Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-16944

dbAdminAnyDatabase should have full parity with dbAdmin for a given database

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major - P3
    • Resolution: Fixed
    • None
    • 3.0.1, 3.1.0
    • Admin, Security
    • None
    • Minor Change
    • ALL

    Description

      Original reported in SERVER-14355:

      This is not fixed in MongoDB 2.6.6 – using a user with root and restore privileges was not sufficient to create the system.profile collection:

      myReplicaSet:PRIMARY> db.system.users.find({user:"myAdminUser"}).pretty()
      		 
      {
      		 
          "_id" : "admin.myAdminUser",
      		 
          "user" : "myAdminUser",
      		 
          "db" : "admin",
      		 
          "credentials" : {
      		 
              "MONGODB-CR" : "XXXXXXXXXXXXXXXXXXXXXX"
      		 
          },
      		 
          "roles" : [
      		 
              {
      		 
                  "role" : "restore",
      		 
                  "db" : "admin"
      		 
              },
      		 
              {
      		 
                  "role" : "root",
      		 
                  "db" : "admin"
      		 
              }
      		 
          ]
      		 
      }
      		 
      myReplicaSet:PRIMARY> use myDb
      		 
      switched to db myDb
      		 
      myReplicaSet:PRIMARY> db.createCollection("system.profile", {capped: true, size: 262144000})
      		 
      {
      		 
          "ok" : 0,
      		 
          "errmsg" : "not authorized on myDb to execute command { create: \"system.profile\", capped: true, size: 262144000.0 }",
      		 
          "code" : 13
      		 
      }
      		 
      myReplicaSet:PRIMARY> use admin
      		 
      switched to db admin
      		 
      myReplicaSet:PRIMARY> db.grantRolesToUser("myAdminUser",[{role:"dbAdmin",db:"myDb"}])
      		 
      myReplicaSet:PRIMARY> use myDb
      		 
      switched to db myDb
      		 
      myReplicaSet:PRIMARY> db.createCollection("system.profile", {capped: true, size: 262144000})
      		 
      { "ok" : 1 }
      		 
      myReplicaSet:PRIMARY> db.setProfilingLevel(2)
      		 
      { "was" : 0, "slowms" : 100, "ok" : 1 }
      		 
      myReplicaSet:PRIMARY>

      http://docs.mongodb.org/manual/reference/built-in-roles/#root says that root includes dbAdminAnyDatabase which http://docs.mongodb.org/manual/reference/built-in-roles/#dbAdminAnyDatabase describes as "Provides the same access to database administration operations as dbAdmin, except it applies to all databases in the cluster." Yet I had to manually add dbAdmin for myDb in order to create the system.profiles collection.

      If we instead follow the later note in http://docs.mongodb.org/manual/reference/built-in-roles/#root that the restore role is needed to write or restore system.* collections, then again, this is not working as described, as restore was not sufficient either to create the system.profile collection.

      Attachments

        Issue Links

          related to

          Bug - A problem which impairs or prevents the functions of the product. DOCS-4702 root role does have access to system.* collections

          • Major - P3 - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. SERVER-14355 Allow dbAdmin role to manually create system.profile collections

          • Major - P3 - Major loss of function.
          • Closed

          Activity

            People

              spencer@mongodb.com Spencer Brody (Inactive)
              ramon.fernandez@mongodb.com Ramon Fernandez Marina
              Votes:
              1 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: