Core Server: SERVER-13804

The built-in role "restore" doesn't have insert privileges on the system.roles collection

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • Fix Version/s: 2.6.2, 2.7.1
    • Affects Version/s: 2.6.0, 2.6.1
    • Component/s: Security
    • Labels: None
    • Backwards Compatibility: Fully Compatible
    • Operating System: ALL

      Issue Status as of May 16, 2014

      ISSUE SUMMARY
      The built-in role restore, added for 2.6, provides privileges to run mongorestore to restore data to a MongoDB instance running with authentication, but this role does not contain the privilege to update the system.roles collection (via insert).

      USER IMPACT
      mongorestore fails when run using a user with restore role if the dump being restored contains admin.system.roles entries (i.e. user-defined roles), resulting in a partial import only.

      WORKAROUNDS
      Create a new role with the right permissions, and then create a new user that has this new role (replace USER, PASSWORD with appropriate credentials):

      use admin;
      db.createRole({role:"fullrestore",
        privileges:[{resource:{db:"admin",collection:"system.roles"},
        actions:["insert","collMod","createCollection","createIndex","dropCollection","find","remove","update"]}],
        roles:["restore"]})
      
      db.createUser({user:"USER",pwd:"PASSWORD",roles:["fullrestore"]})
      

      Use this new user with mongorestore.
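      As an added check (not code from the ticket, nor from MongoDB or mongorestore), the following JavaScript takes the document returned by db.getRole(name, { showPrivileges: true }) and reports which of the actions the workaround grants on admin.system.roles a role still lacks, so an operator can confirm a restore user before starting a restore instead of discovering a partial import afterwards. The two role documents are constructed samples, not the real 2.6 privilege lists, and the function names are my own. It runs under node as written; the functions can also be pasted into the mongo shell and fed a real db.getRole() result.

```javascript
// Added example; not code from the ticket or from MongoDB itself.
// Input shape: the document returned by db.getRole(name, { showPrivileges: true }),
// whose "inheritedPrivileges" array lists { resource, actions } pairs.

// The actions the workaround's "fullrestore" role grants on admin.system.roles.
var REQUIRED_ACTIONS = ["insert", "collMod", "createCollection", "createIndex",
                        "dropCollection", "find", "remove", "update"];

// Does a privilege resource cover the namespace db.collection?
// Follows MongoDB's resource semantics: an empty db or collection string means
// "any", but an empty collection string covers only non-system collections,
// which is exactly why a role built on { db: "", collection: "" } does not
// reach admin.system.roles. anyResource matches everything; cluster matches
// no namespace at all.
function resourceCovers(resource, db, collection) {
  if (resource.anyResource === true) return true;
  if (resource.cluster === true) return false;
  if (typeof resource.db !== "string" || typeof resource.collection !== "string") return false;
  var dbOk = resource.db === "" || resource.db === db;
  var collOk;
  if (resource.collection === "") {
    collOk = collection.indexOf("system.") !== 0;
  } else {
    collOk = resource.collection === collection;
  }
  return dbOk && collOk;
}

// Actions (as object keys) that a role grants on db.collection, directly or by inheritance.
function grantedActions(roleDoc, db, collection) {
  var privs = roleDoc.inheritedPrivileges || roleDoc.privileges || [];
  var granted = {};
  for (var i = 0; i < privs.length; i++) {
    if (!resourceCovers(privs[i].resource, db, collection)) continue;
    var actions = privs[i].actions || [];
    for (var j = 0; j < actions.length; j++) granted[actions[j]] = true;
  }
  return granted;
}

// Required actions the role does not grant on admin.system.roles ([] means the role is sufficient).
function missingRestoreActions(roleDoc) {
  var granted = grantedActions(roleDoc, "admin", "system.roles");
  var missing = [];
  for (var i = 0; i < REQUIRED_ACTIONS.length; i++) {
    if (!granted[REQUIRED_ACTIONS[i]]) missing.push(REQUIRED_ACTIONS[i]);
  }
  return missing;
}

// Constructed sample (illustrative, not the real 2.6.0 role): a role whose
// write privileges come only from the "all non-system collections" resource,
// plus read access to system.roles.
var constructedBrokenRole = {
  role: "restore", db: "admin",
  inheritedPrivileges: [
    { resource: { db: "", collection: "" },
      actions: ["insert", "update", "remove", "createIndex", "createCollection", "collMod", "dropCollection"] },
    { resource: { db: "admin", collection: "system.roles" }, actions: ["find"] }
  ]
};

// Constructed sample: the workaround's "fullrestore" role, which names
// admin.system.roles explicitly and therefore reaches the system collection.
var constructedFullRestoreRole = {
  role: "fullrestore", db: "admin",
  inheritedPrivileges: [
    { resource: { db: "", collection: "" },
      actions: ["insert", "update", "remove", "createIndex", "createCollection", "collMod", "dropCollection"] },
    { resource: { db: "admin", collection: "system.roles" }, actions: REQUIRED_ACTIONS }
  ]
};

console.log("broken role missing on admin.system.roles:", missingRestoreActions(constructedBrokenRole));
console.log("fullrestore missing on admin.system.roles:", missingRestoreActions(constructedFullRestoreRole));
```

      The point the check makes explicit is that an empty collection name in a resource document never covers system.* collections, so a role that looks like it can write "everywhere" can still be refused on admin.system.roles; naming the collection, as the workaround does, is what closes the gap.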

      AFFECTED VERSIONS
      MongoDB production versions 2.6.0 and 2.6.1 are affected by this issue.

      FIX VERSION
      The fix is included in the 2.6.2 production release.

      RESOLUTION DETAILS
      The built-in role restore now has the appropriate privileges, so a user with this role can run mongorestore to restore data including user-defined roles to a MongoDB instance.

      Original description:

      mongorestore will fail if we run it using a user with the restore role.

      > show users
      ......
      {
      	"_id" : "admin.restore",
      	"user" : "restore",
      	"db" : "admin",
      	"roles" : [
      		{
      			"role" : "restore",
      			"db" : "admin"
      		}
      	]
      }
      
      bash-3.2$ mongorestore --port 33333 -u restore -p restore -d test --authenticationDatabase admin --restoreDbUsersAndRoles dump/test/
      connected to: 127.0.0.1:33333
      2014-05-01T14:32:14.520+1000 Restoring users for the test database to admin.system.users
      2014-05-01T14:32:14.520+1000 	going into namespace [admin.system.users]
      Restoring to admin.system.users without dropping. Restored data will be inserted without raising errors; check your server log
      file dump/test/$admin.system.users.bson empty, skipping
      2014-05-01T14:32:14.530+1000 	Creating index: { key: { _id: 1 }, name: "_id_", ns: "admin.system.users" }
      2014-05-01T14:32:14.530+1000 	Creating index: { unique: true, key: { user: 1, db: 1 }, name: "user_1_db_1", ns: "admin.system.users" }
      2014-05-01T14:32:14.530+1000 Restoring roles for the test database to admin.system.roles
      2014-05-01T14:32:14.530+1000 	going into namespace [admin.system.roles]
      Restoring to admin.system.roles without dropping. Restored data will be inserted without raising errors; check your server log
      file dump/test/$admin.system.roles.bson empty, skipping
      2014-05-01T14:32:14.534+1000 	Creating index: { key: { _id: 1 }, name: "_id_", ns: "admin.system.roles" }
      Error creating index admin.system.roles: 13 err: "not authorized to create index on admin.system.roles"
      Abort trap: 6
      

      === TODOs for this ticket ===

      • Add required permissions to the restore role
      • Complement jstests/tool/dumprestore_auth2.js to test mongorestore properly with user with role "restore"

            Assignee:
            amalia.hawkins@10gen.com Amalia Hawkins
            Reporter:
            linda.qin@mongodb.com Linda Qin
            Votes:
            0
            Watchers:
            7
