Why not have root user have authority on any database?

The first user we’ve created can be done from outside the Mongo shell:
mongo admin --host localhost:27000 --eval '
  db.createUser({
    user: "m103-admin",
    pwd: "m103-pass",
    roles: [
      {role: "root", db: "admin"}
    ]
  })
'
I think all others must be done from inside the shell because you have to be using the admin db and logged in as the root user. Correct?
Why not have the root user granted authority over any database?
In addition, Nuberto’s lecture says the security officer (userAdmin) ought to be the first user created (as shown below). But is this after the root user has been created and passed as the authority to create the security officer?

db.createUser(
  { user: "security_officer",
    pwd: "h3ll0th3r3",
    roles: [ { db: "admin", role: "userAdmin" } ]
  }
)

So admin/root may be able to manage the database(s); however, that doesn’t mean they should have access to that data.

So I can add a security officer to maintain access to a CIA database, but just because I am admin, should I be able to view the list of CIA agents (the NOC list)? There needs to be a separation of roles and access.

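The separation of roles argued in the reply above, as an added example that is not part of the original thread: a Node.js check over user documents shaped like those `db.getUsers()` returns, flagging accounts whose built-in roles combine user administration with data access. The `app_rw` and `ops_mixed` users and the `inventory` database are constructed for illustration; the first two users are the ones created in the question.

```javascript
// Added example: separation-of-duties audit over MongoDB user documents.
const DATA_ACCESS = new Set(["read", "readWrite", "readAnyDatabase", "readWriteAnyDatabase"]);
const USER_ADMIN = new Set(["userAdmin", "userAdminAnyDatabase"]);
// Built-in roles that bundle user administration with data access.
const BUNDLED = new Set(["root", "dbOwner"]);

// users: array of documents shaped like those db.getUsers() returns.
function auditSeparation(users) {
  const findings = [];
  for (const u of users) {
    const roles = u.roles || [];
    const names = roles.map((r) => r.role);
    const bundled = names.filter((n) => BUNDLED.has(n));
    if (bundled.length > 0) {
      findings.push({ user: u.user, kind: "bundled", detail: bundled.join(",") });
    } else if (names.some((n) => DATA_ACCESS.has(n)) && names.some((n) => USER_ADMIN.has(n))) {
      findings.push({ user: u.user, kind: "mixed", detail: "user admin + data access" });
    }
    // userAdmin on the admin database (or userAdminAnyDatabase) can grant any
    // role to any user, itself included, so the account still needs oversight.
    const selfGrant = roles.some(
      (r) => r.role === "userAdminAnyDatabase" || (r.role === "userAdmin" && r.db === "admin")
    );
    if (selfGrant && bundled.length === 0) {
      findings.push({ user: u.user, kind: "can-self-grant", detail: "can grant itself any role" });
    }
  }
  return findings;
}

// Sample input. The first two users come from the thread; the rest are constructed.
const SAMPLE_USERS = [
  { user: "m103-admin", db: "admin", roles: [{ role: "root", db: "admin" }] },
  { user: "security_officer", db: "admin", roles: [{ role: "userAdmin", db: "admin" }] },
  { user: "app_rw", db: "admin", roles: [{ role: "readWrite", db: "inventory" }] },
  { user: "ops_mixed", db: "admin", roles: [
    { role: "userAdmin", db: "inventory" }, { role: "readWrite", db: "inventory" } ] },
];

for (const f of auditSeparation(SAMPLE_USERS)) {
  console.log(`${f.user}: ${f.kind} (${f.detail})`);
}
```

The `can-self-grant` finding on `security_officer` is not a misconfiguration; it marks the account whose role changes are worth reviewing, since it is the one that hands out access.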