Documentation / DOCS-4269

Clarify that the root role does not have access to system.* collections

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: v1.3.13
    • Component/s: manual
    • Labels: None
    • # Replies: 2
    • Last comment by Customer: false
    • Actual Time: 4

      Description

      The root role does not include access to system.* collections. This is only documented indirectly and implicitly with a combination of http://docs.mongodb.org/manual/reference/resource-document/#specify-a-database-as-resource and http://docs.mongodb.org/manual/reference/built-in-roles/#root. Meanwhile, the http://docs.mongodb.org/manual/tutorial/add-admin-user/ tutorial does not mention any of this, and strongly implies that the root role has unrestricted access to the system. Users are thus likely to be surprised when they are unable to do certain operations on the system.* collections after authenticating as root.

      Suggest:

      1. updating the language in http://docs.mongodb.org/manual/tutorial/add-admin-user/ to properly explain what the root role can and cannot actually do
      2. making the proviso in http://docs.mongodb.org/manual/reference/built-in-roles/ regarding non-system collections much more prominent
      3. clarifying in http://docs.mongodb.org/manual/reference/built-in-roles/#root that the root role can only do a limited set of operations with the system.* collections, making it unsuitable for a range of tasks with those collections (e.g. running the validate command on system collections), not just restoring mongodumps that have users/roles defined.
