Minimum permission for using mongodump (to dump a specific db)

This minimal set of privileges seems to work fine for me (note that the built-in 'backup' role exists only in the 'admin' database). The first privilege is needed to get rid of the [myDb.system.indexes: not authorized on myDb to execute command { count: "system.indexes", query: {} }] error:

db.createRole({
     role: "myDumpRole",
     privileges: [
       { resource: { db: "myDb", collection: "system.indexes" }, actions: [ "find"] },
       { resource: { db: "myDb", collection: "" }, actions: [ "find", "listCollections", "listIndexes", "indexStats"] }
     ]
});
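As an added example (not part of the answer above, and not MongoDB's own code), here is a small offline checker that takes a role document of the shape passed to db.createRole() and reports which actions mongodump needs on a given database/collection that the role does not grant. It assumes a simplified model of MongoDB resource matching (described in the comments) and the action list from the answer's role; the function names are hypothetical.

```javascript
// Constructed input: the role document from the answer above.
const myDumpRole = {
  role: "myDumpRole",
  privileges: [
    { resource: { db: "myDb", collection: "system.indexes" }, actions: ["find"] },
    { resource: { db: "myDb", collection: "" },
      actions: ["find", "listCollections", "listIndexes", "indexStats"] },
  ],
};

// Actions mongodump needs (taken from the role above): one database-level
// action and two per-collection actions.
const DB_ACTIONS = ["listCollections"];
const COLL_ACTIONS = ["find", "listIndexes"];

// Simplified model of how a MongoDB resource document matches a target:
//   { anyResource: true }        matches everything, system collections included
//   { cluster: true }            cluster-only, never a database or collection
//   { db: "x", collection: "" }  every non-system collection in x, plus x itself
//   { db: "", collection: "c" }  collection c in every database
//   { db: "", collection: "" }   every non-system collection in every database
// A database-level action is checked with coll === "" (the database itself).
function resourceMatches(resource, db, coll) {
  if (resource.anyResource) return true;
  if (resource.cluster) return false;
  const isSystem = coll.startsWith("system.");
  const dbOk = resource.db === "" || resource.db === db;
  const collOk = resource.collection === "" ? !isSystem : resource.collection === coll;
  return dbOk && collOk;
}

// True if any privilege of the role grants `action` on <db>.<coll>.
function grants(role, action, db, coll) {
  return role.privileges.some(
    (p) => resourceMatches(p.resource, db, coll) && p.actions.includes(action)
  );
}

// Actions mongodump needs on <db>.<coll> that the role does NOT grant.
function missingActions(role, db, coll) {
  const missing = DB_ACTIONS.filter((a) => !grants(role, a, db, ""));
  return missing.concat(COLL_ACTIONS.filter((a) => !grants(role, a, db, coll)));
}

// Why the answer's first privilege exists: { db: "myDb", collection: "" }
// alone does not reach system.* collections.
const dbWideOnly = { role: "dbWideOnly", privileges: [myDumpRole.privileges[1]] };

console.log(missingActions(myDumpRole, "myDb", "users"));           // []
console.log(missingActions(dbWideOnly, "myDb", "system.indexes"));  // [ 'find', 'listIndexes' ]
console.log(missingActions(myDumpRole, "otherDb", "users"));        // [ 'listCollections', 'find', 'listIndexes' ]
```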

Bad memory for me too. But I finally figured it out... Actually it's so simple. You just need to add a user with the backup role for mongodump and the restore role for mongorestore.

backup role: Provides minimal privileges needed for backing up data. This role provides sufficient privileges to use the MongoDB Cloud Manager backup agent, Ops Manager backup agent, or to use mongodump to back up an entire mongod instance.

restore role: Provides privileges needed to restore data from backups that do not include system.profile collection data. This role is sufficient when restoring data with mongorestore without the --oplogReplay option.

For example, you can create a backup user like this:

> use admin
> db.createUser({
    user: "backupuser",
    pwd: "12345",
    roles: ["backup"]
})

TL;DR: For mongodb 2.4, you need at least a user with read role as well as userAdmin on the db. Or else you will run into the error we faced in the question when dumping system.users.bson on such db.


So we overlooked an important reference: man mongodump

However, you need to have mongodump 2.4.x to see the relevant section, so here is a reference via mongodb github docs:

Required User Privileges
------------------------

.. note:: User privileges changed in MongoDB 2.4.

The user must have appropriate privileges to read data from database
holding collections in order to use :program:`mongodump`. Consider the
following :doc:`required privileges </reference/system-defined-roles>` for
the following :program:`mongodump` operations:

.. list-table::
   :header-rows: 1

   * - Task
     - Required Privileges

   * - All collections in a database except ``system.users``.
     - :authrole:`read`. [#read-or-read-write]_

   * - All collections in a database, including ``system.users``.
     - :authrole:`read` [#read-or-read-write]_ and :authrole:`userAdmin`.

   * - All databases. [#profiling-exception]_
     - :authrole:`readAnyDatabase`, :authrole:`userAdminAnyDatabase`,
       and :authrole:`clusterAdmin`. [#cluster-admin]_

See :doc:`/reference/system-defined-roles` and
:doc:`/reference/privilege-documents` for more information on user
roles.

.. [#read-or-read-write] You may provision :authrole:`readWrite`
   instead of :authrole:`read`.

.. [#cluster-admin] :authrole:`clusterAdmin` provides the ability to
   run the :dbcommand:`listDatabases` command, to list all existing
   databases.

.. [#profiling-exception] If any database runs with profiling enabled,
   :program:`mongodump` may need the
   :authrole:`dbAdminAnyDatabase` privilege to dump the
   ``system.profile`` collection.

PS: there is currently no way to skip certain collection(s), so if you only have the read or readWrite role on a db, you need to dump each collection individually.


Fortunately mongodump 3.0 is accepting options to skip certain collections.

This solved my problem of not having admin access to the database to tweak permissions. Please keep in mind that you will not create full backups anymore.

mongodump --excludeCollection=system.indexes

or

mongodump --excludeCollectionsWithPrefix=system
