Noticed the following inconsistency while testing 2.6 user-defined roles.
When logged in as a user with userAdminAnyDatabase, it's not possible to create a role in a non-admin database that has privileges outside of that database (good). However, it is possible to create a user in a non-admin database that has privileges outside of that database (see below). This struck me as a little inconsistent. Is there a reason for this? Should it be fixed?
> use admin
switched to db admin
> db.auth("jon","password")
1
>
> use foo
switched to db foo
>
> db.createRole({role:"readinany", privileges:[{resource:{db:"", collection:""}, actions:["find"]}], roles:[]})
2013-12-03T17:56:48.579+0000 Error: Roles on the 'foo' database cannot be granted privileges that target other databases or the cluster at src/mongo/shell/db.js:1294
>
> db.createUser({user:"bob",pwd:"password",roles:[{role:"readWrite", db:"bar"}]})
Successfully added user: {
	"user" : "bob",
	"roles" : [
		{
			"role" : "readWrite",
			"db" : "bar"
		}
	]
}
>
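Whatever the server ends up enforcing, an administrator can detect the situation the report describes (a user defined in one database holding roles that target another) by auditing the user documents themselves. The script below is an added example written for this ticket, not code from the ticket or from MongoDB; it takes documents in the shape `db.getUsers()` returns (`user`, `db`, `roles: [{role, db}]`) and flags non-admin users whose roles point at a different database. The sample user documents are constructed to mirror the session above; the function names `crossDatabaseRoles` and `auditUsers` are the example's own.

```javascript
// Added example (not part of the ticket): audit user documents for roles that
// reach outside the database the user is defined in. Written in ES5 style so
// it runs both under Node and in the legacy mongo shell.

// Roles on a user document whose target db differs from the user's home db.
function crossDatabaseRoles(userDoc) {
  var home = userDoc.db;
  return (userDoc.roles || []).filter(function (r) {
    return r.db !== home;
  });
}

// Users defined in "admin" are expected to hold cross-database roles
// (that is what the *AnyDatabase roles are for), so they are skipped.
// Returns one finding per non-admin user that holds a foreign role.
function auditUsers(userDocs) {
  var findings = [];
  userDocs.forEach(function (u) {
    if (u.db === "admin") return;
    var foreign = crossDatabaseRoles(u);
    if (foreign.length > 0) {
      findings.push({
        user: u.user + "@" + u.db,
        foreignRoles: foreign.map(function (r) {
          return r.role + "@" + r.db;
        })
      });
    }
  });
  return findings;
}

// Constructed sample in the shape db.getUsers() returns. "bob" matches the
// ticket's scenario: defined in foo, but granted readWrite on bar.
var SAMPLE_USERS = [
  { _id: "admin.jon", user: "jon", db: "admin",
    roles: [{ role: "userAdminAnyDatabase", db: "admin" }] },
  { _id: "foo.bob", user: "bob", db: "foo",
    roles: [{ role: "readWrite", db: "bar" }] },
  { _id: "foo.alice", user: "alice", db: "foo",
    roles: [{ role: "read", db: "foo" }] }
];

// Stand-alone run over the constructed sample; against a live deployment
// pass db.getSiblingDB("foo").getUsers() instead.
var findings = auditUsers(SAMPLE_USERS);
console.log(JSON.stringify(findings, null, 2));
```

Running this against the sample reports only `bob@foo` with `readWrite@bar`; `alice@foo` is clean and `jon@admin` is skipped. In the shell, loop over `db.getMongo().getDBNames()` and feed each database's `getUsers()` output into `auditUsers` to cover every database at once.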