We have a cluster in AWS, with a Document DB up and running. I wanted to grant some extra privileges, so I connected to the database as an user with the root role granted, and did the usual MongoDB thing:
db.grantRolesToUser("nameOfTheUser", ["readWrite"])
Instead of just granting the privileges, it gave me:
2020-05-04T15:26:42.053+0000 E QUERY [js] uncaught exception: Error: Cannot update system managed users' roles :_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype.grantRolesToUser@src/mongo/shell/db.js:1592:15
@(shell):1:1
This is the first time I hear about any system managed users. I searched both MongoDB and AWS DocumentDB docs, but didn't find it anywhere. What are they? How an user ends up being system managed? And how can I change their privileges?
The serviceadmin user is created implicitly when the cluster is created. Every Amazon DocumentDB cluster has a serviceadmin user that provides AWS the ability to manage your cluster. You cannot log in as, drop, rename, change the password, or change the permissions for serviceadmin. Any attempt to do so results in an error.
Please see the following for more information: https://docs.aws.amazon.com/documentdb/latest/developerguide/security.managing-users.html