Description
- createRole does not reject user-defined roles that have the same name as a built-in role. An entry is written into admin.system.roles, but it does not show up in the output of "show roles", which continues to list only the built-in role of that name.
- Similarly, updateRole will update this hidden entry (in the transcript below it is even assigned the "root" role).
- dropRole won't remove it: the call fails with "readWrite@admin is a built-in role and cannot be modified."
The workaround is to manually remove the entry from admin.system.roles, which requires that the acting user first be granted a privilege with the "remove" action on that collection (see the end of the transcript below).
> db
|
admin
|
> db.version()
|
3.1.5
|
>
|
>
|
>
|
> db.system.roles.find()
|
> show roles
|
{
|
"role" : "__system",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "backup",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "clusterAdmin",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "clusterManager",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "clusterMonitor",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "dbAdmin",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "dbAdminAnyDatabase",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "dbOwner",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "hostManager",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "read",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "readAnyDatabase",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "readWrite",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "readWriteAnyDatabase",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "restore",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "root",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "userAdmin",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "userAdminAnyDatabase",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
> db.createRole({role: "readWrite", roles: [], privileges: []})
|
{ "role" : "readWrite", "roles" : [ ], "privileges" : [ ] }
|
>
|
>
|
>
|
>
|
> db.system.roles.find()
|
{ "_id" : "admin.readWrite", "role" : "readWrite", "db" : "admin", "privileges" : [ ], "roles" : [ ] }
|
> show roles
|
{
|
"role" : "__system",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "backup",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "clusterAdmin",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "clusterManager",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "clusterMonitor",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "dbAdmin",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "dbAdminAnyDatabase",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "dbOwner",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "hostManager",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "read",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "readAnyDatabase",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "readWrite",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "readWriteAnyDatabase",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "restore",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "root",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "userAdmin",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "userAdminAnyDatabase",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
>
|
>
|
>
|
>
|
> db.updateRole("readWrite", {roles: [{role:"root", db:"admin"}]})
|
> db.system.roles.find()
|
{ "_id" : "admin.readWrite", "role" : "readWrite", "db" : "admin", "privileges" : [ ], "roles" : [ { "role" : "root", "db" : "admin" } ] }
|
> show roles
|
{
|
"role" : "__system",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "backup",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "clusterAdmin",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "clusterManager",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "clusterMonitor",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "dbAdmin",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "dbAdminAnyDatabase",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "dbOwner",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "hostManager",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "read",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "readAnyDatabase",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "readWrite",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "readWriteAnyDatabase",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "restore",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "root",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "userAdmin",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "userAdminAnyDatabase",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
>
|
>
|
>
|
>
|
>
|
> db.dropRole("readWrite")
|
2015-07-06T13:28:13.292+1000 E QUERY [main] Error: readWrite@admin is a built-in role and cannot be modified.
|
at Error (<anonymous>)
|
at DB.dropRole (src/mongo/shell/db.js:1498:11)
|
at (shell):1:4 at src/mongo/shell/db.js:1498
|
> db.system.roles.find()
|
{ "_id" : "admin.readWrite", "role" : "readWrite", "db" : "admin", "privileges" : [ ], "roles" : [ { "role" : "root", "db" : "admin" } ] }
|
> db.system.roles.remove({_id:"admin.readWrite"})
|
WriteResult({
|
"writeError" : {
|
"code" : 13,
|
"errmsg" : "not authorized on admin to execute command { delete: \"system.roles\", deletes: [ { q: {}, limit: 0.0 } ], ordered: true }"
|
}
|
})
|
>
|
>
|
>
|
>
|
>
|
> db.createRole({role:"foo",roles:[], privileges:[{resource:{db:"admin",collection:"system.roles"}, actions:["remove"]}]})
|
{
|
"role" : "foo",
|
"roles" : [ ],
|
"privileges" : [
|
{
|
"resource" : {
|
"db" : "admin",
|
"collection" : "system.roles"
|
},
|
"actions" : [
|
"remove"
|
]
|
}
|
]
|
}
|
> db.grantRolesToUser("user", ["foo"])
|
> db.system.roles.remove({_id:"admin.readWrite"})
|
WriteResult({ "nRemoved" : 1 })
|
> db.system.roles.find()
|
{ "_id" : "admin.foo", "role" : "foo", "db" : "admin", "privileges" : [ { "resource" : { "db" : "admin", "collection" : "system.roles" }, "actions" : [ "remove" ] } ], "roles" : [ ] }
|
> show roles
|
{
|
"role" : "__system",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "backup",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "clusterAdmin",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "clusterManager",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "clusterMonitor",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "dbAdmin",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "dbAdminAnyDatabase",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "dbOwner",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "foo",
|
"db" : "admin",
|
"isBuiltin" : false,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "hostManager",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "read",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "readAnyDatabase",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "readWrite",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "readWriteAnyDatabase",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "restore",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "root",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "userAdmin",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|
{
|
"role" : "userAdminAnyDatabase",
|
"db" : "admin",
|
"isBuiltin" : true,
|
"roles" : [ ],
|
"inheritedRoles" : [ ]
|
}
|