以下是我的帐户svc-mydbuser用户的权限
{
privileges: [
{
actions: ["dropRole", "createRole", "grantRole", "find", "viewRole"],
resource: { db: "admin", collection: "" }
},
{
actions: [
"changeStream", "collStats", "createIndex", "dbHash",
"dbStats", "dropIndex", "find", "killCursors", "listCollections",
"listIndexes", "planCacheRead", "insert", "update", "remove"
],
resource: { db: "admin", collection: "system.roles" }
},
{
actions: ["dropDatabase", "createDatabase"],
resource: { db: "core-POC", collection: "" }
}],
roles: [
{ role: "readWrite", db: "core-POC" },
{ role: "userAdmin", db: "admin" }
]
}字符串
登录到mongo数据库并尝试createRole命令后,出现以下错误:
MongoDB Enterprise REP062:PRIMARY> use admin;
MongoDB Enterprise REP062:PRIMARY> db.adminCommand(
{
createRole: "CN=GLB-Admin-S-L,OU=Groups - Applications,OU=Global Admin Groups,DC=dmzprod01,DC=mybank,DC=com",
privileges: [],
roles: [
{ role: "read", db: "core-POC" }
]
}
);
{
"operationTime" : Timestamp(1691051515, 106),
"ok" : 0,
"errmsg" : "not authorized on admin to execute command { createRole: \"CN=GLB-Admin-S-L,OU=Groups - Applications,OU=Global Admin Groups,DC=dmzprod01,DC=mybank,DC=com\", privileges: [], roles: [ { role: \"read\", db: \"core-POC\" } ], lsid: { id: UUID(\"0174cbc1-0595-40f2-9609-bd43927c06f4\") }, $clusterTime: { clusterTime: Timestamp(1691048964, 1), signature: { hash: BinData(0, 2B98A040357462EBE5CB97642C569DC3A6958C81), keyId: 7216972790308536321 } }, $db: \"admin\" }",
"code" : 13,
"codeName" : "Unauthorized",
"$clusterTime" : {
"clusterTime" : Timestamp(1691051515, 106),
"signature" : {
"hash" : BinData(0,"ygtzgwKkaNXmNzIXYCzbk9yprbk="),
"keyId" : NumberLong("7216972790308536321")
}
}
}型
你能建议什么特权应该提供给我的帐户,而不提供管理员权限,使我可以成功地执行createRole和dropRole命令。
1条答案
按热度按时间9lowa7mx1#
问题不在于
createRole命令,而在于您希望授予的角色。您可以创建角色,此命令工作正常:字符串
此命令出现错误:
型
您可以授予角色
{ role: "userAdminAnyDatabase", db: "admin" }。但是,
userAdminAnyDatabase角色不限制用户可以授予的权限。因此,userAdminAnyDatabase用户可以授予自己超出当前权限的权限,甚至可以授予自己所有权限,即使角色没有显式授权超出用户管理权限的权限。因此,最好创建一个自定义角色并将其授予用户:
型