Using updateRole, it is possible to create a role that contains a reference to itself:
> db.runCommand(
{ updateRole: "king", roles: [ "king" ] })
Running this command gives the following error:
ERROR: Inconsistent role graph during authorization manager intialization. Only direct privileges available. Cycle in dependency graph: king@test -> king@test after applying oplog entry u
Querying for the role afterwards with rolesInfo yields the following result:
{"roles":[
{"role":"king",
"db":"test",
"roles":[
],
"indirectRoles":[],
"privileges":[],
"warnings":["Role graph state inconsistent; only direct privileges available."]}],
"ok":1}
afterwards, subsequent role-related commands (like createRole, dropRole) throw the same error that the updateRole command generated.
It seems that grantRolesToRole also allows for this:
> db.runCommand(
{ createRole: "princess", privileges: [], roles: [] });
> db.runCommand(
);
ERROR: Inconsistent role graph during authorization manager intialization. Only direct privileges available. Cycle in dependency graph: princess@testAuth -> princess@testAuth after applying oplog entry u
{"roles":[
{"role":"princess",
"db":"testAuth",
"roles":[
],
"indirectRoles":[],
"privileges":[],
"warnings":["Role graph state inconsistent; only direct privileges available."]}],
"ok":1}