[SERVER-19131] clusterManager role does not have permission for adding tag ranges - MongoDB

Details

Type: Bug
Status: Closed
Priority: Critical - P2
Resolution: Fixed
Affects Version/s: 2.6.5
Fix Version/s: 3.0.7, 3.1.7
Component/s: Security
Labels:
- authorization
Environment:
2.6.x

Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Backport Completed:

3.0.7

Steps To Reproduce:

Hide

Launch an auth enabled cluster
Add user with [userAdminAnyDatabase, clusterManager] role at cluster level

Add a tag range enabled sharded cluster

sh.enableSharding("test")

sh.shardCollection("test.test", {_id: 1})

sh.addTagRange("test.test", {_id: 1}, {_id: 10}, "S1")

# The above statement should fail with authorization error.

Show

Launch an auth enabled cluster Add user with [userAdminAnyDatabase, clusterManager] role at cluster level Add a tag range enabled sharded cluster sh.enableSharding("test") sh.shardCollection("test.test", {_id: 1}) sh.addTagRange("test.test", {_id: 1}, {_id: 10}, "S1") # The above statement should fail with authorization error.

Sprint:
Security 7 08/10/15, Security 8 08/28/15

Description

The clusterManager role provides the necessary authorizations for managing cluster. Although most of the commands and the explicit updates on the collections like config.settings are authorized, some of lesser used operations like sh.addTagRange that performs an operation directly on the underlying collection config.tag are not authorized and needs an additional readWrite permission to be granted on the config database.

Attachments

Issue Links

related to

SERVER-6357 Add tag based sharding commands

Closed

Activity

People

Assignee:

Merry Mou

Reporter:

Anil Kumar

Participants:

Anil Kumar, Githook User, Merry Mou, Spencer T Brody

Votes:

0 Vote for this issue

Watchers:

5 Start watching this issue

Dates

Created:

Jun 25 2015 04:12:46 PM UTC

Updated:

Oct 13 2015 08:41:09 PM UTC

Resolved:

Aug 14 2015 08:38:46 PM UTC