auth errors for mapReduce and group commands with user-defined roles


    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • 2.5.4
    • Affects Version/s: None
    • Component/s: Security
    • ALL
      > db.x.insert({groupby: 1, n: 5})
      > db.x.insert({groupby: 1, n: 6})
      > db.runCommand({
      ... createRole: "testRole",
      ... privileges: [ {resource: {db: "test", collection: "x"}, actions: ["find"] } ],
      ... roles: [ ]
      ... })
      { "ok" : 1 }
      > db.runCommand({
      ... createUser: "testUser",
      ... pwd: "password",
      ... roles: ["testRole"]
      ... })
      { "ok" : 1 }
      > db.auth("testUser", "password")
      1
      > db.runCommand({
      ... mapreduce: "x",
      ... map: function () { emit(this.groupby, this.n) },
      ... reduce: function (id,emits) { return Array.sum(emits); },
      ... out: {inline: 1}
      ... })
      {
      	"errmsg" : "exception: nextSafe(): { $err: \"not authorized for query on test.system.js\", code: 13 }",
      	"code" : 13106,
      	"ok" : 0
      }
      

      Expected

      A user privileged to perform the "find" action on a collection should be able to run the "group" command on that collection. Similarly, a user with "find" on a collection should be able to run mapReduce on that collection, so long as inline output is specified.

      Actual

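      The command is rejected as unauthorized and returns an error such as the following. The denied namespace in the error is the database's system.js collection, not the collection on which the role grants "find":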

      {
      	"errmsg" : "exception: nextSafe(): { $err: \"not authorized for query on roles_commands_1.system.js\", code: 13 }",
      	"code" : 13106,
      	"ok" : 0
      }
      

            Assignee:
            Spencer Brody (Inactive)
            Reporter:
            David Storch