MongoDB Opens shard Operation Minimum Privilege User Authorization

Keywords: Operation & Maintenance Database MongoDB

MongoDB Opens shard Operation Minimum Privilege User Authorization

 (2018-01-25 15:52:29)







Minimum permission





Classification: data base


Operational requirements provide a minimum privilege for program users to meet the following operational requirements:

  • Allow full operation of specified database
  • Allow shard to be opened for collection in a specified database

With such restrictions, only the designated database will be affected at most.
Avoid affecting the whole cluster due to program problems or other external factors that cause data processing logic problems.


Take myDb.myCollection as an example. To open shard for collection, the following operations are needed:

  1. If the database does not open the fragmentation function, you need to open it first:

  2. If there is already data in the collection, you need to create the corresponding shardkey index first:

     use myDb
     db.myCollection.createIndex( {"shard_key_field": "hashed"} )
  3. Open shard for the specified collection:

     sh.shardCollection("myDb.myCollection", {"shard_key_field": "hashed"})

Therefore, the corresponding privileges are needed to run the above three operation commands.
Referring to the description of official documents, users need to be provided with two permissions:


Because the original project user's role in business database is dbOwner.
Therefore, to create a role with shard-related operation privileges, granting project database users can achieve minimum privilege control.

First, create a new role to provide the above two operation permissions.
This is called opShardRole and can be changed according to actual requirements:

use myDb;
        role: "opShardRole",
                resource:{db:"myDb", collection:""},
                actions:["enableSharding, "createIndex"]

Then the opShardRole role grant is given to the project user, assuming that the user name is project_user:

db.grantRolesToUser("project_user",[{role:"opShardRole", db:"myDb"}])

At this point, the operation is completed, and the project user can test whether there is any problem in opening the shard related operation.

Check relevant user privileges

Switch to Business db and check the relevant users and roles:

  • View role-related permissions:

      mongos> db.getRole("opShardRole",{showPrivileges: true})
          "role" : "opShardRole",
          "db" : "myDb",
          "isBuiltin" : false,
          "roles" : [ ],
          "inheritedRoles" : [ ],
          "privileges" : [
                  "resource" : {
                      "db" : "myDb",
                      "collection" : ""
                  "actions" : [
  • View user-related roles:

      mongos> show users;
          "_id" : "myDb.project_user",
          "user" : "project_user",
          "db" : "myDb",
          "roles" : [
                  "role" : "opShardRole",
                  "db" : "myDb"
                  "role" : "dbOwner",
                  "db" : "myDb"

As you can see, the role of opShardRole does already have the required shard operation rights for the business database myDb.
At the same time, the project_user user user already has opShardRole role authorization.


Posted by twm on Mon, 09 Sep 2019 01:50:50 -0700