ApsaraDB for MongoDB: What permissions are granted to the root account when an instance is created?

Last Updated:Mar 18, 2024

This topic describes the permissions on ApsaraDB for MongoDB that are granted to the root account.

After you create an ApsaraDB for MongoDB instance, the system automatically creates a root account in the admin database. The permissions granted to the root account depend on the MongoDB version that the instance runs:

  • If the instance runs MongoDB 4.2 or earlier, the root account has the permissions of the built-in root role in ApsaraDB for MongoDB.

  • If the instance runs MongoDB 4.4 or later, the root account has the permissions of the alibabaCloudAdmin role.

    Important

    In some scenarios, severe performance jitter may occur when you write data to the admin database. Therefore, the alibabaCloudAdmin role does not have the write permissions on the admin database, and cannot create accounts that have the write permissions on the admin database.

You can run the rolesInfo command to view the permissions of a specific role. For more information about the permissions of the root role and the rolesInfo command, see root and rolesInfo.

Important

To ensure data security, we recommend that you do not use the root account to manage your databases. We recommend that you create a database account that has relevant permissions based on your business requirements. For more information, see Create an account for an ApsaraDB for MongoDB instance.

You can run the following command to view the permissions of the root account:

db.getSiblingDB("admin").runCommand({usersInfo: "root"});

Note

For more information about the usersInfo command, see usersInfo.

Permissions of the alibabaCloudAdmin role

  • The role is granted the permissions (such as reading and writing collections, managing accounts, and querying statistics) of the following built-in roles: readWriteAnyDatabase, userAdminAnyDatabase, dbAdminAnyDatabase, clusterMonitor, backup, enableSharding, and restore.

    Note

    The alibabaCloudAdmin role has only read permissions on the admin database.

  • The following commands are supported for sharded cluster instances: flushRouterConfig, cleanupOrphaned, runCommandOnShard, splitVector, clearJumboFlag, moveChunk, and splitChunk.

FAQ

  • Why am I unable to create a privileged user or role such as clusterAdmin, clusterManager, and hostManager?

    The alibabaCloudAdmin role has limited permissions. When you create a custom user or role, it cannot be granted permissions that exceed the existing permission scope of the root account, and these three roles include cluster-level permissions that the root account does not have.

  • Why am I unable to create a user or role that has the readWrite, dbAdmin, or dbOwner permission in the admin database?

    The alibabaCloudAdmin role has only read permissions on the admin database, so it cannot grant write permissions on that database to anyone. You can create a user or role that has these built-in roles in other databases.

  • How do I create a user that has read and write permissions on all custom collections?

    You can create an account that has the readWriteAnyDatabase, dbAdminAnyDatabase, or userAdminAnyDatabase built-in role in the admin database. Sample command:

    db.getSiblingDB("admin").createUser({user:"myName",pwd:"myPassword",roles:["readWriteAnyDatabase"]})

  • The clusterManager role has permissions to run many commands related to the O&M of sharded cluster instances. How do I use these commands if I cannot create the role?

    By default, the root account that has the permissions of the alibabaCloudAdmin role can run some commands related to the O&M of sharded cluster instances. You can use the root account to run these commands.

    If you want to create a custom account to run O&M commands, use the following method to create a user. The following example shows how to create a user that supports the splitVector command:

    // Create the role in the admin database: only roles in admin may hold
    // privileges on resources that span databases (db: "" means all databases).
    db.getSiblingDB("admin").runCommand({createRole:'myRole',privileges:[{"resource":{"db":"","collection":""},"actions":['splitVector']}],roles:['readAnyDatabase']})

    // Create the user in admin and assign the custom role.
    db.getSiblingDB("admin").createUser({user:"myUser",pwd:"myPassword",roles:["myRole"]})

  • When I use flink-sql-connector-mongodb-cdc to create a role based on the provided example, why does the result show that the role has no permissions?

    The listDatabases action applies to the entire cluster and must be granted on the cluster resource ({ cluster: true }) rather than on a database resource. You can run the following command to create a custom role:

    // Create the role in the admin database so that it can hold
    // cross-database and cluster-level privileges.
    db.getSiblingDB("admin").createRole(
        {
            role: "flinkrole",
            privileges: [
                {
                    // All non-system collections in all databases
                    resource: { db: "", collection: "" },
                    actions: [
                        "splitVector",
                        "listDatabases",
                        "listCollections",
                        "collStats",
                        "find",
                        "changeStream" ]
                },
                {
                    // listDatabases is cluster-wide, so grant it on the cluster resource
                    resource: { cluster: true },
                    actions: [ "listDatabases" ]
                }
            ],
            roles: [
                // Read config.collections and config.chunks of sharded clusters
                { role: 'read', db: 'config' }
            ]
        }
    );

    If an error still occurs when you use the CDC service after the role and user are created, submit a ticket to contact Alibaba Cloud technical support.
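The FAQ entries above boil down to three rules for custom roles: a role cannot exceed the root account's scope, no write permissions can be granted on the admin database, and listDatabases only takes effect on the cluster resource. The following Node.js pre-flight check applies those rules to a privileges array before it is passed to createRole. It is an added example, not code from Alibaba Cloud; the grant list it compares against is a constructed, simplified stand-in for the real rolesInfo output of alibabaCloudAdmin, which is not on this page.

```javascript
// Constructed, simplified model of the alibabaCloudAdmin grants described on the
// page. It is NOT the real rolesInfo output; replace it with the output of
// db.getSiblingDB("admin").getRole("alibabaCloudAdmin", { showPrivileges: true }).
const ALIBABA_CLOUD_ADMIN_GRANTS = [
  { resource: { db: "", collection: "" },
    actions: ["find", "insert", "update", "remove", "listCollections",
              "collStats", "splitVector", "changeStream"] },
  { resource: { cluster: true },
    actions: ["listDatabases", "flushRouterConfig", "cleanupOrphaned",
              "moveChunk", "splitChunk"] },
];

// Actions that modify data or schema; these are refused on the admin database.
const WRITE_ACTIONS = new Set(["insert", "update", "remove", "createCollection",
                               "dropCollection", "createIndex", "dropIndex"]);

// MongoDB resource semantics: db "" matches every database, collection ""
// matches every non-system collection, and the cluster resource is its own scope.
function resourceCovers(granted, requested) {
  if (granted.cluster || requested.cluster) return !!granted.cluster && !!requested.cluster;
  const dbOk = granted.db === "" || granted.db === requested.db;
  const collOk = granted.collection === "" || granted.collection === requested.collection;
  return dbOk && collOk;
}

// Returns one entry per (resource, action) pair that the root account could not
// delegate to a custom role, with the rule that rejects it. Empty array = OK.
function undelegatable(privileges, grants = ALIBABA_CLOUD_ADMIN_GRANTS) {
  const problems = [];
  for (const { resource, actions } of privileges) {
    for (const action of actions) {
      // Rule 3: listDatabases is cluster-wide; on a database resource it is ineffective.
      if (action === "listDatabases" && !resource.cluster) {
        problems.push({ resource, action, reason: "listDatabases must be granted on { cluster: true }" });
        continue;
      }
      // Rule 2: alibabaCloudAdmin is read-only on admin, so it cannot hand out admin writes.
      if (resource.db === "admin" && WRITE_ACTIONS.has(action)) {
        problems.push({ resource, action, reason: "no write permissions on the admin database" });
        continue;
      }
      // Rule 1: a custom role cannot exceed the scope of the account creating it.
      const covered = grants.some(g => g.actions.includes(action) && resourceCovers(g.resource, resource));
      if (!covered) problems.push({ resource, action, reason: "outside the alibabaCloudAdmin scope" });
    }
  }
  return problems;
}
```

Feed it the privileges array of the flinkrole definition above and it returns an empty list; a request for addShard on the cluster or insert on admin is reported with the rule it violates.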