I have two users, a user with the root role and another user with a read-only role on the database. When I log in as root and then switch to the read-only user without exiting the shell, MongoDB allows me to run and execute root-level commands even though I am logged in as the read-only user. To reproduce the problem, do the following.
I logged in as the user with root access using
use admin
db.auth("rootUser","Password")
Run commands like show databases, show collections; everything works fine.
Then, without exiting the shell, I logged in as the read-only user
use dbabc
db.auth("readOnlyUser","Password")
Now logged in as this user, I can drop, list DBs and perform all other root operations. I think this is very dangerous. I tried to reproduce the problem several times and it works.
The only time the read-only user works as expected is when I exit the shell and then log in again as the read-only user. See the execution of commands below.
> db.auth("admin","adminPassword")
> show databases
admin 0.000GB
main db 11.843GB
anotherdatab 9.025GB
anotherdata1 0.008GB
local 0.000GB
school 0.734GB
test 0.000GB
> use readonlydb
switched to db readonlydb
> db.auth("readonlyuser","readonlypass")
1
> show databases
admin 0.000GB
maindb 11.843GB
anotherdatab 9.025GB
anotherdata1 0.008GB
local 0.000GB
school 0.734GB
test 0.000GB
This is what I got from MongoDB folks when I posted this on their JIRA site. I don't think this is safe but MongoDB likes it this way.
Hi [~sneceesay77],
Thank you for the report. This is expected behavior. You can be logged in on different databases with several users concurrently in the shell. In this case, you will have the collective permissions of all authenticated users.
If you do not want to be authenticated on a particular database you can execute [db.logout()|https://docs.mongodb.com/manual/reference/method/db.logout/] on the same database.
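The remedy the MongoDB reply points at (db.logout() on every database that still holds a session), as an added example that is not part of the original question or of the JIRA reply: helper functions for the mongo shell that list the users currently authenticated on the connection via the connectionStatus command and perform a clean switch to a single user. Database, user and password names are placeholders; load the file into the shell and pass its `db` handle.

```javascript
// Added example (not from the original post): shell helpers that make the
// "collective permissions" behaviour visible and enforce a clean user switch.
// Usage in the mongo/mongosh shell: load("switch_user.js"); then
// switchToUser(db, "readonlydb", "readonlyuser", "readonlypass")  (placeholders).

// Returns "<db>.<user>" for every user authenticated on this connection,
// as reported by the connectionStatus command.
function authenticatedUsers(db) {
  const status = db.runCommand({ connectionStatus: 1 });
  if (status.ok !== 1) {
    throw new Error("connectionStatus failed: " + JSON.stringify(status));
  }
  return status.authInfo.authenticatedUsers.map(u => u.db + "." + u.user);
}

// Logs out every currently authenticated user so the connection holds no
// privileges before the next db.auth() call. db.getSiblingDB(name) gives the
// handle for another database on the same connection.
function logoutAll(db) {
  const status = db.runCommand({ connectionStatus: 1 });
  for (const u of status.authInfo.authenticatedUsers) {
    db.getSiblingDB(u.db).logout();
  }
}

// Switches to exactly one user: drop all existing sessions, authenticate, then
// verify that only the intended user/database pair remains. Throws if any
// other user is still authenticated, which is the situation the question shows.
function switchToUser(db, dbName, user, password) {
  logoutAll(db);
  const target = db.getSiblingDB(dbName);
  if (!target.auth(user, password)) {
    throw new Error("auth failed for " + dbName + "." + user);
  }
  const users = authenticatedUsers(db);
  if (users.length !== 1 || users[0] !== dbName + "." + user) {
    throw new Error("unexpected extra authenticated users: " + users.join(", "));
  }
  return users[0];
}
```

Running authenticatedUsers(db) right after the second db.auth() in the question would show both the admin and the read-only user, which is exactly the collective-permission state the reply describes.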