Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-13647

root role does not contain sufficient privileges for a mongorestore of a system with security enabled

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Major - P3
    • Resolution: Fixed
    • 2.6.0, 3.0.4
    • 3.0.7, 3.1.8
    • Security, Tools
    • None
    • Fully Compatible
    • ALL
    • Security 7 08/10/15, Security 8 08/28/15

    Description

      The "root" role is lacking several privileges present in "restore" role, such as the ability to insert directly into the system.users, system.roles, and system.version collections. These privileges are necessary to be able to use mongorestore to restore a system with authorization enabled, however granting them to the "root" role is also potentially problematic as it would allow users with the "root" role to manipulate admin.system.users, bypassing the safety checks present in the user management commands.

      If you try to use the "root" role to do a mongorestore when the dump contains system.users, system.roles or system.version entries, you will get an error like the following:

      mongorestore -u admin -p <pass> --drop -h 127.0.0.1:27017 "/mongodb_data_bak/backup"
      connected to: 127.0.0.1:27017
      2014-04-17T20:44:54.647+0000 going into namespace [admin.system.version]
      Restoring to admin.system.version without dropping. Restored data will be inserted without raising errors; check your server log
      1 objects found
      2014-04-17T20:44:54.648+0000 Creating index: { key:

      { _id: 1 }

      , name: "id", ns: "admin.system.version" }
      Error creating index admin.system.version: 13 err: "not authorized to create index on admin.system.version"
      Aborted (core dumped)

      Attachments

        1. core.13738
          57.68 MB

        Issue Links

          Activity

            People

              merry.mou Merry Mou
              dharshanr@scalegrid.net Dharshan Rangegowda
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: