Core Server: SERVER-15181

Granting a user "insert", but not "createCollection" does not prevent them from creating collections


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Works as Designed
    • Affects Version/s: 2.6.3
    • Fix Version/s: None
    • Component/s: Security
    • Labels: None
    • Operating System: ALL
    • Steps To Reproduce:

      > use test
      switched to db test
      > db.createRole({ role: "insertonly", privileges: [ {resource: {db: "test", collection: ""}, actions: [ "insert"]}], roles: []})
      {
              "role" : "insertonly",
              "privileges" : [
                      {
                              "resource" : {
                                      "db" : "test",
                                      "collection" : ""
                              },
                              "actions" : [
                                      "insert"
                              ]
                      }
              ],
              "roles" : [ ]
      }
      > db.createUser({"user": "foo", "pwd": "password", "roles": [ {role: "insertonly", db: "test"}]})
      Successfully added user: {
              "user" : "foo",
              "roles" : [
                      {
                              "role" : "insertonly",
                              "db" : "test"
                      }
              ]
      }

      victorhooi@oswin-rmbp ~> mongo -u foo -p password test
      MongoDB shell version: 2.6.3
      connecting to: test
      > use test
      switched to db test
      > db.thisisanewcollection.insert({name: "ernie", type: "cat"})
      WriteResult({ "nInserted" : 1 })
      > db.createCollection("secondnewcollection")
      { "ok" : 1 }

      > show collections
      secondnewcollection
      system.indexes
      thisisanewcollection


      Description

      I created a new user role that only had the "insert" privilege.

      > use test
      switched to db test
      > db.createRole({ role: "insertonly", privileges: [ {resource: {db: "test", collection: ""}, actions: [ "insert"]}], roles: []})
      {
              "role" : "insertonly",
              "privileges" : [
                      {
                              "resource" : {
                                      "db" : "test",
                                      "collection" : ""
                              },
                              "actions" : [
                                      "insert"
                              ]
                      }
              ],
              "roles" : [ ]
      }

      I then added a new user that only had this role:

      > db.createUser({"user": "foo", "pwd": "password", "roles": [ {role: "insertonly", db: "test"}]})
      Successfully added user: {
              "user" : "foo",
              "roles" : [
                      {
                              "role" : "insertonly",
                              "db" : "test"
                      }
              ]
      }

      I then list the collections in test:

      > show collections

      I then authenticate as this user in a new mongo shell. I am able to create a new collection implicitly, by adding to an empty collection:

      > use test
      switched to db test
      > db.thisisanewcollection.insert({name: "ernie", type: "cat"})
      WriteResult({ "nInserted" : 1 })

      I am also able to create a new collection explicitly, by calling db.createCollection():

      > db.createCollection("secondnewcollection")
      { "ok" : 1 }

      I can verify both of these collections are there by running show collections (as the admin user):

      > show collections
      secondnewcollection
      system.indexes
      thisisanewcollection

      So there are two issues here - a user possessing only the "insert" privilege is able to:

      1. Create collections implicitly by adding to a non-existent collection
      2. Create collections explicitly by calling db.createCollection().

      I believe 2. is definitely buggy behaviour.

      For 1., this may or may not be against intentions (based on the comment at https://github.com/mongodb/mongo/blob/266b75ca868a95fd2a4e30e3cf4898de1e13698d/src/mongo/db/dbcommands.cpp#L525). However, if it is intended, it is not made clear in the documentation, and also, we should raise a new SERVER ticket to add this functionality in - that is, it is certainly desirable to have a way of preventing users from creating new collections at will.
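The practical consequence of this ticket is that a role audit cannot treat "createCollection" as the only action that creates collections. The following helper is an added example, not code from the ticket or from the MongoDB project: it takes role documents in the shape db.createRole() uses on this page and reports which roles can bring a collection into existence in a given database. It assumes, matching the behaviour shown above, that "insert" on a namespace is as good as "createCollection" for that namespace, and it generalises the page's db-wide case (collection: "") to privileges scoped to a single named collection, which implicit creation on first insert also covers.

```javascript
// Added audit helper (not from the ticket or MongoDB). Assumption, matching the ticket's
// observed behaviour: either "createCollection" or "insert" on a namespace is enough to
// create that collection, and resource {db, collection: ""} covers every collection in db.
const CREATING_ACTIONS = new Set(["createCollection", "insert"]);

// Does this privilege resource cover collection `coll` in database `db`?
function resourceCovers(resource, db, coll) {
  if (resource.anyResource) return true;   // any db, any collection
  if (resource.cluster) return false;      // cluster-level, not a namespace
  if (resource.db !== "" && resource.db !== db) return false;
  // collection "" means every collection in the db; a named collection matches only itself.
  return resource.collection === "" || resource.collection === coll;
}

// Privileges of `role` that allow creating collection `coll` in `db`; with coll === null,
// any collection in `db` counts. Returns the privileges so a reviewer can see why.
function collectionCreatingPrivileges(role, db, coll = null) {
  return role.privileges.filter((p) => {
    if (!p.actions.some((a) => CREATING_ACTIONS.has(a))) return false;
    if (coll === null) {
      return Boolean(p.resource.anyResource) ||
        (!p.resource.cluster && (p.resource.db === "" || p.resource.db === db));
    }
    return resourceCovers(p.resource, db, coll);
  });
}

// Constructed sample roles: the ticket's "insertonly" role plus two others for contrast.
const SAMPLE_ROLES = [
  { role: "insertonly",
    privileges: [{ resource: { db: "test", collection: "" }, actions: ["insert"] }], roles: [] },
  { role: "readonly",
    privileges: [{ resource: { db: "test", collection: "" }, actions: ["find"] }], roles: [] },
  { role: "logwriter",
    privileges: [{ resource: { db: "test", collection: "events" }, actions: ["insert"] }], roles: [] },
];

// Names of the roles that can create at least one collection in `db`.
function auditRoles(roles, db) {
  return roles
    .filter((r) => collectionCreatingPrivileges(r, db).length > 0)
    .map((r) => r.role);
}

console.log(auditRoles(SAMPLE_ROLES, "test")); // ["insertonly", "logwriter"]
```

Against a live deployment the role documents would come from db.getRoles({showPrivileges: true}); the contrast between "logwriter" and "insertonly" shows that scoping "insert" to a named collection limits which collections can appear, but does not remove creation entirely.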

        People

        Assignee: ramon.fernandez Ramon Fernandez Marina
        Reporter: victor.hooi Victor Hooi