## Creating MongoDB Users And Roles

Be sure to start your MongoDB instance with the `--auth` flag 

In [11]:
from pymongo import MongoClient
from getpass import getpass

### Connect To Admin Database

In [12]:
mongodb_uri = "mongodb://localhost:27017/"
db_name = "admin"

In [13]:
client = MongoClient(mongodb_uri)
db = client[db_name]

### Creating Your First Admin User

In [15]:
try:
    db.command("createUser", "admin_user", pwd = getpass("New User Password: "), roles = ["userAdminAnyDatabase"] )
    print("User created successfully.")
except Exception as e:
    print(f"An error occurred: {e}")

An error occurred: User "admin_user@admin" already exists, full error: {'ok': 0.0, 'errmsg': 'User "admin_user@admin" already exists', 'code': 51003, 'codeName': 'Location51003'}


##### Creating a new user in Mongo Shell:
```javascript
db.createUser({user: 'your_username', pwd: passwordPrompt(), roles: ['userAdminAnyDatabase']})
```

### Login Helper Function

In [16]:
client = None

def login(username=None, password=None, auth_source=None, host="localhost", port=27017):
    global client
    if username == None: username=input("User Name: ")
    if password == None: password=getpass("Enter Password: ")
    if auth_source == None: auth_source=input("Auth Source: ")

    client = MongoClient(host=host, port=port)
    client[auth_source].authenticate(username, password)

#### URI String Format:
``` python
"mongodb://your_user_name:your_password@localhost:27017/?authSource=db_name"
```

##### Logging In through the MongoDB Shell:

```javascript
use your_auth_source_db_name
db.auth("your_username")
```

### Login As Your New User

In [17]:
login()

TypeError: 'Collection' object is not callable. If you meant to call the 'authenticate' method on a 'Database' object it is failing because no such method exists.

In [19]:
client.list_database_names()

['admin',
 'aggregation_test',
 'c12_agg_db',
 'config',
 'contacts_db',
 'course-goals',
 'entertainment',
 'local',
 'my_store',
 'numerical_demo',
 'performance_db',
 'persons_index_demo',
 'schema_demo',
 'secure_demo',
 'shop',
 'swfavorites',
 'test',
 'tv_database',
 'userdb']

In [20]:
### Will Result in Error (this user does not have read privledges)
#db = client["my_store"]
#db.products.find_one({})

### Create A User With Read/Write Privledges 

In [None]:
db = client["my_store"]
db.command("createUser", "app_dev", pwd = getpass("New User Password: "), roles = ["readWrite"] )

New User Password: ········


{'ok': 1.0}

In [None]:
login()

User Name: app_dev
Enter Password: ········
Auth Source: my_store


In [21]:
client.list_database_names()

['admin',
 'aggregation_test',
 'c12_agg_db',
 'config',
 'contacts_db',
 'course-goals',
 'entertainment',
 'local',
 'my_store',
 'numerical_demo',
 'performance_db',
 'persons_index_demo',
 'schema_demo',
 'secure_demo',
 'shop',
 'swfavorites',
 'test',
 'tv_database',
 'userdb']

In [22]:
db = client["my_store"]
db.products.find_one({})

{'_id': ObjectId('687919b346a75f5f28626440'), 'name': 'Boat', 'price': '5.50'}

### Creating Custom Roles

In [None]:
### Log back into admin user account
login()

User Name: admin_user
Enter Password: ········
Auth Source: admin


In [23]:
db = client["admin"]
db.command("grantRolesToUser", grantRolesToUser="admin_user", roles=["userAdmin"])

{'ok': 1.0}

##### Grant Roles To User in MongoDB Shell:

```javascript
db.grantRolesToUser( "your_username", [ "role_name_1", "role_name_2" ] )
```

In [24]:
db.command("createRole", "product_data_analyst_role", privileges= [
                                { "resource": {"db": "my_store", "collection": "products" }, 
                                  "actions": ["find"] 
                                },
                                { "resource": {"db": "", "collection": ""}, 
                                  "actions": ["changeOwnPassword", "changeOwnCustomData"] 
                                }
                            ],
           roles=[]
          )

