Loading...

XML

Word

Printable

JSON

Details

Type: Bug
Resolution: Done
Priority: Major - P3
Fix Version/s: 2.6.12, 3.0.7, 3.1.7
Affects Version/s: None
Component/s: Security
Labels:
None

Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Backport Completed:

2.6.12, 3.0.7
Sprint:
Security 6 07/17/15, Security 7 08/10/15, Security 8 08/28/15

Description

createRole does not reject user-defined roles that have the same name as a builtin role. An entry gets written into admin.system.roles, but doesn't show up in the output of "show roles".
Similarly, the updateRole will update this entry.
dropRole won't remove it.

The workaround is to manually remove the entry from admin.system.roles (which requires sufficient privs to be granted to do that).

> db

admin

> db.version()

3.1.5

> db.system.roles.find()

> show roles

        "role" : "__system",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "backup",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "clusterAdmin",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "clusterManager",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "clusterMonitor",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "dbAdmin",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "dbAdminAnyDatabase",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "dbOwner",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "hostManager",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "read",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "readAnyDatabase",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "readWrite",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "readWriteAnyDatabase",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "restore",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "root",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "userAdmin",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "userAdminAnyDatabase",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

> db.createRole({role: "readWrite", roles: [], privileges: []})

{ "role" : "readWrite", "roles" : [ ], "privileges" : [ ] }

> db.system.roles.find()

{ "_id" : "admin.readWrite", "role" : "readWrite", "db" : "admin", "privileges" : [ ], "roles" : [ ] }

> show roles

        "role" : "__system",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "backup",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "clusterAdmin",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "clusterManager",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "clusterMonitor",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "dbAdmin",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "dbAdminAnyDatabase",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "dbOwner",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "hostManager",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "read",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "readAnyDatabase",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "readWrite",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "readWriteAnyDatabase",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "restore",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "root",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "userAdmin",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "userAdminAnyDatabase",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

> db.updateRole("readWrite", {roles: [{role:"root", db:"admin"}]})

> db.system.roles.find()

{ "_id" : "admin.readWrite", "role" : "readWrite", "db" : "admin", "privileges" : [ ], "roles" : [ { "role" : "root", "db" : "admin" } ] }

> show roles

        "role" : "__system",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "backup",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "clusterAdmin",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "clusterManager",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "clusterMonitor",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "dbAdmin",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "dbAdminAnyDatabase",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "dbOwner",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "hostManager",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "read",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "readAnyDatabase",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "readWrite",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "readWriteAnyDatabase",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "restore",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "root",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "userAdmin",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "userAdminAnyDatabase",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

> db.dropRole("readWrite")

2015-07-06T13:28:13.292+1000 E QUERY    [main] Error: readWrite@admin is a built-in role and cannot be modified.

    at Error (<anonymous>)

    at DB.dropRole (src/mongo/shell/db.js:1498:11)

    at (shell):1:4 at src/mongo/shell/db.js:1498

> db.system.roles.find()

{ "_id" : "admin.readWrite", "role" : "readWrite", "db" : "admin", "privileges" : [ ], "roles" : [ { "role" : "root", "db" : "admin" } ] }

> db.system.roles.remove({_id:"admin.readWrite"})

WriteResult({

        "writeError" : {

                "code" : 13,

                "errmsg" : "not authorized on admin to execute command { delete: \"system.roles\", deletes: [ { q: {}, limit: 0.0 } ], ordered: true }"

})

> db.createRole({role:"foo",roles:[], privileges:[{resource:{db:"admin",collection:"system.roles"}, actions:["remove"]}]})

        "role" : "foo",

        "roles" : [ ],

        "privileges" : [

                        "resource" : {

                                "db" : "admin",

                                "collection" : "system.roles"

},

                        "actions" : [

                                "remove"

> db.grantRolesToUser("user", ["foo"])

> db.system.roles.remove({_id:"admin.readWrite"})

WriteResult({ "nRemoved" : 1 })

> db.system.roles.find()

{ "_id" : "admin.foo", "role" : "foo", "db" : "admin", "privileges" : [ { "resource" : { "db" : "admin", "collection" : "system.roles" }, "actions" : [ "remove" ] } ], "roles" : [ ] }

> show roles

        "role" : "__system",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "backup",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "clusterAdmin",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "clusterManager",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "clusterMonitor",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "dbAdmin",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "dbAdminAnyDatabase",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "dbOwner",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "foo",

        "db" : "admin",

        "isBuiltin" : false,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "hostManager",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "read",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "readAnyDatabase",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "readWrite",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "readWriteAnyDatabase",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "restore",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "root",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "userAdmin",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

        "role" : "userAdminAnyDatabase",

        "db" : "admin",

        "isBuiltin" : true,

        "roles" : [ ],

        "inheritedRoles" : [ ]

Attachments

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

createBuiltinRole.js
0.7 kB
Jul 07 2015 04:57:26 AM UTC

Activity

People

Assignee:: Merry Mou

Reporter:: Kevin Pulo

Participants:: Andy Schwerin, Githook User, Kevin Pulo, Merry Mou

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: Jul 06 2015 03:47:05 AM UTC

Updated:: Feb 05 2016 02:29:40 PM UTC

Resolved:: Aug 14 2015 05:42:46 PM UTC