Noticed the following inconsistency while testing 2.6 user-defined roles.
When logged in as a user with userAdminAnyDatabase, it's not possible to create a role in a non-admin database that has privileges outside of that database (good). However, it is possible to create a user in a non-admin database that has privileges outside of that database (see below). This struck me as a little inconsistent. Is there a reason for this? Should it be fixed?
> use admin
switched to db admin
> db.auth("jon","password")
1
>
> use foo
switched to db foo
>
>
> db.createRole({role:"readinany", privileges:[{resource:{db:"", collection:""}, actions:["find"]}], roles:[]})
2013-12-03T17:56:48.579+0000 Error: Roles on the 'foo' database cannot be granted privileges that target other databases
or the cluster at src/mongo/shell/db.js:1294
>
>
> db.createUser({user:"bob",pwd:"password",roles:[{role:"readWrite", db:"bar"}]})
Successfully added user: {
"user" : "bob",
"roles" : [
{
"role" : "readWrite",
"db" : "bar"
}
]
}
>
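The rule the shell enforced for `createRole` above ("roles on the 'foo' database cannot be granted privileges that target other databases or the cluster") can be applied to user documents as an audit check, which is the gap the report points at. The following is an added example, not code from the reporter or from MongoDB: it runs offline against constructed user documents whose shape mirrors what `db.getUsers()` returns, re-implements the `createRole` restriction as `checkRoleDefinition`, and applies the same "home database only" idea to users in `findCrossDbUserGrants`. The resource-matching logic (`db: ""` meaning any database, `cluster: true` meaning the cluster) follows the documented privilege resource format; everything else (function names, the sample users) is assumed for illustration.

```javascript
// Added example (not part of the original ticket). Audits user and role
// documents for grants that reach outside their home (non-admin) database.

// Constructed sample data shaped like db.getUsers() output: "bob" is the case
// from the ticket (defined in "foo", granted readWrite on "bar").
const SAMPLE_USERS = [
  { _id: "foo.bob",   user: "bob",   db: "foo",
    roles: [{ role: "readWrite", db: "bar" }] },
  { _id: "foo.alice", user: "alice", db: "foo",
    roles: [{ role: "read", db: "foo" }] },
  { _id: "admin.jon", user: "jon",   db: "admin",
    roles: [{ role: "userAdminAnyDatabase", db: "admin" }] },
];

// Does a single privilege's resource reach beyond `homeDb`?
// { db: "", collection: "" } matches every database; { cluster: true } is the
// cluster resource. Both are what the shell rejects for non-admin roles.
function privilegeTargetsOtherDb(homeDb, privilege) {
  const r = privilege.resource || {};
  if (r.cluster === true) return true;
  if (r.anyResource === true) return true;
  if (r.db === "") return true;
  return r.db !== homeDb;
}

// Mirror of the createRole restriction from the ticket: for a role defined in
// a non-admin database, return the privileges that target other databases or
// the cluster (empty array means the definition would be accepted).
function checkRoleDefinition(homeDb, roleDoc) {
  if (homeDb === "admin") return [];          // admin roles may target anything
  const offending = [];
  for (const p of roleDoc.privileges || []) {
    if (privilegeTargetsOtherDb(homeDb, p)) {
      offending.push({ resource: p.resource, actions: p.actions });
    }
  }
  return offending;
}

// The same rule applied to users: a user stored in a non-admin database whose
// roles live in a different database is reported. This is the audit the
// ticket shows the server does not perform at createUser time.
function findCrossDbUserGrants(users) {
  const findings = [];
  for (const u of users) {
    if (u.db === "admin") continue;           // admin users are out of scope
    for (const r of u.roles || []) {
      if (r.db !== u.db) {
        findings.push({ user: `${u.user}@${u.db}`, role: r.role, roleDb: r.db });
      }
    }
  }
  return findings;
}

// Stand-alone run: print the audit results for the constructed sample.
if (typeof require !== "undefined" && require.main === module) {
  console.log("cross-database user grants:", findCrossDbUserGrants(SAMPLE_USERS));
  console.log("readinany in foo would be rejected:",
    checkRoleDefinition("foo", {
      privileges: [{ resource: { db: "", collection: "" }, actions: ["find"] }],
    }));
}
```

Run it with `node` against a dump of `db.getUsers()` from each non-admin database to list users whose role grants cross database boundaries; the audit flags the role assignment, not the role definition, because that is the path `createRole` already blocks.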