When connecting to a MongoDB server without the clusterAdmin role, Robomongo can't get a list of databases so it only shows the authenticated database.
There are two issues with this:
I realize MongoDB's commands don't allow you to figure out which databases are visible to the user, but maybe you could add a custom property in the connections manager to allow users to explicitly list databases they want to see in a specific connection?
Hi @avish
_When connecting to a MongoDB server without the clusterAdmin role, Robomongo can't get a list of databases so it only shows the authenticated database._
Yes. You are right. This is how the permission scheme works in MongoDB from 2.4 onward, and currently we can't do anything about this. "readAnyDatabase" and other "AnyDatabase" permissions don't have access to the listDatabases operation. So, a user with only the "readAnyDatabase" permission can't see the list of databases and can't read any of them. For this purpose you should add the "clusterAdmin" permission to this user. I agree that this is not obvious and not intuitive, but this is MongoDB behavior.
_The default DB can be different from the authenticated DB_
Unfortunately, this makes no sense, because you should be authenticated to the database you want to connect to. You cannot be authenticated to two DBs at the same time within one connection (you can do it only with delegated credentials). So, in your case you are just authenticated to the DB in the "Authentication" tab and "Default DB" is skipped. I agree that this is a little bit confusing; we plan to enhance the UI to be more intuitive and user-friendly.
I hope I answered your questions.
Thank you for your interest in Robomongo!
@stmoroz re: _You cannot be authenticated to two DBs at the same time within one connection_
FYI, there is a use case for Delegated Credentials in MongoDB 2.4+, where you may need to authenticate against a different database than the one you are using:
http://docs.mongodb.org/manual/reference/privilege-documents/#delegated-credentials-for-mongodb-authentication
Delegated credentials are the recommended approach in 2.4+, but having multiple active authentication credentials for _different_ DBs is definitely supported for a single connection:
http://docs.mongodb.org/ecosystem/tutorial/authenticate-with-java-driver/#normal-authentication
So a connection can be authenticated to multiple DBs, but can only have one active user per DB (logging in as a 2nd user on the same DB will invalidate the credentials of the 1st user for that DB):
http://docs.mongodb.org/manual/core/access-control/#authentication
Cheers,
Stephen
Hi @stennie,
Thanks for correcting me. I have edited my answer. I expected that @avish doesn't use a connection to multiple DBs. Anyway, connecting via "userSource" currently isn't supported in Robomongo.
Thank you for participating in the discussion.
I'll try to explain my case better.
In order to provide developers with read-only or read-write access to databases, we give them a user in the "admin" DB and provide them the roles readAnyDatabase and/or writeAnyDatabase. This allows them to authenticate against the admin DB but use any DB on the server, and is currently the simplest way to implement this kind of permission model. Adding clusterAdmin for the user is not an option, of course, since that would allow the user to effectively do what they like on the cluster, which is counterproductive to the idea of permissions in the first place.
So this is one common scenario where authenticating to a different DB than the one you plan to work on makes sense. The other scenario is delegating users as @stennie mentioned, which, if it isn't supported by Robomongo, probably should be its own issue.
So when you say:
> _The default DB can be different from the authenticated DB_
>
> Unfortunately, this makes no sense, because you should be authenticated to the database you want to connect to.

I have to disagree with you: it makes perfect sense as it's the only way to give users global read/write permissions on all DBs without making them cluster admins. If anything, forcing Robomongo users to only grant the readAnyDatabase role together with clusterAdmin, as you suggested, will eliminate this valid scenario, and will only confuse users more.
At the moment it's already possible to use Robomongo to authenticate against the admin DB and then switch to some other DB by manually issuing a `use <somedb>` statement (assuming you have readAnyDatabase permission or specific permissions on that DB). All I'm saying is that Robomongo should support this in its navigation UI by querying the metadata of whichever DB is being currently used. If that's not possible, you can ask the user for a list of DBs to show metadata for (e.g. as a separate box on the connection properties dialog); and if that too isn't an option, you just use the existing "default DB" as the one to query metadata for, instead of the one being authenticated against, when both are present.
@avish
Thanks a lot for the explanations. Now it is clear what should be done with this.
Thank you for your understanding. If you could describe what you plan to do with this that would be super :)
Hello @avish,
I have looked through this issue. I'll try to explain once more:
In Robomongo we use the "listDatabases" command to get the list of databases. According to http://docs.mongodb.org/manual/reference/user-privileges/ you can see that the "listDatabases" command may be executed only by clusterAdmin. I have a problem: how can I get a list of databases without this command? If you have any solution to this problem, please explain the workaround.
If a default database was set in the connection dialog, then when opening the shell we automatically execute (https://github.com/paralect/robomongo/blob/master/src/robomongo/core/mongodb/MongoWorker.cpp#L72) "use somedb", and then you can get all the needed data.
I understand you already issue a 'use db' command. What I'm asking for is that you populate the left navigation pane with the details of the default DB.
I don't have a way to list databases without clusterAdmin role (this should be an issue opened against Mongo itself), but I can see that if I connect without clusterAdmin role Robomongo shows me the collections in the DB I authenticated against (in this case admin). So Robomongo is already able to populate the navigation pane with details of specific DBs even without clusterAdmin.
What I suggest is that when "default DB" is set, you'll query for the details of that DB instead of (or in addition to) the DB being authenticated against, so the navigation pane will automatically show it (instead of trying to listDatabases).
A better solution would be to update the navigation pane whenever the DB context changes, so e.g. if I execute `use otherDB` in the shell, Robomongo will pick that up and query the new DB's details and show them in the navigation pane (adding them to whichever DB was already there before the switch).
An even better solution would be to allow the user to specify a list of DBs in the connection properties that, once connected, will be queried for their details (instead of just the authenticated DB or the default DB).
In addition to populating the default DB, it would be great if there were a way for the user to indicate which databases were available so they could be opened without needing listDatabases.
+1 to @avish proposal
+1 and added the first donation!
We had MongoDB support guys working on securing our MongoDB clusters, and they removed all database specific users, and added users to the 'admin' database with write permission on one database.
In MongoDB, we can connect using an authenticationDatabase, and specify the database we have permissions for as the defaultDatabase, but in the left tree we only see the admin database. If you implement it as @avish suggested, we could see the collections in the default database in the tree instead of having to type `db.getCollectionNames()` in the shell.
Is there any progress with this issue? Role management seems like a true work-in-progress in MongoDB. But in the meantime, would it be possible to just list collections from the default database if specified, instead of trying to list databases against admin?
In our multi-tenant setup, we are able to work around by creating a privilege. Here is the command I used for reference:
```javascript
// Custom role that grants only the cluster-level listDatabases action
db.runCommand({
  createRole : "robomongo",
  privileges : [ { resource : { cluster : true }, actions : [ "listDatabases" ] } ],
  roles : []
});
```
Then, it's just a matter of running:
```javascript
db.grantRolesToUser("myUser", [ "robomongo" ]);
```
On all users that need it. The problem is that now Robomongo lists all of the databases running on the mongo instance, regardless of if the user can actually access them or not. As our multi-tenant setup grows, this can be annoying to users.
P.S... this level of granular privileges was just recently added to Mongo (either 2.5.x or 2.6.x).
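The comment above notes that granting `listDatabases` makes every database on the instance appear, whether or not the user can open it. The following is an added example, not part of the original thread and not Robomongo's code: it filters a database list by the privilege documents that `connectionStatus` with `showPrivileges: true` reports, and falls back to the explicitly named databases and the default DB when `listDatabases` is refused. The function name `visibleDatabases`, the `BROWSE_ACTIONS` set and all sample database names are assumptions made for illustration.

```javascript
// Added example: decide which databases a client UI should show for a user.
// Inputs mirror the shapes of MongoDB's connectionStatus (showPrivileges: true)
// privilege list and the names returned by listDatabases.

// Actions that make a database worth showing in a navigation tree (assumption).
const BROWSE_ACTIONS = new Set(["find", "listCollections"]);

function visibleDatabases(privileges, listedNames, defaultDb) {
  const named = new Set();
  let anyDb = false;
  for (const { resource, actions } of privileges) {
    if (!actions.some((a) => BROWSE_ACTIONS.has(a))) continue;
    if (resource.anyResource) anyDb = true;
    else if (resource.cluster) continue;        // cluster-level, not a database
    else if (resource.db === "") anyDb = true;  // "" matches every database
    else if (typeof resource.db === "string") named.add(resource.db);
  }
  if (listedNames === null) {
    // listDatabases was refused: show only what the privileges name, plus the
    // default DB when a wildcard privilege covers it.
    if (defaultDb && anyDb) named.add(defaultDb);
    return [...named].sort();
  }
  // listDatabases succeeded: drop databases the user holds no browse action on.
  return listedNames.filter((n) => anyDb || named.has(n)).sort();
}

// Constructed sample: tenant user with the "robomongo" role plus read on one DB.
const tenantPrivs = [
  { resource: { cluster: true }, actions: ["listDatabases"] },
  { resource: { db: "tenant_a", collection: "" }, actions: ["find", "listCollections"] },
];
// Constructed sample: admin-DB user with wildcard read access, no listDatabases.
const devPrivs = [
  { resource: { db: "", collection: "" }, actions: ["find", "listCollections"] },
];
// Constructed sample: names a successful listDatabases call would return.
const listed = ["admin", "tenant_a", "tenant_b"];

console.log(visibleDatabases(tenantPrivs, listed, null));  // tenant sees one DB
console.log(visibleDatabases(devPrivs, null, "orders"));   // default DB fallback
```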
Is something going to happen with this issue?
Hi @watchmaker-io, sorry for the long delay, but there is a limited number of contributors for Robomongo. This ticket is labeled as "high-vote", which is one of the highest priority tags, and which means it will be investigated sooner than other issues.
+1
+1
+1
I think the least thing that should happen is that the default database shows up in the left pane even when the user doesn't have the permission to listDatabases
+1
As a workaround, I'm able to make a database visible in Robo 3T right-clicking the connection name, clicking "Create Database" feature and typing the name of my existing db.
I too would like to see this in Robomongo.
However, just thought i'd mention that the paid 3T Studio DOES show user-accessible DBs. In case you were considering upgrading. (I have no connection to 3T, just happen to use both packages)
Please just fix this.
When I use MongoDB Compass Community Edition to connect to a database, using a user that is specified in the admin db and just has read access in a database, the database is showing in the left pane.
I'm responsible for migrating a project from SQL server to MongoDB. I want to keep security tight. I have created a user in the admindb that only has read access in one of our databases. To demo this to my colleagues I connect to the database using the "reader user". It is hard for them to believe that they are actually connected to the right database when there is only the admin database showing in the left pane.
We are in the early stages of migrating and I have to prove to the project that mongodb is easy to use and administrate, secure and that there are tools that are intuitive and easy to use.
Maybe I should just use compass instead?
Hi All, we are very sorry for the long delay.
Root cause of the problem seems to be coming from MongoDB command listDatabases. This command can be run only by admin and not by authenticated users which is causing our problem in this ticket.
The fix seems to be in MongoDB version r4.1.8 which was released a day ago.
At this moment, the new Robo 1.3 has already been upgraded from MongoDB 3.4 to 4.0.5, soon to be released.
To fix this problem, we will need to upgrade MongoDB drivers at least to 4.1.8 in the next Robo releases.
Details:
https://jira.mongodb.org/browse/SERVER-6898
Message: SERVER-6898 Enable listDatabases for all users
Branch: master
https://github.com/mongodb/mongo/commit/a34fa65325dafc01857a4525d0d8b2f26b485965
And as a workaround this seems to be working:
Create a new database with the name of existing db to which the user is authenticated.
Thanks to @jeanbmar for this workaround, original comment: #389 (comment)
Nope, doesn't work for me!
Failed to create database 'db-name'.
Error:
Unauthorized