MongoDB Index Builds – Preventing Users From Triggering New Builds

Index builds on MongoDB production clusters need to be handled with the utmost care. We have documented the issues in detail in one of our previous blog posts - The Perils of Building Indexes on MongoDB.

Depending on the size of your data, both foreground and background builds can bring your cluster down. So, how do you prevent your users from accidentally triggering index builds from the MongoDB CLI? The short answer is that you cannot. However, what you can do is remove the "CreateIndex" privilege from most of your users so that they cannot accidentally trigger an index build from the CLI. There should be very few users in your system who have access to write data to the database. Among these users, even fewer should have permission to build indexes. For a primer on how to use MongoDB roles, please refer to the documentation - Manage Users and Roles.

The best option to implement this is to create your own custom role and remove the ‘CreateIndex’ privilege for your users. However, we did not want to build the list of permissions by hand since this will be different for each context and possibly MongoDB version. We put together this small script to use one of the existing built-in roles, and removed the ‘CreateIndex’ privilege from this role. In this example, we are using the builtin "readWrite" role and removing the "CreateIndex' privilege from this role:

xxxxxxxxxx

var privs = db.getRole('readWrite',{ showPrivileges: true });

privs.privileges.forEach(function (item, index) {

  var index = item.actions.indexOf("createIndex");

  if (index !== -1) item.actions.splice(index, 1);

});

db.createRole({role:"readWriteNoIndex",privileges:privs.privileges,roles:[]});

1. Save the contents of the code snippet as createRole.js.
2. Run the script using the syntax below:

mongo -u <user> -p <p> <host>:27017/<db name> --authenticationDatabase admin createRole.js

Once the role is created, you can use this role to create users going forward.