在MongoDB上执行createRole时出现Unauthorized错误

kuhbmx9i  于 2023-08-04  发布在  Go
关注(0)|答案(1)|浏览(183)

以下是我的帐户svc-mydbuser用户的权限

{
   privileges: [
      {
         actions: ["dropRole", "createRole", "grantRole", "find", "viewRole"],
         resource: { db: "admin", collection: "" }
      },
      {
         actions: [
            "changeStream", "collStats", "createIndex", "dbHash",
            "dbStats", "dropIndex", "find", "killCursors", "listCollections",
            "listIndexes", "planCacheRead", "insert", "update", "remove"
         ],
         resource: { db: "admin", collection: "system.roles" }
      },
      {
         actions: ["dropDatabase", "createDatabase"],
         resource: { db: "core-POC", collection: "" }
      }],
   roles: [
      { role: "readWrite", db: "core-POC" },
      { role: "userAdmin", db: "admin" }
   ]
}

字符串
登录到mongo数据库并尝试createRole命令后,出现以下错误:

MongoDB Enterprise REP062:PRIMARY> use admin;

MongoDB Enterprise REP062:PRIMARY> db.adminCommand(
   {
      createRole: "CN=GLB-Admin-S-L,OU=Groups - Applications,OU=Global Admin Groups,DC=dmzprod01,DC=mybank,DC=com",
      privileges: [],
      roles: [
         { role: "read", db: "core-POC" }
      ]
   }
);
  

{

        "operationTime" : Timestamp(1691051515, 106),

        "ok" : 0,

        "errmsg" : "not authorized on admin to execute command { createRole: \"CN=GLB-Admin-S-L,OU=Groups - Applications,OU=Global Admin Groups,DC=dmzprod01,DC=mybank,DC=com\", privileges: [], roles: [ { role: \"read\", db: \"core-POC\" } ], lsid: { id: UUID(\"0174cbc1-0595-40f2-9609-bd43927c06f4\") }, $clusterTime: { clusterTime: Timestamp(1691048964, 1), signature: { hash: BinData(0, 2B98A040357462EBE5CB97642C569DC3A6958C81), keyId: 7216972790308536321 } }, $db: \"admin\" }",    
        "code" : 13,    
        "codeName" : "Unauthorized",    
        "$clusterTime" : {    
                "clusterTime" : Timestamp(1691051515, 106),    
                "signature" : {    
                        "hash" : BinData(0,"ygtzgwKkaNXmNzIXYCzbk9yprbk="),    
                        "keyId" : NumberLong("7216972790308536321")    
                }    
        }    
}


你能建议什么特权应该提供给我的帐户,而不提供管理员权限,使我可以成功地执行createRoledropRole命令。

9lowa7mx

9lowa7mx1#

问题不在于createRole命令,而在于您希望授予的角色。您可以创建角色,此命令工作正常:

db.adminCommand(
   {
      createRole: "CN=GLB-Admin-S-L,OU=Groups - Applications,OU=Global Admin Groups,DC=dmzprod01,DC=mybank,DC=com",
      privileges: [],
      roles: []     
   }
);

字符串
此命令出现错误:

db.getSiblingDB('admin').grantRolesToRole(
   "CN=GLB-Admin-S-L,OU=Groups - Applications,OU=Global Admin Groups,DC=dmzprod01,DC=mybank,DC=com",
   [{ role: "read", db: "core-POC" }]
)
MongoServerError: not authorized on admin to execute command { grantRolesToRole: "CN=GLB-Admin-S-L,OU=Groups - Applications,OU=Global Admin Groups,DC=dmzprod01,DC=mybank,DC=com", roles: [ { role: "read", db: "core-POC" } ], lsid: { id: UUID("a7b88755-3bbc-4695-8dcf-64799f9fa2cc") }, $db: "admin" }


您可以授予角色{ role: "userAdminAnyDatabase", db: "admin" }
但是,userAdminAnyDatabase角色不限制用户可以授予的权限。因此,userAdminAnyDatabase用户可以授予自己超出当前权限的权限,甚至可以授予自己所有权限,即使角色没有显式授权超出用户管理权限的权限。
因此,最好创建一个自定义角色并将其授予用户:

db.adminCommand(
   {
      createRole: "svc-role",
      privileges: [{
         resource: { db: "core-POC", collection: "" },
         actions: ["createRole", "dropRole", "find", "grantRole", "viewRole"]
      }],
      roles: [],
   }
)

db.getSiblingDB('admin').grantRolesToUser(
   'svc-mydbuser',
   [{ role: "svc-role", db: "admin" }]
)

db.getSiblingDB('admin').grantRolesToRole(
   "CN=GLB-Admin-S-L,OU=Groups - Applications,OU=Global Admin Groups,DC=dmzprod01,DC=mybank,DC=com",
   [{ role: "read", db: "core-POC" }]
)
{ ok: 1 }

相关问题