Just a quick question re user accounts in MongoDB.

I have the following user configured in the admin database:

> use admin
switched to db admin
> db.system.users.find({ user : "foobar_admin"}).pretty()
{
        "_id" : ObjectId("52024f53e513b080573d59de"),
        "otherDBRoles" : {
                "test" : [
                        "dbAdmin",
                        "readWrite"
                ]
        },
        "pwd" : "<pwdhash>",
        "roles" : [
                "read"
        ],
        "user" : "foobar_admin"
}
> 

and the following user configured on the test database:

> use test
switched to db test
> db.system.users.find({ user : "abc_admin"}).pretty()
{
        "_id" : ObjectId("52024f97e513b080573d59e1"),
        "pwd" : "<pwdhash>",
        "roles" : [
                "readWrite"
        ],
        "user" : "foobar_admin"
}
> 

Do the permissions set in the admin database override those set in the test database? I.e., does the foobar_admin have dbAdmin and readWrite on the test database? Does one document have precedence over the other?

Mark V
  • The best way is to test but I do remember reading something in the documentation about the admin user taking over the same user of that name in the local database. I personally have never had this ambiguity between my users, I try to avoid it – Sammaye Mar 12 '14 at 08:50
  • Yeah, I've inherited something that appears to have user documents in each db, so I am in the process of cleaning it all up. I am just a little cautious, as the db is currently in production, and can't afford to have it broken... I'll do some testing on one of my test boxes and see what I come up with. – Mark V Mar 12 '14 at 11:01

1 Answer

For anyone wondering, neither credential takes precedence; rather, the relevant roles are applied depending on which db the user authenticated to.

So in the above example,

  • if the foobar_admin user authenticated against the admin database, the user would have the dbAdmin and readWrite roles
  • if the foobar_admin user authenticated against the test database the user would only have the readWrite role

The documentation (http://docs.mongodb.org/manual/reference/privilege-documents/) doesn't appear to state this clearly.

Thanks for putting up with my ramblings! :)

Mark V
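For the cleanup described in the comments, the behaviour in the answer can be turned into an audit of same-named credentials across databases. This is an added example, not code from the original post or from MongoDB: the function names and the `usersByDb` input shape are hypothetical, the documents are constructed from the ones in the question, and it assumes the legacy `roles`/`otherDBRoles` privilege-document schema shown there.

```javascript
// Constructed sample input: legacy system.users documents keyed by the database
// they are stored in. In a mongo shell the arrays could be collected with
// db.getSiblingDB(name).system.users.find().toArray() for each database.
const usersByDb = {
  admin: [{ user: "foobar_admin", roles: ["read"],
            otherDBRoles: { test: ["dbAdmin", "readWrite"] } }],
  test:  [{ user: "foobar_admin", roles: ["readWrite"] }],
};

// Roles one credential grants, per target database, when the user
// authenticates against authDb (the model described in the answer).
function effectiveRoles(authDb, doc) {
  const grants = {};
  if (doc.roles && doc.roles.length) grants[authDb] = [...doc.roles].sort();
  // otherDBRoles is only honoured on documents stored in the admin database.
  if (authDb === "admin" && doc.otherDBRoles) {
    for (const [db, roles] of Object.entries(doc.otherDBRoles)) {
      grants[db] = [...new Set([...(grants[db] || []), ...roles])].sort();
    }
  }
  return grants;
}

// Report user names that exist in more than one database, what each
// credential grants, and the target databases where the grants disagree.
function findAmbiguousUsers(byDb) {
  const seen = new Map();
  for (const [authDb, docs] of Object.entries(byDb)) {
    for (const doc of docs) {
      if (!seen.has(doc.user)) seen.set(doc.user, []);
      seen.get(doc.user).push({ authDb, grants: effectiveRoles(authDb, doc) });
    }
  }
  const report = [];
  for (const [user, creds] of seen) {
    if (creds.length < 2) continue; // defined once: no ambiguity
    const targets = new Set(creds.flatMap(c => Object.keys(c.grants)));
    const differs = [...targets].filter(t =>
      new Set(creds.map(c => JSON.stringify(c.grants[t] || []))).size > 1).sort();
    report.push({ user, creds, differs });
  }
  return report;
}

console.log(JSON.stringify(findAmbiguousUsers(usersByDb), null, 2));
```

Any user with a non-empty `differs` list ends up with different privileges depending on the authentication database, so those are the documents to reconcile before removing duplicates.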