Don't allow non-admin users to have privileges outside of their db

XMLWordPrintableJSON

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • None
    • Affects Version/s: None
    • Component/s: Security
    • ALL
    • None
    • 3
    • None
    • None
    • None
    • None
    • None
    • None

      Noticed the following inconsistency while testing 2.6 user-defined roles.

      When logged in as a user with userAdminAnyDatabase, it's not possible to create a role in a non-admin database that has privileges outside of that database (good). However, it is possible to create a user in a non-admin database that has privileges outside of that database (see below). This struck me as a little inconsistent. Is there a reason for this? Should it be fixed?

      > use admin
      switched to db admin
      > db.auth("jon","password")
      1
      >
      > use foo
      switched to db foo
      >
      >
      > db.createRole({role:"readinany", privileges:[{resource:{db:"", collection:""}, actions:["find"]}], roles:[]})
      2013-12-03T17:56:48.579+0000 Error: Roles on the 'foo' database cannot be granted privileges that target other databases
       or the cluster at src/mongo/shell/db.js:1294
      >
      >
      > db.createUser({user:"bob",pwd:"password",roles:[{role:"readWrite", db:"bar"}]})
      Successfully added user: {
              "user" : "bob",
              "roles" : [
                      {
                              "role" : "readWrite",
                              "db" : "bar"
                      }
              ]
      }
      >
      

            Assignee:
            Unassigned
            Reporter:
            Jon Rangel (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: