checkShardingIndex auth error for user-defined role with "find" privilege

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • 2.5.4
    • Affects Version/s: None
    • Component/s: Security
    • ALL
    • Hide
      > db.runCommand({
      ... createRole: "testRole",
      ... privileges: [ {resource: {db: "test", collection: "x"}, actions: ["find"] } ],
      ... roles: [ ]
      ... })
      { "ok" : 1 }
      > db.runCommand({
      ... createUser: "testUser",
      ... pwd: "password",
      ... roles: ["testRole"]
      ... })
      { "ok" : 1 }
      > db.auth("testUser", "password")
      1
      > db.runCommand({checkShardingIndex: "test.x", keyPattern: {_id: 1}})
      {
      	"ok" : 0,
      	"errmsg" : "not authorized on test to execute command { checkShardingIndex: \"test.x\", keyPattern: { _id: 1.0 } }",
      	"code" : 13
      }
      

      Expected: A user privileged to perform the "find" action on a collection should be able to run the checkShardingIndex command on that collection.

      Actual: An authorization error such as the one below is returned.

      {
      	"ok" : 0,
      	"errmsg" : "not authorized on roles_commands_1 to execute command { checkShardingIndex: \"test.x\", keyPattern: { _id: 1.0 } }",
      	"code" : 13
      }
      

            Assignee:
            Spencer Brody (Inactive)
            Reporter:
            David Storch