Description
The root role does not include access to system.* collections. This is only documented indirectly and implicitly with a combination of http://docs.mongodb.org/manual/reference/resource-document/#specify-a-database-as-resource and http://docs.mongodb.org/manual/reference/built-in-roles/#root. Meanwhile, the http://docs.mongodb.org/manual/tutorial/add-admin-user/ tutorial does not mention any of this, and strongly implies that the root role has unrestricted access to the system. Users are thus likely to be surprised when they are unable to do certain operations on the system.* collections after authenticating as root.
Suggest:
- updating the language in http://docs.mongodb.org/manual/tutorial/add-admin-user/ to properly explain what the root role can and cannot actually do
- making the proviso in http://docs.mongodb.org/manual/reference/built-in-roles/ regarding non-system collections much more prominent
- clarifying in http://docs.mongodb.org/manual/reference/built-in-roles/#root that the root role can only do a limited set of operations with the system.* collections, making it unsuitable for a range of tasks with those collections (e.g. running the validate command on system collections), not just restoring mongodumps that have users/roles defined.
Issue Links
- is related to SERVER-15893 root role should be able to run validate on system collections (Closed)
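The database-as-resource rule the description points to can be checked mechanically when auditing role definitions. The following is an added example, not code from the ticket or from MongoDB: a simplified model of resource-document matching in which the helper names and both privilege sets are constructed, and a "system collection" is assumed to be any collection whose name starts with `system.`.

```javascript
// Simplified model of MongoDB resource-document matching (added example).
// Assumption: a system collection is any collection named "system.*".
const isSystem = (coll) => coll.startsWith("system.");

function resourceMatches(resource, db, coll) {
  if (resource.anyResource === true) return true;   // matches every resource
  if (resource.cluster === true) return false;      // cluster resource, not a namespace
  if (resource.db !== "" && resource.db !== db) return false;
  // An empty collection string means "all non-system collections";
  // system.* collections match only when they are named explicitly.
  if (resource.collection === "") return !isSystem(coll);
  return resource.collection === coll;
}

function isAuthorized(privileges, action, db, coll) {
  return privileges.some(
    (p) => p.actions.includes(action) && resourceMatches(p.resource, db, coll)
  );
}

// Constructed privilege sets (hypothetical, not the real contents of root).
const broadAdmin = [
  { resource: { db: "", collection: "" }, actions: ["find", "validate"] },
];
const withSystemValidate = broadAdmin.concat([
  { resource: { db: "admin", collection: "system.users" }, actions: ["validate"] },
]);

// Report which (action, namespace) pairs a privilege set covers.
function audit(privileges, checks) {
  return checks.map(([action, db, coll]) => ({
    ns: `${db}.${coll}`,
    action,
    allowed: isAuthorized(privileges, action, db, coll),
  }));
}

const checks = [
  ["validate", "app", "orders"],
  ["validate", "admin", "system.users"],
  ["find", "admin", "system.users"],
];
console.log(audit(broadAdmin, checks));
console.log(audit(withSystemValidate, checks));
```

A privilege on `{ db: "", collection: "" }` looks unrestricted but never reaches `admin.system.users`; only the explicitly named resource does, and only for the actions listed on it.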