Core Server / SERVER-16944

dbAdminAnyDatabase should have full parity with dbAdmin for a given database

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • 3.0.1, 3.1.0
    • Affects Version/s: None
    • Component/s: Admin, Security
    • Labels: None
    • Minor Change
    • ALL

      Originally reported in SERVER-14355:

      This is not fixed in MongoDB 2.6.6 – using a user with root and restore privileges was not sufficient to create the system.profile collection:

      myReplicaSet:PRIMARY> db.system.users.find({user:"myAdminUser"}).pretty()
      {
          "_id" : "admin.myAdminUser",
          "user" : "myAdminUser",
          "db" : "admin",
          "credentials" : {
              "MONGODB-CR" : "XXXXXXXXXXXXXXXXXXXXXX"
          },
          "roles" : [
              {
                  "role" : "restore",
                  "db" : "admin"
              },
              {
                  "role" : "root",
                  "db" : "admin"
              }
          ]
      }
      myReplicaSet:PRIMARY> use myDb
      switched to db myDb
      myReplicaSet:PRIMARY> db.createCollection("system.profile", {capped: true, size: 262144000})
      {
          "ok" : 0,
          "errmsg" : "not authorized on myDb to execute command { create: \"system.profile\", capped: true, size: 262144000.0 }",
          "code" : 13
      }
      myReplicaSet:PRIMARY> use admin
      switched to db admin
      myReplicaSet:PRIMARY> db.grantRolesToUser("myAdminUser",[{role:"dbAdmin",db:"myDb"}])
      myReplicaSet:PRIMARY> use myDb
      switched to db myDb
      myReplicaSet:PRIMARY> db.createCollection("system.profile", {capped: true, size: 262144000})
      { "ok" : 1 }
      myReplicaSet:PRIMARY> db.setProfilingLevel(2)
      { "was" : 0, "slowms" : 100, "ok" : 1 }
      myReplicaSet:PRIMARY> 
      

      http://docs.mongodb.org/manual/reference/built-in-roles/#root says that root includes dbAdminAnyDatabase which http://docs.mongodb.org/manual/reference/built-in-roles/#dbAdminAnyDatabase describes as "Provides the same access to database administration operations as dbAdmin, except it applies to all databases in the cluster." Yet I had to manually add dbAdmin for myDb in order to create the system.profile collection.

      If we instead follow the later note in http://docs.mongodb.org/manual/reference/built-in-roles/#root that the restore role is needed to write or restore system.* collections, then again, this is not working as described, as restore was not sufficient either to create the system.profile collection.

            Assignee: spencer@mongodb.com Spencer Brody (Inactive)
            Reporter: ramon.fernandez@mongodb.com Ramon Fernandez Marina
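The parity the title asks for can be checked mechanically. The following is an added example, not part of the original report and not MongoDB's own code: it compares two privilege lists in the shape `db.getRole(<name>, {showPrivileges: true})` returns and reports every action the database-scoped role grants that the any-database role does not. The function names `covers` and `parityGaps` are hypothetical, and the privilege lists are constructed sample data, not the real tables of any MongoDB release.

```javascript
// Constructed sample privilege lists (shape: [{resource, actions}]).
// They are NOT the real privilege tables of any MongoDB release.
const dbAdminOnMyDb = [
  { resource: { db: "myDb", collection: "" },
    actions: ["collStats", "createCollection", "createIndex", "dropCollection"] },
  { resource: { db: "myDb", collection: "system.profile" },
    actions: ["createCollection", "dropCollection", "find"] },
];
const dbAdminAnyDatabase = [
  { resource: { db: "", collection: "" },
    actions: ["collStats", "createCollection", "createIndex", "dropCollection"] },
  { resource: { db: "", collection: "system.profile" },
    actions: ["dropCollection", "find"] },
];

// Does a granted resource pattern cover a wanted one inside dbName?
// db "" means any database; collection "" means all non-system collections,
// so it never covers system.* collections such as system.profile.
function covers(granted, wanted, dbName) {
  if (granted.db !== "" && granted.db !== dbName) return false;
  if (granted.collection === wanted.collection) return true;
  return granted.collection === "" && wanted.collection !== "" &&
         !wanted.collection.startsWith("system.");
}

// List "collection:action" pairs the scoped role has but the any-db role lacks.
function parityGaps(scoped, anyDb, dbName) {
  const gaps = [];
  for (const want of scoped) {
    if (want.resource.db !== dbName) continue; // skip cluster/other resources
    for (const action of want.actions) {
      const ok = anyDb.some(p =>
        covers(p.resource, want.resource, dbName) && p.actions.includes(action));
      if (!ok) gaps.push(`${want.resource.collection || "<non-system>"}:${action}`);
    }
  }
  return gaps;
}

console.log(parityGaps(dbAdminOnMyDb, dbAdminAnyDatabase, "myDb"));
```

Against a real deployment, the two input arrays would come from the `privileges` and `inheritedPrivileges` fields of each role document; an empty result means the any-database role is a superset for that database.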