clusterManager role does not have permission for adding tag ranges

XMLWordPrintableJSON

    • Type: Bug
    • Resolution: Done
    • Priority: Critical - P2
    • 3.0.7, 3.1.7
    • Affects Version/s: 2.6.5
    • Component/s: Security
    • Environment:
      2.6.x
    • Fully Compatible
    • ALL
    • Hide
      • Launch an auth enabled cluster
      • Add user with [userAdminAnyDatabase, clusterManager] role at cluster level
      • Add a tag range enabled sharded cluster 
        sh.enableSharding("test")
sh.shardCollection("test.test", {_id: 1})
sh.addTagRange("test.test", {_id: 1}, {_id: 10}, "S1")
# The above statement should fail with authorization error.
      Show
      Launch an auth enabled cluster Add user with [userAdminAnyDatabase, clusterManager] role at cluster level Add a tag range enabled sharded cluster sh.enableSharding( "test" ) sh.shardCollection( "test.test" , {_id: 1}) sh.addTagRange( "test.test" , {_id: 1}, {_id: 10}, "S1" ) # The above statement should fail with authorization error.
    • Security 7 08/10/15, Security 8 08/28/15
    • None
    • 0
    • None
    • None
    • None
    • None
    • None
    • None
    • None

      The clusterManager role provides the necessary authorizations for managing cluster. Although most of the commands and the explicit updates on the collections like config.settings are authorized, some of lesser used operations like sh.addTagRange that performs an operation directly on the underlying collection config.tag are not authorized and needs an additional readWrite permission to be granted on the config database.

            Assignee:
            Merry Mou (Inactive)
            Reporter:
            Anil Kumar (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: