Grant Right to Use $Eval on MongoDB 3.2

DZone 's Guide to

Grant Right to Use $Eval on MongoDB 3.2

How do you enable a user to execute the $eval command in MongoDB? You might not think this is an issue, but you might also be surprised. Read on to find out more.

· Database Zone ·
Free Resource

One of the side effects of enabling authorization on MongoDB is that, even if you create a user with “root” right, this account is not able to execute the $eval command. The symptom is, when you try to execute $eval you get this error:

mongodb Command '$eval' failed: not authorized on jarvis-framework-saga-test to execute command

This happens because $eval is somewhat deprecated, and it should not be used. Since it is a dangerous command, a user should have access to all action on all resources, and you need to create a role that has anyAction on anyResource.

If you really need to use $eval, you should create a role. Just connect to the admin database and create a new role with the command.

role: "executeEval", 
privileges: [ { 
resource: { anyResource: true }, 
actions: [ "anyAction" ] } ], 
roles: []
 } ) 

Now that you have this new role, just add it to all the users that need to use $eval. As an example, if you have a single admin user in the admin database, just run this against the admin DB.

db.grantRolesToUser("admin", [ { role: "executeFunctions", db: "admin" } ])

And now, the admin user can execute $eval against all databases.

mongodb ,database ,authorization ,users ,permissions

Published at DZone with permission of Ricci Gian Maria , DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}