Description
Originally reported in SERVER-14355:
This is not fixed in MongoDB 2.6.6 – using a user with root and restore privileges was not sufficient to create the system.profile collection:
myReplicaSet:PRIMARY> db.system.users.find({user:"myAdminUser"}).pretty()
{
    "_id" : "admin.myAdminUser",
    "user" : "myAdminUser",
    "db" : "admin",
    "credentials" : {
        "MONGODB-CR" : "XXXXXXXXXXXXXXXXXXXXXX"
    },
    "roles" : [
        {
            "role" : "restore",
            "db" : "admin"
        },
        {
            "role" : "root",
            "db" : "admin"
        }
    ]
}
myReplicaSet:PRIMARY> use myDb
switched to db myDb
myReplicaSet:PRIMARY> db.createCollection("system.profile", {capped: true, size: 262144000})
{
    "ok" : 0,
    "errmsg" : "not authorized on myDb to execute command { create: \"system.profile\", capped: true, size: 262144000.0 }",
    "code" : 13
}
myReplicaSet:PRIMARY> use admin
switched to db admin
myReplicaSet:PRIMARY> db.grantRolesToUser("myAdminUser",[{role:"dbAdmin",db:"myDb"}])
myReplicaSet:PRIMARY> use myDb
switched to db myDb
myReplicaSet:PRIMARY> db.createCollection("system.profile", {capped: true, size: 262144000})
{ "ok" : 1 }
myReplicaSet:PRIMARY> db.setProfilingLevel(2)
{ "was" : 0, "slowms" : 100, "ok" : 1 }
myReplicaSet:PRIMARY>
http://docs.mongodb.org/manual/reference/built-in-roles/#root says that root includes dbAdminAnyDatabase, which http://docs.mongodb.org/manual/reference/built-in-roles/#dbAdminAnyDatabase describes as "Provides the same access to database administration operations as dbAdmin, except it applies to all databases in the cluster." Yet I had to manually add dbAdmin for myDb in order to create the system.profile collection.
If we instead follow the later note in http://docs.mongodb.org/manual/reference/built-in-roles/#root that the restore role is needed to write or restore system.* collections, then again, this is not working as described, as restore was not sufficient either to create the system.profile collection.
Issue Links
- related to
  - DOCS-4702 root role does have access to system.* collections (Closed)
  - SERVER-14355 Allow dbAdmin role to manually create system.profile collections (Closed)