Homework 2.1: Create Users for Different Tasks

I have created the users and given the roles. The validation script would not be able to run the commands as these privileges are not in the example. I have run the script as is and run the script as an admin.

My results were:

2018-09-26T18:40:37.226+0000 E QUERY [thread1] Error: error: { "ok" : 0, "errmsg" : "not authorized on admin to execute command { find: "system.users", filter: {} }", "code" : 13 } : _getErrorWithCode@src/mongo/shell/utils.js:25:13 DBCommandCursor@src/mongo/shell/query.js:689:1 DBQuery.prototype._exec@src/mongo/shell/query.js:118:28 DBQuery.prototype.hasNext@src/mongo/shell/query.js:276:5 DBQuery.prototype.toArray@src/mongo/shell/query.js:325:12 @(shell eval):3:23

When modified to run as admin I get:

{"users":[{"user":"alice","roles":[{"role":"root","db":"admin"}]},{"user":"dataLoader","roles":[{"role":"myRole04","db":"admin"}]},{"user":"dbAdmin","roles":[{"role":"myRole03","db":"admin"}]},{"user":"sysAdmin","roles":[{"role":"myRole02","db":"admin"}]},{"user":"userAdmin","roles":[{"role":"userAdmin","db":"admin"},{"role":"myRole01","db":"admin"}]}],"numMembers":3}

Since my privileges are in custom roles not sure how you would know if I got the correct answer.

I also have an extra user that I used to create the db which would change the output of the script.

I am on my last submit so I do not want to submit again.

Thanks

You should only have users listed in the lab in your replica set. The first created user “userAdmin” will be able to create other users. Take help from the lesson “Create user with built in role”.

Hi Michael_16026,

Note: the validation output should be a valid JSON document with two keys, users and numMembers, and the corresponding values for those keys.

The validation script is correct and able to execute the commands if the users are set up according to the lab requirements.

I’m not sure what you mean by:

Since my privileges are in custom roles not sure how you would know if I got the correct answer.

Your goal is to figure out which built-in role best suits the needs of each user.

A couple of things to check:

  • the roles you’ve assigned to the users (built-in roles)

  • The validation script is connecting to port 31210 so if it’s not the PRIMARY it won’t be able to run the commands.

  • As mentioned, you don’t want any additional users - only those in the requirements

Hope this helps,

David
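
The checks listed in the reply above, run against the JSON the validation script prints, as an added example that is not part of the thread or of the course's validation script. The function name `auditValidationOutput`, the expected user names and the expected member count are assumptions taken from the outputs posted in this thread, not from the lab text.

```javascript
// Added example (not from the thread): audit the validation script's JSON output.
// Built-in role names as documented by MongoDB.
const BUILT_IN_ROLES = new Set([
  "read", "readWrite", "dbAdmin", "dbOwner", "userAdmin",
  "clusterAdmin", "clusterManager", "clusterMonitor", "hostManager",
  "backup", "restore", "readAnyDatabase", "readWriteAnyDatabase",
  "userAdminAnyDatabase", "dbAdminAnyDatabase", "root",
]);
// Assumptions taken from the outputs posted in the thread, not from the lab text.
const EXPECTED_USERS = ["userAdmin", "sysAdmin", "dbAdmin", "dataLoader"];
const EXPECTED_MEMBERS = 3;

function auditValidationOutput(raw) {
  let doc;
  try {
    // Forum rendering turns " into curly quotes; normalise before parsing.
    doc = JSON.parse(raw.replace(/[\u201C\u201D]/g, '"'));
  } catch (e) {
    return ["not valid JSON: " + e.message];
  }
  if (!doc || !Array.isArray(doc.users) || typeof doc.numMembers !== "number") {
    return ["expected the two keys users (array) and numMembers (number)"];
  }
  const findings = [];
  if (doc.numMembers !== EXPECTED_MEMBERS) {
    findings.push(`numMembers is ${doc.numMembers}, expected ${EXPECTED_MEMBERS}`);
  }
  const seen = new Set();
  for (const u of doc.users) {
    seen.add(u.user);
    if (!EXPECTED_USERS.includes(u.user)) findings.push(`extra user: ${u.user}`);
    for (const r of u.roles || []) {
      if (!BUILT_IN_ROLES.has(r.role)) {
        findings.push(`${u.user}: custom role ${r.role} on ${r.db}`);
      }
    }
  }
  for (const name of EXPECTED_USERS) {
    if (!seen.has(name)) findings.push(`missing user: ${name}`);
  }
  return findings;
}

// Output from the first post in the thread, with straight quotes restored.
const SAMPLE = '{"users":[{"user":"alice","roles":[{"role":"root","db":"admin"}]},{"user":"dataLoader","roles":[{"role":"myRole04","db":"admin"}]},{"user":"dbAdmin","roles":[{"role":"myRole03","db":"admin"}]},{"user":"sysAdmin","roles":[{"role":"myRole02","db":"admin"}]},{"user":"userAdmin","roles":[{"role":"userAdmin","db":"admin"},{"role":"myRole01","db":"admin"}]}],"numMembers":3}';
console.log(auditValidationOutput(SAMPLE).join("\n"));
```

An empty result only means every user is expected and every role is built-in; it does not say whether each built-in role is the best fit for its user.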

Hi David,

Below is my output, still it says incorrect. Please let me know what's wrong with it.

vagrant@database:~/shared$ ./validate-hw-2.1.sh
{"users":[{"user":"dataLoader","roles":[{"role":"readWriteAnyDatabase","db":"admin"}]},{"user":"dbAdmin","roles":[{"role":"dbAdmin","db":"admin"}]},{"user":"sysAdmin","roles":[{"role":"clusterManager","db":"admin"}]},{"user":"userAdmin","roles":[{"role":"userAdminAnyDatabase","db":"admin"}]}],"numMembers":3}
vagrant@database:~/shared$

Thanks
Dhamodharan L

You need to add a role for any database. Rest is correct as per my knowledge.

You need to copy paste this in the answer box after changing the role.

Kanika

When you say “on any database” does that include “local” and “config”? And what about system collections, such as system.users? Thanks for a quick reply so I can move forward with the rest of the HW.

Hey @Rick_47429, I can’t give away too much but you will find what you’re looking for in this documentation for Built-in Roles.

I’ve read that documentation and it indicates that some of the built-in roles do the right things for the HW question, but do not include acting upon local and config. I do not see it as giving away anything to explain whether questions that indicate “all databases” include those not normally included with many of the built-in roles. I’m asking for clarification of the question, not the answer. But I do thank you for replying quickly and look forward to a clarification of the question, not simply a reference to a large hunk of documentation that does not clarify what the question is requiring.

For this HW, local and config are not in the scope of the requirements so you’re fine using a best-fitting role that doesn’t include access to system dbs. Hope it helps!

Much appreciated. Thank you.
