  1. Core Server
  2. SERVER-16944

dbAdminAnyDatabase should have full parity with dbAdmin for a given database


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.0.1, 3.1.0
    • Component/s: Admin, Security
    • Labels:
      None
    • Backwards Compatibility:
      Minor Change
    • Operating System:
      ALL
    • Backport Completed:

      Description

      Originally reported in SERVER-14355:

      This is not fixed in MongoDB 2.6.6 – using a user with root and restore privileges was not sufficient to create the system.profile collection:

      myReplicaSet:PRIMARY> db.system.users.find({user:"myAdminUser"}).pretty()
      {
          "_id" : "admin.myAdminUser",
          "user" : "myAdminUser",
          "db" : "admin",
          "credentials" : {
              "MONGODB-CR" : "XXXXXXXXXXXXXXXXXXXXXX"
          },
          "roles" : [
              {
                  "role" : "restore",
                  "db" : "admin"
              },
              {
                  "role" : "root",
                  "db" : "admin"
              }
          ]
      }
      myReplicaSet:PRIMARY> use myDb
      switched to db myDb
      myReplicaSet:PRIMARY> db.createCollection("system.profile", {capped: true, size: 262144000})
      {
          "ok" : 0,
          "errmsg" : "not authorized on myDb to execute command { create: \"system.profile\", capped: true, size: 262144000.0 }",
          "code" : 13
      }
      myReplicaSet:PRIMARY> use admin
      switched to db admin
      myReplicaSet:PRIMARY> db.grantRolesToUser("myAdminUser",[{role:"dbAdmin",db:"myDb"}])
      myReplicaSet:PRIMARY> use myDb
      switched to db myDb
      myReplicaSet:PRIMARY> db.createCollection("system.profile", {capped: true, size: 262144000})
      { "ok" : 1 }
      myReplicaSet:PRIMARY> db.setProfilingLevel(2)
      { "was" : 0, "slowms" : 100, "ok" : 1 }
      myReplicaSet:PRIMARY> 
      

      http://docs.mongodb.org/manual/reference/built-in-roles/#root says that root includes dbAdminAnyDatabase, which http://docs.mongodb.org/manual/reference/built-in-roles/#dbAdminAnyDatabase describes as "Provides the same access to database administration operations as dbAdmin, except it applies to all databases in the cluster." Yet I had to manually add dbAdmin for myDb in order to create the system.profile collection.

      If we instead follow the later note in http://docs.mongodb.org/manual/reference/built-in-roles/#root that the restore role is needed to write or restore system.* collections, then again, this is not working as described, as restore was not sufficient either to create the system.profile collection.
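A diagnostic for the situation in the description, as an added example that is not part of the original report or MongoDB's own code: it evaluates a user's effective privileges (the `inheritedPrivileges` array that `usersInfo` returns with `showPrivileges: true`) against a namespace using the documented resource-pattern rules, under which an empty `collection` wildcard does not cover `system.*` collections. The privilege lists are constructed samples, not the real role definitions of any server version, and `resourceMatches` and `isAuthorized` are hypothetical helper names.

```javascript
"use strict";

// Resource-pattern rules from the MongoDB privilege documentation:
//   { db: "",  collection: ""  }  any non-system collection in any database
//   { db: "d", collection: ""  }  any non-system collection in database d
//   { db: "",  collection: "c" }  collection c in every database
//   { db: "d", collection: "c" }  exactly d.c
function resourceMatches(resource, dbName, collName) {
  if (resource.anyResource === true) return true;
  if (typeof resource.db !== "string" || typeof resource.collection !== "string") {
    return false; // e.g. { cluster: true } never matches a namespace
  }
  if (resource.db !== "" && resource.db !== dbName) return false;
  if (resource.collection === "") return !collName.startsWith("system.");
  return resource.collection === collName;
}

// privileges: array shaped like usersInfo's inheritedPrivileges.
function isAuthorized(privileges, action, dbName, collName) {
  return privileges.some((p) =>
    p.actions.includes(action) && resourceMatches(p.resource, dbName, collName));
}

// Constructed sample: an "any database" admin role that only carries wildcard resources.
const wildcardOnly = [
  { resource: { db: "", collection: "" }, actions: ["createCollection", "dropCollection"] },
  { resource: { cluster: true }, actions: ["listDatabases"] },
];

// Constructed sample: the same user after a per-database grant that names system.profile.
const withMyDbGrant = wildcardOnly.concat([
  { resource: { db: "myDb", collection: "system.profile" }, actions: ["createCollection"] },
]);

// Constructed sample: system.profile named explicitly for every database.
const withAnyDbProfile = wildcardOnly.concat([
  { resource: { db: "", collection: "system.profile" }, actions: ["createCollection"] },
]);

for (const [label, privs] of [["wildcardOnly", wildcardOnly],
  ["withMyDbGrant", withMyDbGrant], ["withAnyDbProfile", withAnyDbProfile]]) {
  console.log(label, isAuthorized(privs, "createCollection", "myDb", "system.profile"));
}
```

To check a live user, pass `db.getSiblingDB("admin").runCommand({usersInfo: {user: "myAdminUser", db: "admin"}, showPrivileges: true}).users[0].inheritedPrivileges` from the mongo shell as `privileges`.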
