[SERVER-19131] clusterManager role does not have permission for adding tag ranges - MongoDB

Details

Type: Bug
Status: Closed
Priority: Critical - P2
Resolution: Fixed
Affects Version/s: 2.6.5
Fix Version/s: 3.0.7, 3.1.7
Component/s: Security
Labels:
- authorization
Environment:
2.6.x

Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Backport Completed:

3.0.7

Steps To Reproduce:

Hide

Launch an auth enabled cluster
Add user with [userAdminAnyDatabase, clusterManager] role at cluster level

Add a tag range enabled sharded cluster

sh.enableSharding("test")

sh.shardCollection("test.test", {_id: 1})

sh.addTagRange("test.test", {_id: 1}, {_id: 10}, "S1")

# The above statement should fail with authorization error.

Show

Launch an auth enabled cluster Add user with [userAdminAnyDatabase, clusterManager] role at cluster level Add a tag range enabled sharded cluster sh.enableSharding("test") sh.shardCollection("test.test", {_id: 1}) sh.addTagRange("test.test", {_id: 1}, {_id: 10}, "S1") # The above statement should fail with authorization error.

Sprint:
Security 7 08/10/15, Security 8 08/28/15

Description

The clusterManager role provides the necessary authorizations for managing cluster. Although most of the commands and the explicit updates on the collections like config.settings are authorized, some of lesser used operations like sh.addTagRange that performs an operation directly on the underlying collection config.tag are not authorized and needs an additional readWrite permission to be granted on the config database.

Issue Links

related to

SERVER-6357 Add tag based sharding commands

Closed

Activity

Comments

Ascending order - Click to sort in descending order

Hide

Permalink

Spencer T Brody added a comment - Jul 16 2015 09:33:31 PM +00:00

Yep, this is a real bug. The clusterManager role should be granted insert, update, and remove privileges on the config.tags collection

Show

Spencer T Brody added a comment - Jul 16 2015 09:33:31 PM +00:00 Yep, this is a real bug. The clusterManager role should be granted insert, update, and remove privileges on the config.tags collection

Hide

Permalink

Githook User added a comment - Aug 14 2015 08:34:15 PM +00:00

Author:

{u'name': u'Merry Mou', u'email': u'merry.mou@mongodb.com'}

Message: ~~SERVER-19131~~ Give clusterManager role privileges to config.tags
Branch: master
https://github.com/mongodb/mongo/commit/8fbd2f5bf969c1a06e85a5edd77d767d2c587193

Show

Githook User added a comment - Aug 14 2015 08:34:15 PM +00:00 Author: {u'name': u'Merry Mou', u'email': u'merry.mou@mongodb.com'} Message: SERVER-19131 Give clusterManager role privileges to config.tags Branch: master https://github.com/mongodb/mongo/commit/8fbd2f5bf969c1a06e85a5edd77d767d2c587193

Hide

Permalink

Githook User added a comment - Aug 31 2015 07:30:37 PM +00:00

Author:

{u'name': u'Merry Mou', u'email': u'merry.mou@mongodb.com'}

Message: ~~SERVER-19131~~ Give clusterManager role privileges to config.tags
Branch: v3.0
https://github.com/mongodb/mongo/commit/30ec554085a583ffa70a1f5e532496c50255d1d9

Show

Githook User added a comment - Aug 31 2015 07:30:37 PM +00:00 Author: {u'name': u'Merry Mou', u'email': u'merry.mou@mongodb.com'} Message: SERVER-19131 Give clusterManager role privileges to config.tags Branch: v3.0 https://github.com/mongodb/mongo/commit/30ec554085a583ffa70a1f5e532496c50255d1d9

People

Assignee:

Merry Mou (Inactive)

Reporter:

Anil Kumar (Inactive)

Participants:

Anil Kumar, Githook User, Merry Mou, Spencer T Brody

Votes:

0 Vote for this issue

Watchers:

6 Start watching this issue

Dates

Created:

Jun 25 2015 04:12:46 PM +00:00

Updated:

Oct 13 2015 08:41:09 PM +00:00

Resolved:

Aug 14 2015 08:38:46 PM +00:00

Agile

Completed Sprints:

Security 7 08/10/15 ended 10/Aug/15
Security 8 08/28/15 ended 31/Aug/15
View on Board