  1. Core Server
  2. SERVER-11310

auth errors for mapReduce and group commands with user-defined roles


Details

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • 2.5.4
    • None
    • Security
    • ALL

      > db.x.insert({groupby: 1, n: 5})
      > db.x.insert({groupby: 1, n: 6})
      > db.runCommand({
      ... createRole: "testRole",
      ... privileges: [ {resource: {db: "test", collection: "x"}, actions: ["find"] } ],
      ... roles: [ ]
      ... })
      { "ok" : 1 }
      > db.runCommand({
      ... createUser: "testUser",
      ... pwd: "password",
      ... roles: ["testRole"]
      ... })
      { "ok" : 1 }
      > db.auth("testUser", "password")
      1
      > db.runCommand({
      ... mapreduce: "x",
      ... map: function () { emit(this.groupby, this.n) },
      ... reduce: function (id,emits) { return Array.sum(emits); },
      ... out: {inline: 1}
      ... })
      {
      	"errmsg" : "exception: nextSafe(): { $err: \"not authorized for query on test.system.js\", code: 13 }",
      	"code" : 13106,
      	"ok" : 0
      }


    Description

      Expected

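      A user privileged to perform the "find" action on a collection should be able to run the "group" command on that collection. Similarly, a user with "find" on a collection should be able to run mapReduce on that collection, so long as inline output is specified: with inline output the results are returned to the client and no output collection is written, so read access to the source collection should be sufficient.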

      Actual

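      The user is unauthorized, with the command returning an error such as the following (this sample comes from a database named roles_commands_1; the steps to reproduce produce the same error for test.system.js). Note that the namespace in the error is system.js rather than the collection the command was run against, so the denial appears to come from a query on system.js made while the command executes, which a role holding only "find" on the target collection does not cover: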

      {
      	"errmsg" : "exception: nextSafe(): { $err: \"not authorized for query on roles_commands_1.system.js\", code: 13 }",
      	"code" : 13106,
      	"ok" : 0
      }


          People

            spencer@mongodb.com Spencer Brody (Inactive)
            david.storch@mongodb.com David Storch