Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-13647

root role does not contain sufficient privileges for a mongorestore of a system with security enabled

    • Type: Icon: Bug Bug
    • Resolution: Done
    • Priority: Icon: Major - P3 Major - P3
    • 3.0.7, 3.1.8
    • Affects Version/s: 2.6.0, 3.0.4
    • Component/s: Security, Tools
    • Labels:
    • Fully Compatible
    • ALL
    • Security 7 08/10/15, Security 8 08/28/15

      The "root" role is lacking several privileges present in "restore" role, such as the ability to insert directly into the system.users, system.roles, and system.version collections. These privileges are necessary to be able to use mongorestore to restore a system with authorization enabled, however granting them to the "root" role is also potentially problematic as it would allow users with the "root" role to manipulate admin.system.users, bypassing the safety checks present in the user management commands.

      If you try to use the "root" role to do a mongorestore when the dump contains system.users, system.roles or system.version entries, you will get an error like the following:

      mongorestore -u admin -p <pass> --drop -h "/mongodb_data_bak/backup"
      connected to:
      2014-04-17T20:44:54.647+0000 going into namespace [admin.system.version]
      Restoring to admin.system.version without dropping. Restored data will be inserted without raising errors; check your server log
      1 objects found
      2014-04-17T20:44:54.648+0000 Creating index: { key:

      { _id: 1 }

      , name: "id", ns: "admin.system.version" }
      Error creating index admin.system.version: 13 err: "not authorized to create index on admin.system.version"
      Aborted (core dumped)

        1. core.13738
          57.68 MB

            merry.mou Merry Mou
            dharshanr@scalegrid.net Dharshan Rangegowda
            0 Vote for this issue
            6 Start watching this issue