Core Server / SERVER-12276

Don't allow non-admin users to have privileges outside of their db


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Works as Designed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Security
    • Operating System:
      ALL

      Description

      Noticed the following inconsistency while testing 2.6 user-defined roles.

      When logged in as a user with userAdminAnyDatabase, it's not possible to create a role in a non-admin database that has privileges outside of that database (good). However, it is possible to create a user in a non-admin database that has privileges outside of that database (see below). This struck me as a little inconsistent. Is there a reason for this? Should it be fixed?

      > use admin
      switched to db admin
      > db.auth("jon","password")
      1
      >
      > use foo
      switched to db foo
      >
      >
      > db.createRole({role:"readinany", privileges:[{resource:{db:"", collection:""}, actions:["find"]}], roles:[]})
      2013-12-03T17:56:48.579+0000 Error: Roles on the 'foo' database cannot be granted privileges that target other databases or the cluster at src/mongo/shell/db.js:1294
      >
      >
      > db.createUser({user:"bob",pwd:"password",roles:[{role:"readWrite", db:"bar"}]})
      Successfully added user: {
              "user" : "bob",
              "roles" : [
                      {
                              "role" : "readWrite",
                              "db" : "bar"
                      }
              ]
      }
      >
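Because the server accepts the second form (a user defined in one database holding roles on another), the practical defensive step is to audit for such grants rather than rely on the server to reject them. The following is an added example, not code from the ticket or from MongoDB: it walks user documents in the shape `db.getUsers()` returns (in the mongo shell these would be collected with `db.getSiblingDB(name).getUsers()` for each database) and reports every user defined outside `admin` whose role targets a different database. The sample documents are constructed here to mirror the session above: "bob" is defined in `foo` but holds `readWrite` on `bar`.

```javascript
// Added example (not from the ticket): audit MongoDB user documents for roles
// granted on a database other than the one the user is defined in. The session
// above shows the server allows this for users in non-admin databases even
// though it rejects the equivalent privilege on a role, so it must be checked
// by hand. Input shape matches db.getUsers(): { user, db, roles: [{ role, db }] }.

// Constructed sample data (hypothetical, mirrors the ticket's session):
// "jon" in admin legitimately holds a cross-database role,
// "alice" is an ordinary foo-scoped user,
// "bob" is defined in foo but holds readWrite on bar.
const sampleUsersByDb = {
  admin: [
    { _id: "admin.jon", user: "jon", db: "admin",
      roles: [{ role: "userAdminAnyDatabase", db: "admin" }] },
  ],
  foo: [
    { _id: "foo.alice", user: "alice", db: "foo",
      roles: [{ role: "read", db: "foo" }] },
    { _id: "foo.bob", user: "bob", db: "foo",
      roles: [{ role: "readWrite", db: "bar" }] },
  ],
};

// Return one finding per (user, role) pair where the role's db differs from the
// database the user is defined in. Users defined in "admin" are skipped because
// admin is the database where cross-database grants are expected to live.
function findCrossDbGrants(usersByDb) {
  const findings = [];
  for (const [dbName, users] of Object.entries(usersByDb)) {
    if (dbName === "admin") continue;
    for (const u of users) {
      for (const r of u.roles || []) {
        if (r.db !== dbName) {
          findings.push({ user: `${dbName}.${u.user}`, role: r.role, roleDb: r.db });
        }
      }
    }
  }
  return findings;
}

// Render findings one per line for a report; an empty list yields no lines.
function formatFindings(findings) {
  return findings.map(
    (f) => `${f.user} holds ${f.role} on ${f.roleDb} (user is defined outside ${f.roleDb})`
  );
}

// Stand-alone run: prints the single finding for foo.bob.
for (const line of formatFindings(findCrossDbGrants(sampleUsersByDb))) {
  console.log(line);
}
```

Any finding is a user whose effective access reaches beyond the database an administrator of that database would expect to govern; whether each one is intended is a policy decision, but the list is what a reviewer of the deployment's user catalogue wants to see.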

            People

            • Votes: 0
            • Watchers: 4