We can't seem to find any conclusive document on what permissions (user roles) are required to run mongodump on a specific db.
Say I have a db named
TL;DR: For mongodb 2.4, you need at least a user with read role as well as userAdmin on the db. Or else you will run into the error we faced in the question when dumping system.users.bson on such db.
So we overlooked an important reference: man mongodump. However, you need to have mongodump 2.4.x to see the relevant section, so here is a reference via mongodb github docs:
Required User Privileges
------------------------

.. note:: User privileges changed in MongoDB 2.4.

The user must have appropriate privileges to read data from database
holding collections in order to use :program:`mongodump`. Consider the
following :doc:`required privileges ` for
the following :program:`mongodump` operations:

.. list-table::
   :header-rows: 1

   * - Task
     - Required Privileges
   * - All collections in a database except ``system.users``.
     - :authrole:`read`. [#read-or-read-write]_
   * - All collections in a database, including ``system.users``.
     - :authrole:`read` [#read-or-read-write]_ and :authrole:`userAdmin`.
   * - All databases. [#profiling-exception]_
     - :authrole:`readAnyDatabase`, :authrole:`userAdminAnyDatabase`,
       and :authrole:`clusterAdmin`. [#cluster-admin]_

See :doc:`/reference/system-defined-roles` and
:doc:`/reference/privilege-documents` for more information on user
roles.

.. [#read-or-read-write] You may provision :authrole:`readWrite`
   instead of :authrole:`read`.

.. [#cluster-admin] :authrole:`clusterAdmin` provides the ability to
   run the :dbcommand:`listDatabases` command, to list all existing
   databases.

.. [#profiling-exception] If any database runs with profiling enabled,
   :program:`mongodump` may need the
   :authrole:`dbAdminAnyDatabase` privilege to dump the
   ``system.profile`` collection.
PS: there is currently no way to skip certain collection(s), so if you only have read or readWrite role on a db, you need to dump each collection individually.
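
An added example, not part of the original answer: a shell function for the per-collection dump described in the PS, for a backup user that holds only read (or readWrite) and so cannot dump ``system.users``. The function name, the ``MONGODUMP`` override variable and the collection list passed as arguments are assumptions of this sketch; the ``mongodump`` options used are ``--db``, ``--collection``, ``--out``, ``--username`` and ``--password``.

```shell
#!/bin/sh
# Added example: dump a database one collection at a time with a user
# that holds only the read (or readWrite) role on that database.

# MONGODUMP can be overridden, e.g. MONGODUMP=echo for a dry run (assumption
# of this sketch, not a mongodump feature).
MONGODUMP="${MONGODUMP:-mongodump}"

# dump_readable_collections DB OUTDIR USER COLLECTION...
# Skips system.users, which needs userAdmin in addition to read on 2.4.
# Returns non-zero if any collection failed to dump.
dump_readable_collections() {
    db="$1"; outdir="$2"; user="$3"; shift 3
    failed=0
    for coll in "$@"; do
        if [ "$coll" = "system.users" ]; then
            echo "skip: $db.system.users requires userAdmin" >&2
            continue
        fi
        # --password with no value, placed last, makes mongodump prompt,
        # which keeps the secret out of the process list and shell history.
        if ! $MONGODUMP --db "$db" --collection "$coll" --out "$outdir" \
                --username "$user" --password; then
            echo "fail: $db.$coll" >&2
            failed=1
        fi
    done
    return "$failed"
}

# Example call with constructed names:
#   dump_readable_collections mydb /var/backups/mydb backup orders customers
```

Because the password is prompted for on every call, each collection asks for it once; a non-zero return means at least one collection was not dumped and the backup is incomplete.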