Tek Loon

Summary

This article provides a guide on creating read-only roles in MongoDB for different access levels, suitable for new developers in a team.

Abstract

The article "How to Create Read-Only Role in MongoDB" outlines two methods for granting read-only database access to new team members. The first method involves creating a user with read-only privileges to a specific database, demonstrated with a user named 'devA' for the 'client' database. The second method illustrates how to grant a user, 'devB', read-only access to all databases except 'local' and 'config', using the built-in role 'readAnyDatabase'. The tutorial uses MongoDB Compass and Mongo Shell for implementation and verification, emphasizing ease of debugging and secure access management in a staging environment.

Opinions

  • The author suggests that managing all user roles in the 'admin' database is a best practice for future scalability and security.
  • It is implied that granting read-only access is a common practice for new developers to facilitate debugging while maintaining data integrity.
  • The use of MongoDB Compass for visual verification of user permissions is recommended as a practical approach.
  • The article highlights the importance of the 'readAnyDatabase' role for scenarios where broader read access is required without compromising system databases.
  • The author notes that the 'readAnyDatabase' role also grants the 'listDatabases' action, which is useful for users who need an overview of the database landscape.
  • The article concludes by summarizing the two scenarios covered, indicating a structured approach to role-based access control in MongoDB.

How to Create Read-Only Role in MongoDB


This post discusses how to create a read-only role in a MongoDB database. Without further ado, let’s start.

Scenario

Imagine you’re a DevOps engineer or the leader of the backend team; these are normally the roles responsible for granting access to the database.

Two newly hired developers have just joined your team, and management has decided to give them read-only access to the database in the staging environment in order to ease the debugging workflow. Let's call them Developer A and Developer B.

Here is the list of Mongo databases that are available.

Let’s summarize the scenario and break it down into two tutorials.

Method 1 — Create a user who has read-only access to the client database, for Developer A.

Method 2 — Create a user who has read-only access to all databases, for Developer B.

Method 1

First, we have to create a user to access the DB. Although you can create a user in any database, I recommend creating all users in the admin database so they are easier to manage. If in the future you hire a DB administrator, you can simply grant them access to the admin database so they can help you manage DB user and role creation without exposing any other database.

In this tutorial, we will be using Mongo Shell to create users.

use admin // Switch to the admin database; no trailing semicolon, the legacy shell would take it as part of the database name
// Create the devA user with read-only access to the client DB.
db.createUser({
  user: "devA",
  pwd: "devA",
  roles: [ { role: "read", db: "client" } ]
});

With this simple command we now have a devA user who has read-only access to the client database; you can see the user was added successfully in the screenshot below.

Let’s verify it using MongoDB Compass. The screenshots below show us connecting to the database with the newly created user, “devA”.

  • We can only see the client database, even though there are 5 databases in total.
  • Trying to create a collection gives an “Unauthorized” error, which is exactly what we want: read access only.

Method 2

This tutorial is far easier than you might imagine. There is a built-in role called readAnyDatabase that you can grant to the user.

use admin // Switch to the admin database (no trailing semicolon)
// Create the devB user with read access to all of the DBs.
// A bare role name refers to the current (admin) database, i.e. { role: "readAnyDatabase", db: "admin" }.
db.createUser({
  user: "devB",
  pwd: "devB",
  roles: ["readAnyDatabase"]
});

Now let’s verify that the newly added user, devB, has access to all the databases. From the screenshots below, we can see that devB has read-only access to all the databases and that creating new records is prohibited.

From MongoDB 3.4 onwards, readAnyDatabase no longer provides read access to the local and config databases.

Provides the same read-only privileges as read on all databases except local and config. The role also provides the listDatabases action on the cluster as a whole. — MongoDB Docs
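Both methods above rely on the role name being right; the check a practitioner would add is to audit what the new accounts can actually do. The following is an added example (plain Node.js, not code from the original article): it takes the result of running `db.getSiblingDB("admin").runCommand({ usersInfo: ["devA", "devB", "devC"], showPrivileges: true })` in the shell and flags any user whose effective privileges include more than read actions. The usersInfo result below is constructed to mirror devA and devB from the article plus a hypothetical devC who was granted readWrite by mistake.

```javascript
// Actions granted by the built-in "read" role, plus listDatabases from readAnyDatabase.
const READ_ACTIONS = new Set([
  "changeStream", "collStats", "dbHash", "dbStats", "find",
  "killCursors", "listCollections", "listIndexes", "listDatabases",
]);

// Human-readable name for a privilege resource document.
function describeResource(r) {
  if (r.cluster) return "cluster";
  return `${r.db || "<all dbs>"}.${r.collection || "<all collections>"}`;
}

// Returns one finding per privilege that grants more than read actions;
// an empty array means every listed user is effectively read-only.
function auditReadOnly(usersInfoResult) {
  const findings = [];
  for (const u of usersInfoResult.users) {
    for (const p of u.inheritedPrivileges || []) {
      const extra = p.actions.filter((a) => !READ_ACTIONS.has(a));
      if (extra.length > 0) {
        findings.push(`${u.user}: non-read actions on ${describeResource(p.resource)}: ${extra.join(", ")}`);
      }
    }
  }
  return findings;
}

// Constructed sample in the shape usersInfo returns with showPrivileges: true.
const READ_ACTIONS_ON_DB = ["changeStream", "collStats", "dbHash", "dbStats",
  "find", "killCursors", "listCollections", "listIndexes"];
const SAMPLE_USERS_INFO = {
  ok: 1,
  users: [
    { user: "devA", db: "admin", roles: [{ role: "read", db: "client" }],
      inheritedPrivileges: [{ resource: { db: "client", collection: "" }, actions: READ_ACTIONS_ON_DB }] },
    { user: "devB", db: "admin", roles: [{ role: "readAnyDatabase", db: "admin" }],
      inheritedPrivileges: [
        { resource: { db: "", collection: "" }, actions: READ_ACTIONS_ON_DB },
        { resource: { cluster: true }, actions: ["listDatabases"] },
      ] },
    // Hypothetical devC: someone granted readWrite instead of read.
    { user: "devC", db: "admin", roles: [{ role: "readWrite", db: "client" }],
      inheritedPrivileges: [{ resource: { db: "client", collection: "" },
        actions: [...READ_ACTIONS_ON_DB, "insert", "remove", "update", "createCollection", "createIndex"] }] },
  ],
};

console.log(auditReadOnly(SAMPLE_USERS_INFO));
```

Running it prints a single finding for devC, while devA and devB produce none, which is the confirmation the Compass screenshots give visually.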

Conclusion

In short, this post discussed two different scenarios, showing how to:

  • Create read-only access to a specified database.
  • Create read-only access to all of the databases, excluding the local and config databases.

Thank you for reading and see you in the next article.
