Configure User Roles for MongoDB

The Liquibase MongoDB Pro Extension and the OSS extension access MongoDB as an ordinary database user and respect all of MongoDB's role-based access controls. That means you must grant sufficient privileges to the user ID that Liquibase connects with, so that Liquibase can perform the operations you expect of it.

This guide discusses two approaches to creating a user with sufficient privileges for Liquibase and the MongoDB extension to perform all of their functionality: the built-in roles method and the user-defined role method. It is possible to create more restrictive setups, but depending on which restrictions are imposed, some Liquibase and MongoDB extension features may not work.

Role requirements

The two methods to create a user with privileges for Liquibase include the built-in roles method and the user-defined role method. The built-in role method allows you to provide different levels of access commonly needed in a database system. The user-defined role method allows for custom role creation when the built-in roles cannot describe the privileges necessary for the job.

Permissions: roles required to manage non-administrative database changes

The minimum privileges Liquibase needs to manage changes to non-system collections and the system.js collection on the target database are the readWrite built-in role plus one additional privilege action that readWrite does not include:

  • readWrite (built-in role)
  • collMod (privilege action, granted on the target database)

Roles required to manage administrative tasks

  • readWrite
  • dbAdmin

As a MongoDB administrator, you have the ability to create a user using these standard roles or you can create your own custom roles. Liquibase supports both approaches as long as the resulting permissions meet the above requirements.

Built-in roles method

This method creates a user that has the readWrite and dbAdmin built-in roles on the target database. dbAdmin already includes collMod along with the other administrative actions, so with both roles the user can run the Liquibase MongoDB extension's administrative tasks as well as ordinary changes. As mentioned above, the built-in role method allows you to provide different levels of access commonly needed in a database system. If you need a user with administrative access, use this method.

Note: Without dbAdmin role permissions, you cannot run the MongoDB extension from the administrative perspective.

Create a user with the built-in readWrite and dbAdmin roles by executing the following code in one of two ways:

  1. With your own user, password, and database content, run the code in the MongoDB shell. Switch to the intended database first (for example, use yourdb): db.createUser creates the user in the current database, which becomes the user's authentication database, and the Liquibase connection URL must name that same database (as the database in the URL path or via its authSource parameter) or authentication will fail even though the roles are correct.
  2. With your own user, password, and database content, add this code as part of the Docker init-script if you use Docker to start your database (for the official mongo image, a .js file in /docker-entrypoint-initdb.d/, which runs against the database named by MONGO_INITDB_DATABASE).

db.createUser(
    {
        user: "lbuser",
        pwd: "password",
        roles: [
            {
                role: "readWrite",
                db: "yourdb"
            },
            {
                role: "dbAdmin",
                db: "yourdb"
            }
        ]
    }
);

User-defined roles method

This method creates a custom user-defined role that inherits from the readWrite role and adds only the collMod privilege. If the user should not hold the dbAdmin role for security reasons (least privilege), use this method.

Create a role that inherits readWrite and adds only the collMod privilege, then assign it to a new user, by executing the two sections of code in one of two ways:

  • With your own user, password, and database content, run the code in the MongoDB shell. Switch to the target database first (use yourdb): db.createRole creates the role in the current database, and the later reference { role: "liquibase_role", db: "yourdb" } only resolves if the role lives in yourdb. The same applies to db.createUser, which creates the user in the current database and makes it the user's authentication database.
  • With your own user, password, and database content, add this code as part of the Docker init-script if you use Docker to start your database.

  1. Create a role with the specific action. The empty collection name scopes collMod to the whole database rather than to a single named collection:

db.createRole(
    {
        role: "liquibase_role",
        privileges: [{resource: {db: "yourdb", collection: ""}, actions: ["collMod"]}],
        roles: [
            { role: "readWrite", db: "yourdb" }
        ]
    }
);

  2. Assign the role to your newly created user:

db.createUser(
    {
        user: "lbuser",
        pwd: "password",
        roles: [
            {
                role: "liquibase_role",
                db: "yourdb"
            }
        ]
    }
);
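Whichever method you use, verify the result from the user's own session rather than trusting the createUser call: connect as lbuser and run db.runCommand({ connectionStatus: 1, showPrivileges: true }), which reports the privileges the server actually applies (authenticatedUserPrivileges). The script below is an added example, not part of this page or of Liquibase's or MongoDB's code. It evaluates such a report against the readWrite-plus-collMod requirement above; loaded in mongosh it checks the live session, and run under plain Node.js it works on constructed samples that mimic the command's output for the built-in and user-defined setups. The list of checked actions and the illustrative collection name "databasechangelog" are assumptions made for the example.

```javascript
// Added example (not Liquibase's or MongoDB's own code): check whether a user's
// effective privileges cover what the Liquibase MongoDB extension needs on the
// target database. Runs as plain Node.js on the constructed samples below; if
// loaded in mongosh (load("check_lbuser.js") while authenticated as the user
// under test) it inspects the live session instead. Sample shape mimics
//   db.runCommand({ connectionStatus: 1, showPrivileges: true })

// Actions the extension relies on (assumed list for illustration).
// readWrite grants all but collMod; collMod comes from liquibase_role or dbAdmin.
const REQUIRED_ACTIONS = [
  "find", "insert", "update", "remove",
  "createCollection", "dropCollection", "createIndex", "dropIndex",
  "listCollections", "listIndexes", "collMod",
];

// Does a privilege's resource document apply to collection `coll` in `dbName`?
// An empty collection name covers every collection in that database and an
// empty db name covers every database; cluster-scoped privileges never apply.
function resourceCovers(resource, dbName, coll) {
  if (resource.anyResource) return true;
  if (resource.cluster) return false;
  const dbMatch = resource.db === "" || resource.db === dbName;
  const collMatch = resource.collection === "" || resource.collection === coll;
  return dbMatch && collMatch;
}

// Union of all actions a privilege list grants on dbName/coll.
function effectiveActions(privileges, dbName, coll) {
  const granted = new Set();
  for (const p of privileges) {
    if (resourceCovers(p.resource, dbName, coll)) {
      for (const a of p.actions) granted.add(a);
    }
  }
  return granted;
}

// Required actions the authenticated user lacks on dbName; [] means sufficient.
// "databasechangelog" is only an illustrative collection name (assumption).
function missingActions(connectionStatus, dbName, coll = "databasechangelog") {
  const privs = (connectionStatus.authInfo || {}).authenticatedUserPrivileges || [];
  const have = effectiveActions(privs, dbName, coll);
  return REQUIRED_ACTIONS.filter((a) => !have.has(a));
}

// Per-database actions of the readWrite built-in role, as the server reports them.
const READ_WRITE_ACTIONS = [
  "changeStream", "collStats", "convertToCapped", "createCollection",
  "createIndex", "dbHash", "dbStats", "dropCollection", "dropIndex", "find",
  "insert", "killCursors", "listCollections", "listIndexes", "planCacheRead",
  "remove", "renameCollectionSameDB", "update",
];

// Build a connectionStatus-shaped document for lbuser (constructed sample data).
function sampleStatus(privileges) {
  return {
    authInfo: {
      authenticatedUsers: [{ user: "lbuser", db: "yourdb" }],
      authenticatedUserPrivileges: privileges,
    },
    ok: 1,
  };
}

// Sample 1: liquibase_role from the page (readWrite plus collMod on yourdb).
const SAMPLE_LIQUIBASE_ROLE = sampleStatus([
  { resource: { db: "yourdb", collection: "" }, actions: ["collMod"] },
  { resource: { db: "yourdb", collection: "" }, actions: READ_WRITE_ACTIONS },
]);
// Sample 2: the collMod step was skipped; readWrite alone.
const SAMPLE_READWRITE_ONLY = sampleStatus([
  { resource: { db: "yourdb", collection: "" }, actions: READ_WRITE_ACTIONS },
]);
// Sample 3: the roles were granted on a different database than Liquibase targets.
const SAMPLE_WRONG_DB = sampleStatus([
  { resource: { db: "otherdb", collection: "" }, actions: ["collMod"] },
  { resource: { db: "otherdb", collection: "" }, actions: READ_WRITE_ACTIONS },
]);

if (typeof db !== "undefined") {
  // Inside mongosh: ask the server what the current session can actually do.
  const status = db.runCommand({ connectionStatus: 1, showPrivileges: true });
  console.log("missing on", db.getName(), ":", missingActions(status, db.getName()));
} else {
  console.log(missingActions(SAMPLE_LIQUIBASE_ROLE, "yourdb")); // []
  console.log(missingActions(SAMPLE_READWRITE_ONLY, "yourdb")); // [ 'collMod' ]
  console.log(missingActions(SAMPLE_WRONG_DB, "yourdb").length); // 11
}
```

The check deliberately reads the server's own privilege report rather than the role definitions: a role created in the wrong database, or a user whose authentication database does not match the Liquibase URL, shows up here as missing actions (sample 3) or as a failed login, which is exactly what a practitioner wants to catch before the first liquibase update run.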

Related links