  1. Core Server
  2. SERVER-19131

clusterManager role does not have permission for adding tag ranges

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical - P2
    • Resolution: Fixed
    • Affects Version/s: 2.6.5
    • Fix Version/s: 3.0.7, 3.1.7
    • Component/s: Security
    • Labels:
    • Environment:
      2.6.x
    • Backwards Compatibility:
      Fully Compatible
    • Operating System:
      ALL
    • Backport Completed:
    • Steps To Reproduce:
      • Launch an auth enabled cluster
      • Add user with [userAdminAnyDatabase, clusterManager] role at cluster level
      • Add a tag range enabled sharded cluster

        sh.enableSharding("test")
        sh.shardCollection("test.test", {_id: 1})
        sh.addTagRange("test.test", {_id: 1}, {_id: 10}, "S1")
        // The above statement should fail with an authorization error.
        

    • Sprint:
      Security 7 08/10/15, Security 8 08/28/15

      Description

      The clusterManager role provides the necessary authorizations for managing a cluster. Although most of the commands and the explicit updates on collections like config.settings are authorized, some of the lesser-used operations like sh.addTagRange, which performs an operation directly on the underlying collection config.tag, are not authorized and need an additional readWrite permission to be granted on the config database.

          Activity

          spencer Spencer T Brody added a comment -

          Yep, this is a real bug. The clusterManager role should be granted insert, update, and remove privileges on the config.tags collection.

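A least-privilege alternative to the readWrite-on-config workaround, as an added example that is not MongoDB's own code: it builds a supplementary role limited to the three actions named in the comment above and checks constructed privilege lists against it. The role name `tagRangeManager`, the sample privilege lists and the simplified resource matching are assumptions.

```javascript
// Added example. The role name and the sample privilege lists are constructed.
const TAG_WRITE_ACTIONS = ["insert", "update", "remove"]; // actions named in the comment above

// Supplementary role limited to config.tags (hypothetical name "tagRangeManager").
// In the mongo shell: db.getSiblingDB("admin").createRole(tagRangeRole())
function tagRangeRole() {
  return {
    role: "tagRangeManager",
    privileges: [{ resource: { db: "config", collection: "tags" }, actions: TAG_WRITE_ACTIONS }],
    roles: [],
  };
}

// Simplified resource match: exact db, and exact collection or "" (whole database).
// Cluster resources ({ cluster: true }) never match a collection.
function covers(resource, db, coll) {
  return resource.db === db &&
    (resource.collection === coll || resource.collection === "");
}

// Actions from `needed` that no privilege grants on db.coll.
function missingActions(privileges, db, coll, needed) {
  const granted = new Set();
  for (const p of privileges) {
    if (covers(p.resource, db, coll)) p.actions.forEach((a) => granted.add(a));
  }
  return needed.filter((a) => !granted.has(a));
}

// Privileges that grant any of `needed` on db.coll through a database-wide resource.
function databaseWideGrants(privileges, db, coll, needed) {
  return privileges.filter((p) =>
    covers(p.resource, db, coll) && p.resource.collection === "" &&
    p.actions.some((a) => needed.includes(a)));
}

// Constructed sample: a cluster-management role that reads config but cannot write config.tags.
const beforeFix = [
  { resource: { cluster: true }, actions: ["addShard", "listShards"] },
  { resource: { db: "config", collection: "" }, actions: ["find"] },
  { resource: { db: "config", collection: "settings" }, actions: ["insert", "update", "remove"] },
];
// Constructed sample: the workaround from the description, modelled as write access to all of config.
const workaround = beforeFix.concat([
  { resource: { db: "config", collection: "" }, actions: ["find", "insert", "update", "remove"] },
]);
const narrow = beforeFix.concat(tagRangeRole().privileges);
console.log(missingActions(beforeFix, "config", "tags", TAG_WRITE_ACTIONS));
```

Both `workaround` and `narrow` close the gap on config.tags, but only `workaround` also allows writes to other config collections such as config.shards.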
          xgen-internal-githook Githook User added a comment -

          Author:

          {u'name': u'Merry Mou', u'email': u'merry.mou@mongodb.com'}

          Message: SERVER-19131 Give clusterManager role privileges to config.tags
          Branch: master
          https://github.com/mongodb/mongo/commit/8fbd2f5bf969c1a06e85a5edd77d767d2c587193

          xgen-internal-githook Githook User added a comment -

          Author:

          {u'name': u'Merry Mou', u'email': u'merry.mou@mongodb.com'}

          Message: SERVER-19131 Give clusterManager role privileges to config.tags
          Branch: v3.0
          https://github.com/mongodb/mongo/commit/30ec554085a583ffa70a1f5e532496c50255d1d9

