A MongoDB “userAdminAnyDatabase” user cannot admin users in “any database”. Why?

梦想的初衷, submitted on 2019-12-10 14:02:10

Question


This is a userAdmin vs. userAdminAnyDatabase question.

In the system.users I have the following users (password 1234 for both):

> db.system.users.find()
{ "_id" : ObjectId("52a976cb7851682aa44d6d4d"), "user" : "admin_one", "pwd" : "884f516cf308a4c6a75bbc5a0a00807b", "roles" : [  "userAdmin",  "dbAdmin" ] }
{ "_id" : ObjectId("52a97c697851682aa44d6d4f"), "user" : "admin_two", "pwd" : "26e7bb644e5919461cd6ba7403dc6906", "roles" : [  "userAdminAnyDatabase",  "dbAdminAnyDatabase" ] }

Connecting with a wrong user:

$ mongo mono -u admin -p 1234
connecting to: mono
Thu Dec 12 10:09:00.733 Error: 18 { code: 18, ok: 0.0, errmsg: "auth fails" } at src/mongo/shell/db.js:228

which is OK.

Connecting with the db admin:

$ mongo mono -u admin_one -p 1234
connecting to: mono
> db.system.users.find()
{ "_id" : ObjectId("52a976cb7851682aa44d6d4d"), "user" : "admin_one", "pwd" : "884f516cf308a4c6a75bbc5a0a00807b", "roles" : [  "userAdmin",  "dbAdmin" ] }
{ "_id" : ObjectId("52a97c697851682aa44d6d4f"), "user" : "admin_two", "pwd" : "26e7bb644e5919461cd6ba7403dc6906", "roles" : [  "userAdminAnyDatabase",  "dbAdminAnyDatabase" ] }

which is also OK.

Now, connecting with the "AnyDatabase" admin I get an error:

$ mongo mono -u admin_two -p 1234
connecting to: mono
> db.system.users.find()
error: { "$err" : "not authorized for query on mono.system.users", "code" : 16550 }

Why?


Answer 1:


It appears that you're attempting to allocate the userAdminAnyDatabase role on the mono database, not the admin database. The "anyDatabase" roles are only available for users that authenticate to the admin database.

See the documentation of the anyDatabase Roles for more information.
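The check below is an added example, not part of the original answer. It scans legacy-format system.users documents like the ones in the question and reports "AnyDatabase" roles stored outside the admin database, applying the rule stated in the answer; the sample data is constructed and the user root_admin is hypothetical.

```javascript
// Added example: audit legacy-format system.users documents (the format shown
// in the question). Sample data is constructed; root_admin is hypothetical.
const ANY_DB_ROLES = new Set([
  "userAdminAnyDatabase",
  "dbAdminAnyDatabase",
  "readAnyDatabase",
  "readWriteAnyDatabase",
]);

// usersByDb: { <database name>: [ <system.users document>, ... ] }
// Returns one finding per "AnyDatabase" role stored outside the admin database.
function findMisplacedAnyDatabaseRoles(usersByDb) {
  const findings = [];
  for (const [dbName, users] of Object.entries(usersByDb)) {
    if (dbName === "admin") continue; // these roles are only available here
    for (const u of users) {
      for (const role of u.roles || []) {
        if (ANY_DB_ROLES.has(role)) findings.push({ db: dbName, user: u.user, role });
      }
    }
  }
  return findings;
}

// Assumption: models only the rule from the answer. A user defined in
// `definedIn` can administer users on `targetDb` if it holds userAdmin on that
// same database, or userAdminAnyDatabase while defined in admin.
function canAdminUsers(userDoc, definedIn, targetDb) {
  const roles = userDoc.roles || [];
  if (definedIn === targetDb && roles.includes("userAdmin")) return true;
  return definedIn === "admin" && roles.includes("userAdminAnyDatabase");
}

// Constructed sample, modeled on the two users in the question.
const sample = {
  mono: [
    { user: "admin_one", roles: ["userAdmin", "dbAdmin"] },
    { user: "admin_two", roles: ["userAdminAnyDatabase", "dbAdminAnyDatabase"] },
  ],
  admin: [{ user: "root_admin", roles: ["userAdminAnyDatabase"] }],
};

for (const f of findMisplacedAnyDatabaseRoles(sample)) {
  console.log(`${f.db}.system.users: ${f.user} holds ${f.role} outside admin`);
}
```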




Answer 2:


I ran into similar problems after creating the admin user in mongodb.

You may want to check:

  1. The admin user has to be in the admin database in the system
  2. Check the roles of your admin user. The role that allows you to "see" all the databases would be "clusterAdmin". I would check the roles and add those that you need for the admin role.

This may help:

Users roles explained: http://docs.mongodb.org/manual/reference/method/db.grantRolesToUser/#db.grantRolesToUser

userAdminAnyDatabase and userAdmin do not explicitly authorize a user for any privileges beyond user administration. You will also have to add the "clusterAdmin" role for the list databases command: http://docs.mongodb.org/manual/reference/user-privileges/#clusterAdmin

If you want your user to read/write from the database and collections, you will need to add another role, the "readWrite".

Additionally, you may want to check your mongod terminal to see what errors are popping in the back.

Good luck,



Source: https://stackoverflow.com/questions/20539376/a-mongodb-useradminanydatabase-user-cannot-admin-users-in-any-database-why
