ISSUE SUMMARY
The built-in role restore, added for 2.6, provides privileges to run mongorestore to restore data to a MongoDB instance running with authentication, but this role does not contain the privilege to update the system.roles collection (via insert).
USER IMPACT
mongorestore fails when run as a user with the restore role if the dump being restored contains admin.system.roles entries (i.e. user-defined roles), resulting in a partial import only.
WORKAROUNDS
Create a new role with the right permissions, and then create a new user that has this new role (replace USER, PASSWORD with appropriate credentials):
use admin
// Role that inherits "restore" and adds the missing privileges on admin.system.roles
db.createRole({
  role: "fullrestore",
  privileges: [{
    resource: {db: "admin", collection: "system.roles"},
    actions: ["insert", "collMod", "createCollection", "createIndex", "dropCollection", "find", "remove", "update"]
  }],
  roles: ["restore"]
})
// User that holds only the new role
db.createUser({user: "USER", pwd: "PASSWORD", roles: ["fullrestore"]})
Use this new user with mongorestore.
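A pre-flight check for the privilege gap described above, added here as an example and not part of the original ticket or of MongoDB's own code: given a role document in the shape returned by db.getRole(name, {showPrivileges: true}), it lists which of the workaround's actions on admin.system.roles the role lacks. The function names and both sample role documents are constructed for illustration; the first sample is not the real 2.6.0 definition of "restore".

```javascript
// Actions the workaround role grants on admin.system.roles (taken from the ticket).
const REQUIRED_ACTIONS = ["insert", "collMod", "createCollection", "createIndex",
                          "dropCollection", "find", "remove", "update"];

// True if a privilege's resource document covers admin.system.roles.
// System collections are covered only when named explicitly or via anyResource,
// so {db: "", collection: ""} does NOT match.
function coversSystemRoles(resource) {
  if (resource.anyResource === true) return true;
  return resource.collection === "system.roles" &&
         (resource.db === "admin" || resource.db === "");
}

// roleDoc: shape of db.getRole(name, {showPrivileges: true}) output.
// Returns the required actions the role holds neither directly nor by inheritance.
function missingRestoreActions(roleDoc) {
  const granted = new Set();
  const all = (roleDoc.privileges || []).concat(roleDoc.inheritedPrivileges || []);
  for (const p of all) {
    if (p.resource && coversSystemRoles(p.resource)) {
      (p.actions || []).forEach((a) => granted.add(a));
    }
  }
  return REQUIRED_ACTIONS.filter((a) => !granted.has(a));
}

// Constructed sample: a role with no privilege on admin.system.roles.
const sampleWithoutRoles = {
  role: "restore-like", db: "admin",
  privileges: [{ resource: { db: "", collection: "" },
                 actions: ["insert", "createIndex", "createCollection"] }],
  inheritedPrivileges: [],
};

// Constructed sample: the workaround role "fullrestore" from the ticket.
const sampleFullRestore = {
  role: "fullrestore", db: "admin",
  privileges: [{ resource: { db: "admin", collection: "system.roles" },
                 actions: REQUIRED_ACTIONS.slice() }],
  inheritedPrivileges: [],
};

console.log("restore-like is missing:", missingRestoreActions(sampleWithoutRoles));
console.log("fullrestore is missing:", missingRestoreActions(sampleFullRestore));
```

An empty result means the role can perform every action the workaround grants on admin.system.roles; a non-empty one names the actions mongorestore would be denied.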
AFFECTED VERSIONS
MongoDB production versions 2.6.0 and 2.6.1 are affected by this issue.
FIX VERSION
The fix is included in the 2.6.2 production release.
RESOLUTION DETAILS
The built-in role restore now has the appropriate privileges, so a user with this role can run mongorestore to restore data including user-defined roles to a MongoDB instance.
Original description.
mongorestore will fail if we run it using a user with restore roles.
> show users
......
{ "_id" : "admin.restore", "user" : "restore", "db" : "admin", "roles" : [ { "role" : "restore", "db" : "admin" } ] }
bash-3.2$ mongorestore --port 33333 -u restore -p restore -d test --authenticationDatabase admin --restoreDbUsersAndRoles dump/test/
connected to: 127.0.0.1:33333
2014-05-01T14:32:14.520+1000 Restoring users for the test database to admin.system.users
2014-05-01T14:32:14.520+1000 going into namespace [admin.system.users]
Restoring to admin.system.users without dropping. Restored data will be inserted without raising errors; check your server log
file dump/test/$admin.system.users.bson empty, skipping
2014-05-01T14:32:14.530+1000 Creating index: { key: { _id: 1 }, name: "_id_", ns: "admin.system.users" }
2014-05-01T14:32:14.530+1000 Creating index: { unique: true, key: { user: 1, db: 1 }, name: "user_1_db_1", ns: "admin.system.users" }
2014-05-01T14:32:14.530+1000 Restoring roles for the test database to admin.system.roles
2014-05-01T14:32:14.530+1000 going into namespace [admin.system.roles]
Restoring to admin.system.roles without dropping. Restored data will be inserted without raising errors; check your server log
file dump/test/$admin.system.roles.bson empty, skipping
2014-05-01T14:32:14.534+1000 Creating index: { key: { _id: 1 }, name: "_id_", ns: "admin.system.roles" }
Error creating index admin.system.roles: 13 err: "not authorized to create index on admin.system.roles"
Abort trap: 6
=== TODOs for this ticket ===
- Add required permissions to the restore role
- Complement jstests/tool/dumprestore_auth2.js to test mongorestore properly with user with role "restore"
- is depended on by: SERVER-13869 Update jstests/tool/dumprestore_auth2.js to test mongorestore with user with role "restore" (Closed)
- is duplicated by: SERVER-13869 Update jstests/tool/dumprestore_auth2.js to test mongorestore with user with role "restore" (Closed)