Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-13647

root role does not contain sufficient privileges for a mongorestore of a system with security enabled

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: 2.6.0, 3.0.4
    • Fix Version/s: 3.0.7, 3.1.8
    • Component/s: Security, Tools
    • Labels:
      None
    • Backwards Compatibility:
      Fully Compatible
    • Operating System:
      ALL
    • Backport Completed:
    • Sprint:
      Security 7 08/10/15, Security 8 08/28/15

      Description

      The "root" role is lacking several privileges present in "restore" role, such as the ability to insert directly into the system.users, system.roles, and system.version collections. These privileges are necessary to be able to use mongorestore to restore a system with authorization enabled, however granting them to the "root" role is also potentially problematic as it would allow users with the "root" role to manipulate admin.system.users, bypassing the safety checks present in the user management commands.

      If you try to use the "root" role to do a mongorestore when the dump contains system.users, system.roles or system.version entries, you will get an error like the following:

      mongorestore -u admin -p <pass> --drop -h 127.0.0.1:27017 "/mongodb_data_bak/backup"
      connected to: 127.0.0.1:27017
      2014-04-17T20:44:54.647+0000 going into namespace [admin.system.version]
      Restoring to admin.system.version without dropping. Restored data will be inserted without raising errors; check your server log
      1 objects found
      2014-04-17T20:44:54.648+0000 Creating index: { key:

      { _id: 1 }

      , name: "id", ns: "admin.system.version" }
      Error creating index admin.system.version: 13 err: "not authorized to create index on admin.system.version"
      Aborted (core dumped)

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                6 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: