Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-14701

The "backup" auth role should allow running the "collstats" command for all resources

    • Type: Icon: Bug Bug
    • Resolution: Done
    • Priority: Icon: Major - P3 Major - P3
    • 2.6.4, 2.7.5
    • Affects Version/s: None
    • Component/s: Security
    • None
    • Fully Compatible
    • ALL

      This is an extension of SERVER-13727. Unfortunately, that ticket did not specify that this privilege is necessary for all collections, including the system collections

      Here's what my user looks like:

      backup_test:PRIMARY> db.system.users.find({user:'mms-backup-agent'}).pretty()
      {
      	"_id" : "admin.mms-backup-agent",
      	"user" : "mms-backup-agent",
      	"db" : "admin",
      	"credentials" : {
      		"MONGODB-CR" : "6187ca3816a65edef454cc6de1e05fb7"
      	},
      	"roles" : [
      		{
      			"role" : "backup",
      			"db" : "admin"
      		}
      	]
      }
      

      and here's what happens when I try to perform collstats on system.users:

      backup_test:PRIMARY> db.auth('mms-backup-agent','10gen')
      1
      backup_test:PRIMARY>  db.runCommand({ collstats: "system.users" });
      {
      	"ok" : 0,
      	"errmsg" : "not authorized on admin to execute command { collstats: \"system.users\" }",
      	"code" : 13
      }
      backup_test:PRIMARY> 
      backup_test:PRIMARY> use food
      switched to db food
      backup_test:PRIMARY> db.runCommand({ collstats: "desert" });
      {
      	"ns" : "food.desert",
      	"count" : 1,
      	"size" : 48,
      	"avgObjSize" : 48,
      	"storageSize" : 8192,
      	"numExtents" : 1,
      	"nindexes" : 1,
      	"lastExtentSize" : 8192,
      	"paddingFactor" : 1,
      	"systemFlags" : 1,
      	"userFlags" : 1,
      	"totalIndexSize" : 8176,
      	"indexSizes" : {
      		"_id_" : 8176
      	},
      	"ok" : 1
      }
      

      Notice that I can perform collstats on a regular collection like food.desert.

      I think the problem is here. I'm guessing that system.users is not a "normal resource".

            Assignee:
            amalia.hawkins@10gen.com Amalia Hawkins
            Reporter:
            cailin.nelson@mongodb.com Cailin Nelson (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: