This topic describes the permissions on ApsaraDB for MongoDB that are granted to the root account.
After you create an ApsaraDB for MongoDB instance, the system automatically creates a root account in the admin database. The permissions that are granted to the root account vary based on the instance version. The root account is granted the following permissions for different instance versions:
If the instance runs MongoDB 4.2 or earlier, the root account has the permissions of the built-in root role in ApsaraDB for MongoDB.
If the instance runs MongoDB 4.4 or later, the root account has the permissions of the alibabaCloudAdmin role.
Important: In some scenarios, severe performance jitter may occur when data is written to the admin database. Therefore, the alibabaCloudAdmin role does not have write permissions on the admin database and cannot create accounts that have write permissions on the admin database.
You can run the rolesInfo command to view the permissions of a specific role. For more information about the permissions of the root role and the rolesInfo command, see root and rolesInfo.
To ensure data security, we recommend that you do not use the root account to manage your databases. We recommend that you create a database account that has relevant permissions based on your business requirements. For more information, see Create an account for an ApsaraDB for MongoDB instance.
You can run the following command to view the permissions of the root account:
db.getSiblingDB("admin").runCommand({usersInfo: "root"});
For more information about the usersInfo command, see usersInfo.
Permissions of the alibabaCloudAdmin role
The role is granted the permissions (such as reading and writing collections, managing accounts, and querying statistics) of the following built-in roles: readWriteAnyDatabase, userAdminAnyDatabase, dbAdminAnyDatabase, clusterMonitor, backup, enableSharding, and restore.
Note: The alibabaCloudAdmin role has only read permissions on the admin database.
The following commands are supported for sharded cluster instances: flushRouterConfig, cleanupOrphaned, runCommandOnShard, splitVector, clearJumboFlag, moveChunk, and splitChunk.
FAQ
Why am I unable to create a privileged user or role such as clusterAdmin, clusterManager, or hostManager?
The alibabaCloudAdmin role has limited permissions. Therefore, when you create a custom user or role, it cannot be granted permissions that exceed the permission scope of the root account.
Why am I unable to create a user or role that has the readWrite, dbAdmin, or dbOwner permission in the admin database?
The alibabaCloudAdmin role has only read permissions on the admin database, so it cannot be used to write data to the admin database or to grant write permissions on it. You can create a user or role that has these built-in permissions in other databases.
How do I create a user that has read and write permissions on all custom collections?
You can create an account that has the readWriteAnyDatabase, dbAdminAnyDatabase, or userAdminAnyDatabase built-in role in the admin database. Sample command:
db.getSiblingDB("admin").createUser({user:"myName",pwd:"myPassword",roles:["readWriteAnyDatabase"]})
The clusterManager role has permissions to run many commands related to the O&M of sharded cluster instances. How do I use these commands if I cannot create the role?
By default, the root account that has the permissions of the alibabaCloudAdmin role can run some commands related to the O&M of sharded cluster instances. You can use the root account to run these commands.
If you want to create a custom account to run O&M commands, create a custom role that holds the required actions and then create a user that has the role. The following example shows how to create a user that can run the splitVector command (the role is created in the admin database so that the user created in admin can reference it by name):
db.getSiblingDB("admin").runCommand({createRole: 'myRole', privileges: [{"resource": {"db": "", "collection": ""}, "actions": ['splitVector']}], roles: ['readAnyDatabase']})
db.getSiblingDB("admin").createUser({user: "myUser", pwd: "myPassword", roles: ["myRole"]})
When I create a role based on the example provided in this topic (What permissions are granted to the root account when an instance is created?), why does the result show that the role has no permissions?
The listDatabases action applies to the entire cluster, so it must be granted on the cluster resource rather than on a database or collection resource. You can run the following command to create a custom role:
db.createRole({
  role: "flinkrole",
  privileges: [
    { resource: { db: "", collection: "" }, actions: ["splitVector", "listCollections", "collStats", "find", "changeStream"] },
    { resource: { cluster: true }, actions: ["listDatabases"] }
  ],
  roles: [{ role: "read", db: "config" }]
});
If an error still occurs when you use the CDC service after the role and user are created, submit a ticket to contact Alibaba Cloud technical support.
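As an added example (not from the ApsaraDB documentation), the following script, runnable in Node or mongosh, checks a createRole document against the limits described in this FAQ before it is submitted: cluster-wide actions on a database resource, write actions or write roles scoped to admin, and privileged built-in roles the root account cannot grant. The function names and the set of actions treated as write actions are assumptions.

```javascript
// Added example, not from the ApsaraDB documentation. Pre-flight check for a
// createRole document before it is sent to mongosh. It flags the cases the FAQ
// explains: cluster-wide actions on a db/collection resource, write actions or
// write roles scoped to admin (alibabaCloudAdmin is read-only on admin), and
// privileged roles the root account cannot grant. WRITE_ACTIONS is an assumption.
const CLUSTER_ACTIONS = new Set(["listDatabases"]);
const WRITE_ACTIONS = new Set(["insert", "update", "remove", "createCollection",
  "dropCollection", "createIndex", "dropIndex"]);
const ADMIN_WRITE_ROLES = new Set(["readWrite", "dbAdmin", "dbOwner"]);
const PRIVILEGED_ROLES = new Set(["clusterAdmin", "clusterManager", "hostManager"]);

// targetDb is the database in which createRole will run; a role inherited by a
// bare string name is looked up in that same database.
function checkRoleDefinition(roleDoc, targetDb = "admin") {
  const findings = [];
  (roleDoc.privileges || []).forEach((p, i) => {
    const res = p.resource || {};
    for (const action of p.actions || []) {
      if (CLUSTER_ACTIONS.has(action) && res.cluster !== true) {
        findings.push(`privileges[${i}]: ${action} must use resource { cluster: true }`);
      }
      if (res.db === "admin" && WRITE_ACTIONS.has(action)) {
        findings.push(`privileges[${i}]: ${action} on admin exceeds alibabaCloudAdmin`);
      }
    }
  });
  for (const r of roleDoc.roles || []) {
    const name = typeof r === "string" ? r : r.role;
    const db = typeof r === "string" ? targetDb : r.db;
    if (PRIVILEGED_ROLES.has(name)) findings.push(`roles: ${name} cannot be granted`);
    if (db === "admin" && ADMIN_WRITE_ROLES.has(name)) {
      findings.push(`roles: ${name} on admin is not allowed`);
    }
  }
  return findings;
}

// The corrected CDC role from the FAQ above, in db.createRole() form.
function buildCdcRole(name = "flinkrole") {
  return {
    role: name,
    privileges: [
      { resource: { db: "", collection: "" },
        actions: ["splitVector", "listCollections", "collStats", "find", "changeStream"] },
      { resource: { cluster: true }, actions: ["listDatabases"] },
    ],
    roles: [{ role: "read", db: "config" }],
  };
}
```

In mongosh, submit the document only when the check returns no findings, for example with `db.getSiblingDB("admin").createRole(buildCdcRole())`.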