1 00:00:02,340 --> 00:00:08,720 In the last lecture, we created our first user with this special localhost exception and we assigned 2 00:00:08,930 --> 00:00:10,130 a role to the user. 3 00:00:10,160 --> 00:00:12,630 Now we did never create that role, 4 00:00:12,640 --> 00:00:18,470 instead mongodb ships with a bunch of built-in roles that basically cover all the typical use cases 5 00:00:18,470 --> 00:00:19,240 you have. 6 00:00:19,460 --> 00:00:24,020 You can also create your own roles but that is beyond the scope of this course because this will be 7 00:00:24,020 --> 00:00:25,480 a pure admin task, 8 00:00:25,520 --> 00:00:30,170 you'll find a link in the last lecture of this module though which links you to the official docs where 9 00:00:30,170 --> 00:00:31,970 you can learn how to create such roles, 10 00:00:31,970 --> 00:00:34,140 it's actually pretty simple. 11 00:00:34,160 --> 00:00:36,650 So let's talk about the built-in roles though. 12 00:00:36,980 --> 00:00:40,150 We got a bunch of built-in roles in mongodb, 13 00:00:40,390 --> 00:00:44,200 for example we got typical roles for users of a database, 14 00:00:44,200 --> 00:00:46,410 so the people who work with the data in there 15 00:00:46,510 --> 00:00:53,010 and there we got two roles, a read and a readWrite role and these roles are pretty self-explanatory. 16 00:00:53,050 --> 00:00:58,480 You either got a role for users who only need to find data, so who can run all these queries, use the 17 00:00:58,480 --> 00:01:04,060 aggregation framework but will not be able to insert or update or delete data, well or you got full 18 00:01:04,060 --> 00:01:05,500 access. 19 00:01:05,530 --> 00:01:11,170 You also get typical database admin roles, like the user admin or the db admin. 20 00:01:11,170 --> 00:01:17,100 Now the db admin is for example a role for people who have that role are able to manage the database 21 00:01:17,110 --> 00:01:24,790 obviously, to create collections, user admin is more geared towards creating and managing users as the 22 00:01:24,790 --> 00:01:25,960 name suggests. 23 00:01:26,030 --> 00:01:33,760 Now these roles will grant the user access to you for example readWrite data but only inside the database 24 00:01:34,390 --> 00:01:38,800 to which you assigned that role and I will show you how you can assign roles to databases in the next 25 00:01:38,800 --> 00:01:39,520 lecture. 26 00:01:39,850 --> 00:01:43,560 We also have special roles of which we used one in the last lecture, 27 00:01:43,870 --> 00:01:50,470 all database roles, you can assign all these roles on the left to users for multiple databases, so you 28 00:01:50,470 --> 00:01:56,230 could give one user the read role for two different databases but of course sometimes you will have 29 00:01:56,230 --> 00:01:59,810 a case where you want to give a user rights to do something 30 00:01:59,860 --> 00:02:06,820 in all databases and also in all future databases and you don't want to manually add like the read role 31 00:02:07,000 --> 00:02:13,180 to a user for every database manually and therefore, you have these all database roles. So we also have 32 00:02:13,180 --> 00:02:18,760 read, readWrite, user admin and db admin, so all the roles we already saw on the left two boxes here 33 00:02:18,850 --> 00:02:25,930 but now in a special set up that will always give the user access to all databases. And that is why we 34 00:02:25,930 --> 00:02:31,630 use the user admin any database role in the last lecture because we want to have a user who is allowed 35 00:02:31,690 --> 00:02:38,620 to create users for any database and in any database no matter if the database already exists or is created 36 00:02:38,620 --> 00:02:40,310 in the future and so on. 37 00:02:41,780 --> 00:02:45,400 Now besides these roles we also have cluster administration roles, 38 00:02:45,500 --> 00:02:48,510 now we haven't talked about clusters at this point. 39 00:02:48,530 --> 00:02:56,330 Clusters are essentially constructs where you have multiple mongodb servers working together, 40 00:02:56,450 --> 00:03:03,020 this is used for scaling so that you can actually well have multiple machines running mongodb servers 41 00:03:03,050 --> 00:03:09,020 and store your data which then work together and managing these clusters of servers is of course a meaningful 42 00:03:09,020 --> 00:03:14,600 task, it is performed by people who know what they're doing and they have their own rights and you can 43 00:03:14,600 --> 00:03:18,360 assign their own rights to let them do their job. 44 00:03:18,380 --> 00:03:22,970 You also have special backup and restore roles in case you have some users who are only responsible 45 00:03:22,970 --> 00:03:23,690 for that, 46 00:03:23,870 --> 00:03:29,420 so these really are roles that just allow you to do that, backup the database or restore it 47 00:03:29,750 --> 00:03:32,500 and then there are super user roles. 48 00:03:32,600 --> 00:03:36,370 Now these are also roles we saw before except for root, 49 00:03:36,410 --> 00:03:43,970 now the idea here is if you assign the db owner or a user admin role to the admin database and I will 50 00:03:43,970 --> 00:03:45,950 show you how to assign roles to a database, 51 00:03:45,980 --> 00:03:51,200 so to a user and then to a specific database, if you assign them to the admin database, this will kind 52 00:03:51,200 --> 00:03:57,680 of be a special case because the admin database is a special database and these users are then able 53 00:03:57,680 --> 00:04:01,100 to create new users and also change their own role 54 00:04:01,130 --> 00:04:02,800 and that's why it's a super user. 55 00:04:02,840 --> 00:04:09,920 All these roles here basically allow a user to create new users and change users, so these users can create 56 00:04:09,920 --> 00:04:10,970 whatever they need 57 00:04:11,000 --> 00:04:13,070 and therefore these are very powerful roles. 58 00:04:13,100 --> 00:04:15,540 The root role is basically the most powerful role, 59 00:04:15,620 --> 00:04:18,830 if you assign this to a user, this user can do everything, 60 00:04:18,950 --> 00:04:24,410 so basically that will then be a user who has the same rights we had previously in this course before 61 00:04:24,410 --> 00:04:29,070 we started locking down the database with --auth. 62 00:04:29,090 --> 00:04:31,240 So these are the built-in roles, 63 00:04:31,310 --> 00:04:34,880 now you can learn way more about them in the official docs of course. 64 00:04:34,880 --> 00:04:38,970 The quickest way to get there is to just google for mongodb built-in roles 65 00:04:39,170 --> 00:04:48,600 and then there is a whole article in the official docs which talks about the official roles, also grouped 66 00:04:48,610 --> 00:04:54,700 in different categories as I did it on the slide and there, you do not only see a description of the 67 00:04:54,700 --> 00:05:01,900 role, you also see which actions this role unlocks because remember, a role is just a group of privileges, 68 00:05:01,960 --> 00:05:03,950 so these are essentially the privileges. 69 00:05:04,120 --> 00:05:09,970 So here you see the read role gives you access to the find command but also to the command to list 70 00:05:09,970 --> 00:05:13,490 collections which you do in the shell with show collections. 71 00:05:13,690 --> 00:05:19,390 So you can read through all the roles here and see what people who have that role are actually allowed 72 00:05:19,390 --> 00:05:19,930 to do 73 00:05:19,960 --> 00:05:22,940 which is of course a very powerful feature. 74 00:05:22,990 --> 00:05:25,410 Now with that, we know which roles exist 75 00:05:25,420 --> 00:05:32,110 but one thing I could imagine that is still unclear is how exactly you assign a role to a user and you 76 00:05:32,110 --> 00:05:35,410 control to which database this role then applies. 77 00:05:35,420 --> 00:05:37,600 So let's have a look at this in the next lectures.