Originally reported in SERVER-14355:
This is not fixed in MongoDB 2.6.6 – using a user with root and restore privileges was not sufficient to create the system.profile collection:
myReplicaSet:PRIMARY> db.system.users.find({user:"myAdminUser"}).pretty()
{
"_id" : "admin.myAdminUser",
"user" : "myAdminUser",
"db" : "admin",
"credentials" : {
"MONGODB-CR" : "XXXXXXXXXXXXXXXXXXXXXX"
},
"roles" : [
{
"role" : "restore",
"db" : "admin"
},
{
"role" : "root",
"db" : "admin"
}
]
}
myReplicaSet:PRIMARY> use myDb
switched to db myDb
myReplicaSet:PRIMARY> db.createCollection("system.profile", {capped: true, size: 262144000})
{
"ok" : 0,
"errmsg" : "not authorized on myDb to execute command { create: \"system.profile\", capped: true, size: 262144000.0 }",
"code" : 13
}
myReplicaSet:PRIMARY> use admin
switched to db admin
myReplicaSet:PRIMARY> db.grantRolesToUser("myAdminUser",[{role:"dbAdmin",db:"myDb"}])
myReplicaSet:PRIMARY> use myDb
switched to db myDb
myReplicaSet:PRIMARY> db.createCollection("system.profile", {capped: true, size: 262144000})
{ "ok" : 1 }
myReplicaSet:PRIMARY> db.setProfilingLevel(2)
{ "was" : 0, "slowms" : 100, "ok" : 1 }
myReplicaSet:PRIMARY>
http://docs.mongodb.org/manual/reference/built-in-roles/#root says that root includes dbAdminAnyDatabase which http://docs.mongodb.org/manual/reference/built-in-roles/#dbAdminAnyDatabase describes as "Provides the same access to database administration operations as dbAdmin, except it applies to all databases in the cluster." Yet I had to manually add dbAdmin for myDb in order to create the system.profile collection.
If we instead follow the later note in http://docs.mongodb.org/manual/reference/built-in-roles/#root that the restore role is needed to write or restore system.* collections, then again, this is not working as described, as restore was not sufficient either to create the system.profile collection.
Related to: SERVER-14355 Allow dbAdmin role to manually create system.profile collections (Closed)