Creating custom role for a limited sysadmin account on a sharded cluster

When I create a custom role (while connected to mongos):

db.createRole({
  role: "sysad",
  privileges: [
    {
      resource: { db: "admin", collection: "" },
      actions: ["replSetStateChange", "replSetGetStatus"]
    }
  ],
  roles: ["clusterAdmin"]
})

It creates the role in the “admin” database, but not across the cluster. If I understand this, do I need to run this create role command on the primary shard config database + each primary shard?

Same question for when I create the user with this role.

I’m a little confused, I thought it would create this role across the cluster and when I created the user, I thought it would also be cluster wide.

GOAL: I wanted to allow sysadmins the ability to login, see cluster status and be able to stepDown a primary in order to reboot that vm. When I create the role/user, and actually try it out, it works great.

(I’m using mongo 6 if that makes any difference).

Hello, welcome to the MongoDB community.

When you create a user in a sharded cluster, you will create it from mongos and it will store the user in the admin database of the config servers.

If you want to create a “local” user for that specific shard, you will need to log into the primary node of the shard and create the user, in which case it will store the user in the shard’s admin database.

Here is some documentation that may help you.

I am at your disposal.

Regards,
Samuel

4 Likes

Thank you, I believe that answers the question(?). The desire was to create a role/user that was omnipresent in all shards/config, but it just sounds like I need to create that role and user manually in mongos, then shard 1 and then shard 2. No big deal, it just makes me have to remember that X 3 when I rotate the password.

1 Like
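Putting Samuel's answer and the follow-up together in practice: the role and user have to exist in the config servers' admin database (created through mongos) and in each shard's own admin database (created on that shard's primary), and a password rotation has to be repeated in the same places. The script below is an added example, not code from this thread or from MongoDB; it runs under mongosh and provisions the same "sysad" role from the original post idempotently on every target, rotating the password where the user already exists, then verifies the role carries the intended actions. The connection strings in TARGETS and the user name "ops-sysadmin" are placeholders; the `passwordPrompt()` call keeps the password out of the script and shell history.

```javascript
// Added example (not from the thread): provision a custom role and user on every
// "admin" database a sharded cluster keeps, then verify. Run with:
//   mongosh --nodb --file provision_sysad.js
// The pure functions also work outside mongosh, e.g. against a fake db in a test.

// Hypothetical connection strings (assumption): replace with your mongos and the
// primary of each shard. Include credentials of an account allowed to manage users.
const TARGETS = [
  "mongodb://mongos-host:27017",      // stored in the config servers' admin db
  "mongodb://shard1-primary:27018",   // shard-local admin db
  "mongodb://shard2-primary:27018",   // shard-local admin db
];

const ROLE_NAME = "sysad";

// Role exactly as in the original post: cluster status + stepDown, inheriting clusterAdmin.
function buildRoleSpec() {
  return {
    role: ROLE_NAME,
    privileges: [
      {
        resource: { db: "admin", collection: "" },
        actions: ["replSetStateChange", "replSetGetStatus"],
      },
    ],
    roles: ["clusterAdmin"],
  };
}

// User bound to the custom role in the admin database.
function buildUserSpec(username, password) {
  return { user: username, pwd: password, roles: [{ role: ROLE_NAME, db: "admin" }] };
}

// Idempotent provisioning: create what is missing, otherwise rotate the password,
// so the same script is rerun on every target whenever credentials change.
function provisionOn(adminDb, username, password) {
  const result = { role: "unchanged", user: "unchanged" };
  if (!adminDb.getRole(ROLE_NAME)) {
    adminDb.createRole(buildRoleSpec());
    result.role = "created";
  }
  if (!adminDb.getUser(username)) {
    adminDb.createUser(buildUserSpec(username, password));
    result.user = "created";
  } else {
    adminDb.updateUser(username, { pwd: password });
    result.user = "password rotated";
  }
  return result;
}

// Check that the role's directly granted privileges include every expected action
// (inherited privileges from clusterAdmin are reported separately by the server).
function roleHasActions(adminDb, expectedActions) {
  const role = adminDb.getRole(ROLE_NAME, { showPrivileges: true });
  if (!role) return false;
  const granted = new Set(role.privileges.flatMap((p) => p.actions));
  return expectedActions.every((a) => granted.has(a));
}

// mongosh entry point; skipped when the file is loaded outside mongosh.
if (typeof Mongo !== "undefined") {
  const username = "ops-sysadmin";           // placeholder user name (assumption)
  const password = passwordPrompt();          // prompted, never stored in the script
  for (const uri of TARGETS) {
    const adminDb = new Mongo(uri).getDB("admin");
    print(uri, JSON.stringify(provisionOn(adminDb, username, password)));
    print("  role verified:", roleHasActions(adminDb, ["replSetGetStatus", "replSetStateChange"]));
  }
}
```

Because the shard-local copies are independent of the one in the config servers, a rotation that skips a shard leaves the old password valid there; rerunning this script against the full TARGETS list is what keeps the three copies in step.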