User Authorization Model

New in version 2.5.

The MongoDB Connector for BI restricts which database administration, data definition, and data manipulation statements authenticated users can run. The following table maps a SQL statement and corresponding MySQL privilege to the required MongoDB privilege action:

FLUSH LOGS

  MySQL privilege: RELOAD

  MongoDB privilege: Only available to the BI Connector’s admin user specified by the --mongo-username option or the mongodb.net.auth.username setting.

FLUSH SAMPLE

  MySQL privilege: Not in MySQL

  MongoDB privilege: Depends on your sampling configuration:

  Standalone Reader:

    • find for all sampled namespaces
    • insert and update for all databases in the cluster

  Clustered Reader:

    The statement is not permitted in this mode.

  Clustered Writer:

KILL

  MySQL privilege:

    • PROCESS privilege to view all threads
    • SUPER privilege to kill all threads and statements
    • No privilege required to view and kill your own threads and statements

  MongoDB privilege:

    • killop to kill other users’ connections or queries
    • No privilege required to kill your own connection or query

ALTER TABLE

  MySQL privilege: ALTER, CREATE, and INSERT privileges for the table.

  Renaming a table requires ALTER and DROP on the old table, as well as ALTER, CREATE, and INSERT on the new table.

  MongoDB privilege: Depends on your sampling configuration:

  Standalone Reader:

    insert and update for all databases in the cluster.

  Clustered Reader:

    Not permitted in this mode.

  Clustered Writer:

    insert and update on the schema database specified by --sampleSource.

SET (Variables)

  MySQL privilege: SUPER privilege is required to set global variables.

  Setting a session variable generally does not require any privilege, although there are exceptions that require the SUPER privilege (such as sql_log_bin).

  MongoDB privilege: Either the BI Connector’s admin user, as specified by the --mongo-username option or the mongodb.net.auth.username setting, or any MongoDB user with the inprog privilege can set global variables.

  No privilege required to set session variables.

SHOW CHARACTER SET

  MySQL privilege: No privilege required.

  MongoDB privilege: No privilege required.

SHOW COLLATION

  MySQL privilege: No privilege required.

  MongoDB privilege: No privilege required.

SHOW COLUMNS

  MySQL privilege: Displays column information for each column where the user has some privilege. Column information is not displayed for columns where the user does not have some privilege.

  MongoDB privilege: find on the proper collections.

SHOW CREATE DATABASE

  MySQL privilege: No privilege required.

  MongoDB privilege: find on the proper database.

SHOW CREATE TABLE

  MySQL privilege: Some privilege for the table.

  MongoDB privilege: find on the proper database or collection.

SHOW {DATABASES | SCHEMAS}

  MySQL privilege: SHOW DATABASES privilege.

  MongoDB privilege: find on the proper database or collection.

SHOW {INDEX | INDEXES | KEYS}

  MySQL privilege: This statement requires some privilege for any column in the table.

  MongoDB privilege: find on the proper collection.

SHOW PROCESSLIST

  MySQL privilege: PROCESS privilege to view all processes.

  No privilege required to view your own processes.

  MongoDB privilege: inprog to view all processes.

  No privilege required to view your own processes.

SHOW STATUS

  MySQL privilege: No privilege required.

  MongoDB privilege: No privilege required.

SHOW TABLES

  MySQL privilege: Lists non-temporary tables in a given database where the user has some privilege.

  If you do not have any privilege for a base table or view, it does not show up in the output from SHOW TABLES.

  MongoDB privilege: listCollections on a database displays all tables from that database.

  find on a collection only shows the tables from that collection.

SHOW VARIABLES

  MySQL privilege: No privilege required.

  MongoDB privilege: No privilege required.
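
One way to review what a MongoDB role unlocks on the SQL side according to the table above, as an added example that is not part of the MongoDB documentation or the BI Connector's own code. The function names and the sample role are constructed for illustration. The matching assumes only { db, collection } and { cluster: true } resources, and that a database-wide find covers every collection in that database.

```javascript
// Added example: evaluate a role's privileges against the table above.
// Privilege documents use MongoDB's role format: { resource, actions }.

// True if a db/collection resource pattern applies to the namespace.
// In MongoDB resource documents an empty string acts as a wildcard.
function matches(resource, db, coll) {
  if (resource.cluster) return false; // cluster-level, not a namespace
  return (resource.db === "" || resource.db === db) &&
         (resource.collection === "" || resource.collection === coll);
}

// True if any privilege grants `action` on the cluster resource.
function hasClusterAction(privileges, action) {
  return privileges.some(p =>
    p.resource.cluster === true && p.actions.includes(action));
}

// Collections in `db` whose tables SHOW TABLES would list for this role.
function visibleCollections(privileges, db, collections) {
  // listCollections on the database: every table in it is displayed.
  const dbWideList = privileges.some(p =>
    p.actions.includes("listCollections") && !p.resource.cluster &&
    (p.resource.db === "" || p.resource.db === db) &&
    p.resource.collection === "");
  if (dbWideList) return [...collections];
  // Otherwise only collections the role can run find on.
  return collections.filter(c => privileges.some(p =>
    p.actions.includes("find") && matches(p.resource, db, c)));
}

function auditRole(privileges, db, collections) {
  const inprog = hasClusterAction(privileges, "inprog");
  return {
    showTables: visibleCollections(privileges, db, collections),
    showProcesslistAll: inprog,  // SHOW PROCESSLIST for all users
    setGlobalVariables: inprog,  // per the table, inprog also permits SET GLOBAL
    killOthers: hasClusterAction(privileges, "killop"),
  };
}

// Constructed sample: a reporting role granted inprog for SHOW PROCESSLIST.
const sampleRole = [
  { resource: { db: "sales", collection: "orders" }, actions: ["find"] },
  { resource: { cluster: true }, actions: ["inprog"] },
];
console.log(auditRole(sampleRole, "sales", ["orders", "customers", "payroll"]));
```

The sample shows the side effect worth checking during a privilege review: a role given inprog so its users can see all processes can also set global variables.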