{'ok': 1.0}

##### Create a new Role in MongoDB Shell:
```javascript
db.createRole({role: 'your_role_name', 
               privileges: [{ 
                   resource: {db: "your_db_name", collection: "your_collection_name"}, 
                   actions: ["action_name_1", "action_name_2] 
               }],
               roles: [{role: "existing_role_name", db: "your_db_name"}]
              })
```

In [26]:
'''db.command("createUser", "Jess", pwd = getpass("New User Password: "), roles = ["product_data_analyst_role"],
           customData={"name": "Jessica Redmann", "role": "Data Analyst", "email": "jess.r@company_name.com"} 
          )'''

'db.command("createUser", "Jess", pwd = getpass("New User Password: "), roles = ["product_data_analyst_role"],\n           customData={"name": "Jessica Redmann", "role": "Data Analyst", "email": "jess.r@company_name.com"} \n          )'

In [27]:
db.command("usersInfo", 1)

{'users': [{'_id': 'admin.admin_user',
   'userId': Binary(b'\x86S\x82n\x9b\x92Jp\xb1V\x04=\xae\xe10\x03', 4),
   'user': 'admin_user',
   'db': 'admin',
   'roles': [{'role': 'userAdmin', 'db': 'admin'},
    {'role': 'userAdminAnyDatabase', 'db': 'admin'}],
   'mechanisms': ['SCRAM-SHA-1', 'SCRAM-SHA-256']},
  {'_id': 'admin.testUser',
   'userId': Binary(b't\x16\x1d\x91\xec\xbfK\x91\x83\xfd\x03\xb6\xd5P\xf1m', 4),
   'user': 'testUser',
   'db': 'admin',
   'roles': [{'role': 'readWrite', 'db': 'secure_demo'},
    {'role': 'read', 'db': 'test'}],
   'mechanisms': ['SCRAM-SHA-1', 'SCRAM-SHA-256']}],
 'ok': 1.0}

In [28]:
db.command("rolesInfo", 1, showPrivileges=True)

{'roles': [{'_id': 'admin.product_data_analyst_role',
   'role': 'product_data_analyst_role',
   'db': 'admin',
   'privileges': [{'resource': {'db': 'my_store', 'collection': 'products'},
     'actions': ['find']},
    {'resource': {'db': '', 'collection': ''},
     'actions': ['changeOwnPassword', 'changeOwnCustomData']}],
   'roles': [],
   'isBuiltin': False,
   'inheritedRoles': [],
   'inheritedPrivileges': [{'resource': {'db': 'my_store',
      'collection': 'products'},
     'actions': ['find']},
    {'resource': {'db': '', 'collection': ''},
     'actions': ['changeOwnPassword', 'changeOwnCustomData']}]}],
 'ok': 1.0}

In [None]:
login()

User Name: Jess
Enter Password: ········
Auth Source: admin


In [29]:
db = client["my_store"]
db.products.find_one({})

{'_id': ObjectId('687919b346a75f5f28626440'), 'name': 'Boat', 'price': '5.50'}

In [None]:
# Gets an Operation failure (unauthorized to find on users collections, only products)
# db.users.find_one({})

In [None]:
db = client["admin"]
db.command("updateUser", updateUser="Jess", pwd=getpass("Enter New Password: "))

Enter New Password: ········


{'ok': 1.0}

In [None]:
login()

User Name: Jess
Enter Password: ········
Auth Source: admin


### Deleting Users / Roles

##### Login as user with userAdmin role

In [None]:
login()

User Name: admin_user
Enter Password: ········
Auth Source: admin


In [None]:
db = client["my_store"]
db.command("dropUser", "app_dev")

{'ok': 1.0}

In [None]:
db = client["admin"]
db.command("dropUser", "Jess")

{'ok': 1.0}

In [None]:
db = client["admin"]
db.command("dropRole", "product_data_analyst_role")

{'ok': 1.0}

In [None]:
db = client["admin"]
db.command("dropUser", "admin_user")

{'ok': 1.0}