MongoDB and its evil Map Reduce twin

As discussed in earlier posts, MongoDB is my current back-end database, so experimenting with its capabilities seems trivial.

The permission hazards of old tools and new were already solved here.

Following a request from one of my colleagues to use the map-reduce mechanism that MongoDB provides, another issue with the permissions has been revealed.


We have a collection on which we have read permission, and we would like to write the output of the map-reduce operation to another collection on which we have write permission.

So far it seems trivial, but the plot thickens: when testing with the above permissions, we get an error with return code 13, operation is not authorized.

Please note that the permissions related to Map-Reduce and server-side scripts are not mentioned in the MongoDB documentation.

The undocumented, non-existent solution:

The permission required to use map-reduce is write permission on both the source collection and the target collection of the Map-Reduce operation.

This makes it impossible to use map-reduce unless you are willing to bend the permission scheme, and as is well known, once you bend it once, all hell might and will break loose someday.

Do not use the map-reduce functionality; use the aggregation framework instead. Beyond that, it is recommended not to enable server-side JavaScript, due to its vulnerability, as mentioned in the production security notes.
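The recommendation above, sketched as an added example that is not code from the original post: a role that keeps the source collection read-only, an aggregation pipeline that stands in for a count-per-key map-reduce, and an audit helper that reports write actions a role holds on the source. The database, collection, role and field names are hypothetical, and the privilege set shown for `$out` is an assumption to check against the documentation for your server version.

```javascript
// Added example, not from the original post. Database, collection, role and
// field names are hypothetical. The privilege set used for $out (find on the
// source, insert + remove on the target) is an assumption to verify.
const WRITE_ACTIONS = ["insert", "update", "remove"];

// createRole command: read-only on the source, write only on the target.
function leastPrivilegeRole(dbName, source, target) {
  return {
    createRole: "aggToTarget",
    privileges: [
      { resource: { db: dbName, collection: source }, actions: ["find"] },
      { resource: { db: dbName, collection: target }, actions: ["insert", "remove"] },
    ],
    roles: [],
  };
}

// Aggregation equivalent of a "count per key" map-reduce, written to `target`.
function countByFieldPipeline(field, target) {
  return [{ $group: { _id: "$" + field, value: { $sum: 1 } } }, { $out: target }];
}

// True when a privilege resource document covers dbName.collection.
// An empty string in `db` or `collection` acts as a wildcard for that part.
function covers(resource, dbName, collection) {
  if (resource.anyResource) return true;
  if (typeof resource.db !== "string" || typeof resource.collection !== "string") {
    return false; // e.g. { cluster: true } never covers a collection
  }
  return (resource.db === "" || resource.db === dbName) &&
         (resource.collection === "" || resource.collection === collection);
}

// Audit: which write actions does a privilege list grant on the source?
// A non-empty result is the "bent" permission scheme described above.
function writeActionsOnSource(privileges, dbName, source) {
  const found = new Set();
  for (const p of privileges) {
    if (!covers(p.resource, dbName, source)) continue;
    for (const a of p.actions) if (WRITE_ACTIONS.includes(a)) found.add(a);
  }
  return [...found].sort();
}

// In the mongo shell, connected as a user allowed to create roles:
//   db.runCommand(leastPrivilegeRole("app", "events", "events_by_type"));
//   db.events.aggregate(countByFieldPipeline("type", "events_by_type"));
```

The `privileges` array of a role returned by `rolesInfo` with `showPrivileges: true` can be passed to `writeActionsOnSource` to check existing roles.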

I hope this short manual helped you; if not, let me know in the comments section.

©2017 by Dror Asaf.