Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-19284

Should not be able to create role with same name as builtin role

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.6.12, 3.0.7, 3.1.7
    • Component/s: Security
    • Labels:
      None
    • Backwards Compatibility:
      Fully Compatible
    • Operating System:
      ALL
    • Backport Completed:
    • Sprint:
      Security 6 07/17/15, Security 7 08/10/15, Security 8 08/28/15

      Description

      1. createRole does not reject user-defined roles that have the same name as a builtin role. An entry gets written into admin.system.roles, but doesn't show up in the output of "show roles".
      2. Similarly, the updateRole will update this entry.
      3. dropRole won't remove it.

      The workaround is to manually remove the entry from admin.system.roles (which requires sufficient privs to be granted to do that).

      > db
      admin
      > db.version()
      3.1.5
      > 
      > 
      > 
      > db.system.roles.find()
      > show roles
      {
              "role" : "__system",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "backup",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "clusterAdmin",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "clusterManager",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "clusterMonitor",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "dbAdmin",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "dbAdminAnyDatabase",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "dbOwner",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "hostManager",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "read",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "readAnyDatabase",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "readWrite",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "readWriteAnyDatabase",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "restore",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "root",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "userAdmin",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "userAdminAnyDatabase",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      > db.createRole({role: "readWrite", roles: [], privileges: []})
      { "role" : "readWrite", "roles" : [ ], "privileges" : [ ] }
      > 
      > 
      > 
      > 
      > db.system.roles.find()
      { "_id" : "admin.readWrite", "role" : "readWrite", "db" : "admin", "privileges" : [ ], "roles" : [ ] }
      > show roles
      {
              "role" : "__system",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "backup",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "clusterAdmin",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "clusterManager",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "clusterMonitor",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "dbAdmin",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "dbAdminAnyDatabase",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "dbOwner",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "hostManager",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "read",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "readAnyDatabase",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "readWrite",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "readWriteAnyDatabase",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "restore",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "root",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "userAdmin",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "userAdminAnyDatabase",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      > 
      > 
      > 
      > 
      > db.updateRole("readWrite", {roles: [{role:"root", db:"admin"}]})
      > db.system.roles.find()
      { "_id" : "admin.readWrite", "role" : "readWrite", "db" : "admin", "privileges" : [ ], "roles" : [ { "role" : "root", "db" : "admin" } ] }
      > show roles
      {
              "role" : "__system",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "backup",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "clusterAdmin",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "clusterManager",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "clusterMonitor",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "dbAdmin",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "dbAdminAnyDatabase",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "dbOwner",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "hostManager",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "read",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "readAnyDatabase",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "readWrite",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "readWriteAnyDatabase",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "restore",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "root",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "userAdmin",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "userAdminAnyDatabase",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      > 
      > 
      > 
      > 
      > 
      > db.dropRole("readWrite")
      2015-07-06T13:28:13.292+1000 E QUERY    [main] Error: readWrite@admin is a built-in role and cannot be modified.
          at Error (<anonymous>)
          at DB.dropRole (src/mongo/shell/db.js:1498:11)
          at (shell):1:4 at src/mongo/shell/db.js:1498
      > db.system.roles.find()
      { "_id" : "admin.readWrite", "role" : "readWrite", "db" : "admin", "privileges" : [ ], "roles" : [ { "role" : "root", "db" : "admin" } ] }
      > db.system.roles.remove({_id:"admin.readWrite"})
      WriteResult({
              "writeError" : {
                      "code" : 13,
                      "errmsg" : "not authorized on admin to execute command { delete: \"system.roles\", deletes: [ { q: {}, limit: 0.0 } ], ordered: true }"
              }
      })
      > 
      > 
      > 
      > 
      > 
      > db.createRole({role:"foo",roles:[], privileges:[{resource:{db:"admin",collection:"system.roles"}, actions:["remove"]}]})
      {
              "role" : "foo",
              "roles" : [ ],
              "privileges" : [
                      {
                              "resource" : {
                                      "db" : "admin",
                                      "collection" : "system.roles"
                              },
                              "actions" : [
                                      "remove"
                              ]
                      }
              ]
      }
      > db.grantRolesToUser("user", ["foo"])
      > db.system.roles.remove({_id:"admin.readWrite"})
      WriteResult({ "nRemoved" : 1 })
      > db.system.roles.find()
      { "_id" : "admin.foo", "role" : "foo", "db" : "admin", "privileges" : [ { "resource" : { "db" : "admin", "collection" : "system.roles" }, "actions" : [ "remove" ] } ], "roles" : [ ] }
      > show roles
      {
              "role" : "__system",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "backup",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "clusterAdmin",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "clusterManager",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "clusterMonitor",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "dbAdmin",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "dbAdminAnyDatabase",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "dbOwner",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "foo",
              "db" : "admin",
              "isBuiltin" : false,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "hostManager",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "read",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "readAnyDatabase",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "readWrite",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "readWriteAnyDatabase",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "restore",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "root",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "userAdmin",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      {
              "role" : "userAdminAnyDatabase",
              "db" : "admin",
              "isBuiltin" : true,
              "roles" : [ ],
              "inheritedRoles" : [ ]
      }
      

        Attachments

          Activity

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: