1
00:00:02,280 --> 00:00:10,560
So we want to change our users roles here a bit because right now, our user here, appdev is only able

2
00:00:10,650 --> 00:00:13,560
to read and write in the shop database

3
00:00:13,830 --> 00:00:15,550
and then it's generally all right

4
00:00:15,570 --> 00:00:21,690
but let's say we have another database and that would be a blog that belongs to the shop,

5
00:00:21,720 --> 00:00:27,480
so it's also part of our shop application that we have a blog where we post about the latest new products

6
00:00:28,170 --> 00:00:33,390
and the same kind of app and therefore, the same developer should be able to work with that.

7
00:00:33,420 --> 00:00:35,160
How do we do that?

8
00:00:35,170 --> 00:00:40,130
Well we can update a user with the db update user command.

9
00:00:40,170 --> 00:00:45,520
Now the db update user command takes as a first argument the name of the user

10
00:00:45,540 --> 00:00:46,420
you want the update,

11
00:00:46,590 --> 00:00:47,420
so appdev

12
00:00:47,460 --> 00:00:48,930
in my example

13
00:00:49,230 --> 00:00:53,330
and then the second argument is the document where you describe the change to the user.

14
00:00:53,340 --> 00:00:57,620
Now this does not work like the update on the database with set or so

15
00:00:57,780 --> 00:01:02,370
but instead you now have a couple of key value pairs you can set and the full details can be found in

16
00:01:02,370 --> 00:01:07,220
the official docs of course, a link as always can be found in the last lecture of this module.

17
00:01:07,620 --> 00:01:13,960
So what you can do here is you can for example change the password if you want to but I don't want to,

18
00:01:14,100 --> 00:01:20,040
so what I will do here is I will simply assign new roles and now these roles will not be added to the

19
00:01:20,040 --> 00:01:22,050
old roles but will replace them,

20
00:01:22,080 --> 00:01:23,490
that's important.

21
00:01:23,490 --> 00:01:24,660
So of course I can add

22
00:01:24,660 --> 00:01:29,900
readWrite again to give that user the readWrite access to the database he's in

23
00:01:30,150 --> 00:01:32,070
but I want to do more than that,

24
00:01:32,130 --> 00:01:39,090
I also want to give the user readWrite access to the blog database and to do that, I add a second element

25
00:01:39,120 --> 00:01:40,260
to my roles array

26
00:01:40,380 --> 00:01:45,530
and that will be a document because if I just add a string like this, it will always just give the user

27
00:01:45,590 --> 00:01:48,920
readWrite access to the database the user was registered in.

28
00:01:49,110 --> 00:01:55,110
Now if I want to give access to a different database, I can do that by adding a document where I set

29
00:01:55,110 --> 00:01:57,470
the role to readWrite,

30
00:01:57,480 --> 00:02:02,430
I could also use a different role of course but I want to get readWrite access here and then I set

31
00:02:02,430 --> 00:02:07,350
the db explicitly and there, I could set this to blog.

32
00:02:07,350 --> 00:02:09,520
Now what do you think will happen if I hit enter?

33
00:02:10,430 --> 00:02:12,300
Well let's try out.

34
00:02:12,590 --> 00:02:14,370
We actually get an error that

35
00:02:14,450 --> 00:02:18,960
we are not authorized on shop to execute this command

36
00:02:19,070 --> 00:02:24,620
and the reason of course is that I'm still logged in with appdev and the appdev is allowed to read

37
00:02:24,620 --> 00:02:27,580
write data but not to change users.

38
00:02:27,590 --> 00:02:35,270
So what I actually need to do is I need to log out and switch to the other user, the first user we created

39
00:02:35,270 --> 00:02:36,190
.

40
00:02:36,320 --> 00:02:43,310
We can do this with db auth and there, username and password was Max but this will fail in the shop database

41
00:02:43,310 --> 00:02:45,750
because we created that user in the admin database,

42
00:02:45,920 --> 00:02:52,110
so we need to switch to the admin database and then, we can sign into this user and this now succeeded

43
00:02:52,520 --> 00:02:59,400
and now we can repeat that update command and I will just copy it from up there. It fails because now

44
00:02:59,400 --> 00:03:05,620
we are not finding that user in the admin database because remember, that user exists on the shop database,

45
00:03:05,640 --> 00:03:11,350
so let's actually quickly switch to shop and then execute this again

46
00:03:11,520 --> 00:03:17,230
and now this should have worked. And we can check this with the get user command and get our appdev

47
00:03:17,280 --> 00:03:18,040
user

48
00:03:18,180 --> 00:03:25,200
and we actually see the roles here and we see that now this user has still readWrite on the shop but

49
00:03:25,290 --> 00:03:31,980
also readWrite on the blog. Now with this added, we can log out again,

50
00:03:31,980 --> 00:03:38,310
so now we're logged out of our Max user who is allowed to create and edit the users and we can switch to

51
00:03:38,310 --> 00:03:47,180
shop where we have our other user and now authenticate it with appdev and dev.

52
00:03:47,190 --> 00:03:54,870
Now with this, we can switch to blog and we should be able to go to the post collection and insert one

53
00:03:54,930 --> 00:03:59,020
new post here with the title of this works.

54
00:04:00,630 --> 00:04:06,580
If I hit enter, I seem to have messed up with logging out and logging back in,

55
00:04:06,580 --> 00:04:14,280
so what I will quickly do is I will just restart my mongo shell with appdev dev against shop and

56
00:04:14,400 --> 00:04:19,750
after this succeeded, I'll use my blog database and retry my insert command

57
00:04:19,890 --> 00:04:21,000
and now this works.

58
00:04:21,000 --> 00:04:26,100
So now we can insert a post into the blog database even though the user exists on the shop database

59
00:04:26,340 --> 00:04:31,790
because we assigned two roles, actually the same role but two different databases.

60
00:04:31,800 --> 00:04:36,510
Now this is certainly something you have to grasp but it's actually not that complex.

61
00:04:36,510 --> 00:04:41,360
The database does not per say lock down the access the user has, the roles do

62
00:04:41,430 --> 00:04:47,520
but if you assign a role to a user, by default it is assigned to that user for the database the user was registered

63
00:04:47,520 --> 00:04:47,890
in

64
00:04:48,000 --> 00:04:54,570
but as I showed in this lecture, you can change that or extend that to other databases too if you explicitly

65
00:04:54,570 --> 00:04:57,360
specify the database a role should apply to.

66
00:04:57,600 --> 00:05:01,440
And this gives you as an administrator or as a user administrator

67
00:05:01,440 --> 00:05:04,140
a lot of power and a lot of flexibility of course.