## Creating MongoDB Users And Roles

Be sure to start your MongoDB instance with the `--auth` flag 

In [1]:
from pymongo import MongoClient
from getpass import getpass

### Connect To Admin Database

In [2]:
mongodb_uri = "mongodb://localhost:27017/"
db_name = "admin"

In [3]:
client = MongoClient(mongodb_uri)
db = client[db_name]

### Creating Your First Admin User

In [4]:
db.command("createUser", "admin_user", pwd = getpass("New User Password: "), roles = ["userAdminAnyDatabase"] )

New User Password: ········


{'ok': 1.0}

##### Creating a new user in Mongo Shell:
```javascript
db.createUser({user: 'your_username', pwd: passwordPrompt(), roles: ['userAdminAnyDatabase']})
```

### Login Helper Function

In [5]:
client = None

def login(username=None, password=None, auth_source=None, host="localhost", port=27017):
    global client
    if username == None: username=input("User Name: ")
    if password == None: password=getpass("Enter Password: ")
    if auth_source == None: auth_source=input("Auth Source: ")

    client = MongoClient(host=host, port=port)
    client[auth_source].authenticate(username, password)

#### URI String Format:
``` python
"mongodb://your_user_name:your_password@localhost:27017/?authSource=db_name"
```

##### Logging In through the MongoDB Shell:

```javascript
use your_auth_source_db_name
db.auth("your_username")
```

### Login As Your New User

In [6]:
login()

User Name: admin_user
Enter Password: ········
Auth Source: admin


In [7]:
client.list_database_names()

['admin',
 'advanced_features',
 'aggregation_test',
 'config',
 'local',
 'my_store',
 'video_game']

In [9]:
### Will Result in Error (this user does not have read privledges)
#db = client["my_store"]
#db.products.find_one({})

### Create A User With Read/Write Privledges 

In [10]:
db = client["my_store"]
db.command("createUser", "app_dev", pwd = getpass("New User Password: "), roles = ["readWrite"] )

New User Password: ········


{'ok': 1.0}

In [11]:
login()

User Name: app_dev
Enter Password: ········
Auth Source: my_store


In [12]:
client.list_database_names()

['admin',
 'advanced_features',
 'aggregation_test',
 'config',
 'local',
 'my_store',
 'video_game']

In [13]:
db = client["my_store"]
db.products.find_one({})

{'_id': ObjectId('61add44dc64307306cc87b66'),
 'product_name': 'Bag',
 'price': 26.7904,
 'seller': 'Raymond'}

### Creating Custom Roles

In [14]:
### Log back into admin user account
login()

User Name: admin_user
Enter Password: ········
Auth Source: admin


In [15]:
db = client["admin"]
db.command("grantRolesToUser", grantRolesToUser="admin_user", roles=["userAdmin"])

{'ok': 1.0}

##### Grant Roles To User in MongoDB Shell:

```javascript
db.grantRolesToUser( "your_username", [ "role_name_1", "role_name_2" ] )
```

In [16]:
db.command("createRole", "product_data_analyst_role", privileges= [
                                { "resource": {"db": "my_store", "collection": "products" }, 
                                  "actions": ["find"] 
                                },
                                { "resource": {"db": "", "collection": ""}, 
                                  "actions": ["changeOwnPassword", "changeOwnCustomData"] 
                                }
                            ],
           roles=[]
          )

{'ok': 1.0}

##### Create a new Role in MongoDB Shell:
```javascript
db.createRole({role: 'your_role_name', 
               privileges: [{ 
                   resource: {db: "your_db_name", collection: "your_collection_name"}, 
                   actions: ["action_name_1", "action_name_2] 
               }],
               roles: [{role: "existing_role_name", db: "your_db_name"}]
              })
```

In [17]:
db.command("createUser", "Jess", pwd = getpass("New User Password: "), roles = ["product_data_analyst_role"],
           customData={"name": "Jessica Redmann", "role": "Data Analyst", "email": "jess.r@company_name.com"} 
          )

New User Password: ········


{'ok': 1.0}

In [18]:
db.command("usersInfo", 1)

{'users': [{'_id': 'admin.Jess',
   'userId': UUID('d239f696-5a02-4537-92d7-1744b80ea8cf'),
   'user': 'Jess',
   'db': 'admin',
   'customData': {'name': 'Jessica Redmann',
    'role': 'Data Analyst',
    'email': 'jess.r@company_name.com'},
   'roles': [{'role': 'product_data_analyst_role', 'db': 'admin'}],
   'mechanisms': ['SCRAM-SHA-1', 'SCRAM-SHA-256']},
  {'_id': 'admin.admin_user',
   'userId': UUID('51413790-6bc6-4319-8f78-f3f93c7bd5fb'),
   'user': 'admin_user',
   'db': 'admin',
   'roles': [{'role': 'userAdminAnyDatabase', 'db': 'admin'},
    {'role': 'userAdmin', 'db': 'admin'}],
   'mechanisms': ['SCRAM-SHA-1', 'SCRAM-SHA-256']}],
 'ok': 1.0}

In [20]:
db.command("rolesInfo", 1, showPrivileges=True)

{'roles': [{'_id': 'admin.product_data_analyst_role',
   'role': 'product_data_analyst_role',
   'db': 'admin',
   'privileges': [{'resource': {'db': 'my_store', 'collection': 'products'},
     'actions': ['find']},
    {'resource': {'db': '', 'collection': ''},
     'actions': ['changeOwnPassword', 'changeOwnCustomData']}],
   'roles': [],
   'isBuiltin': False,
   'inheritedRoles': [],
   'inheritedPrivileges': [{'resource': {'db': 'my_store',
      'collection': 'products'},
     'actions': ['find']},
    {'resource': {'db': '', 'collection': ''},
     'actions': ['changeOwnPassword', 'changeOwnCustomData']}]}],
 'ok': 1.0}

In [21]:
login()

User Name: Jess
Enter Password: ········
Auth Source: admin


In [22]:
db = client["my_store"]
db.products.find_one({})

{'_id': ObjectId('61add44dc64307306cc87b66'),
 'product_name': 'Bag',
 'price': 26.7904,
 'seller': 'Raymond'}

In [24]:
# Gets an Operation failure (unauthorized to find on users collections, only products)
# db.users.find_one({})

In [25]:
db = client["admin"]
db.command("updateUser", updateUser="Jess", pwd=getpass("Enter New Password: "))

Enter New Password: ········


{'ok': 1.0}

In [27]:
login()

User Name: Jess
Enter Password: ········
Auth Source: admin


### Deleting Users / Roles

##### Login as user with userAdmin role

In [28]:
login()

User Name: admin_user
Enter Password: ········
Auth Source: admin


In [31]:
db = client["my_store"]
db.command("dropUser", "app_dev")

{'ok': 1.0}

In [34]:
db = client["admin"]
db.command("dropUser", "Jess")

{'ok': 1.0}

In [36]:
db = client["admin"]
db.command("dropRole", "product_data_analyst_role")

{'ok': 1.0}

In [38]:
db = client["admin"]
db.command("dropUser", "admin_user")

{'ok': 1.0}