Details
- Bug
- Resolution: Duplicate
- Major - P3
- None
- 3.0.5
- None
- ALL
- Security A 10/09/15
Description
It seems that there is a permission issue on db.system.users.getIndexes() in 3.0. In 2.6, this seems to be working fine. Following are the steps that I used to replicate this issue:
- Install MongoDB 2.4 (Since users were stored in <database>.system.users collection in 2.4).
- Create user with readWrite and dbOwner role.
    db.addUser( { user: "user", pwd: "user", roles: ["readWrite","dbOwner"] } )
    ankit(mongod-2.4.14) test> db.system.users.find()
    {
      "_id": ObjectId("55fb9dc4ab757ec03e77562d"),
      "user": "user",
      "pwd": "fa26a506aa0f786a447bbd6d1caaa8b5",
      "roles": ["readWrite","dbOwner"]
    }
- Start MongoDB and execute following queries:
    ankit:log-11213 ankit$ mongo
    MongoDB shell version: 2.4.14
    connecting to: test
    Mongo-Hacker 0.0.8
    > db.auth("user","user")
    1
    > show collections
    system.indexes → 0.000MB / 0.004MB
    system.users → NaNMB / NaNMB
    > db.system.users.getIndexes()
    [
      {
        "v": 1,
        "name": "_id_",
        "key": {"_id": 1},
        "ns": "test.system.users"
      },
      {
        "v": 1,
        "name": "user_1_userSource_1",
        "key": {"user": 1,"userSource": 1},
        "unique": true,
        "ns": "test.system.users"
      }
    ]
- Upgrade to 2.6 (Note that it requires authorization schema upgrade). Users will be copied to admin.system.users collection. But <database.system.users> collection still remains in the database in question.
- Connect via mongo client and execute following query:
    connecting to: test
    Mongo-Hacker 0.0.8
    > db.auth("user","user")
    1
    > show collections
    system.indexes → 0.000MB / 0.004MB
    system.users → NaNMB / NaNMB
    > db.system.users.getIndexes()
    [
      {
        "v": 1,
        "name": "_id_",
        "key": {"_id": 1},
        "ns": "test.system.users"
      },
      {
        "v": 1,
        "name": "user_1_userSource_1",
        "key": {"user": 1,"userSource": 1},
        "unique": true,
        "ns": "test.system.users"
      }
    ]
- Upgrade to 3.0.5, connect via mongo and execute following command:
    ankit:log-11213 ankit$ mongo
    MongoDB shell version: 3.0.5
    connecting to: test
    > db.auth("user","user")
    1
    > db.system.users.getIndexes()
    2015-09-18T11:01:15.116+0530 E QUERY Error: listIndexes failed: {
      "ok": 0,
      "errmsg": "not authorized on test to execute command { listIndexes: \"system.users\" }",
      "code": 13
    }
    at Error (<anonymous>)
    at DBCollection._getIndexesCommand (src/mongo/shell/collection.js:1019:15)
    at DBCollection.getIndexes (src/mongo/shell/collection.js:1026:20)
    at (shell):1:17 at src/mongo/shell/collection.js:1019
Notice the permission issue coming in 3.0.5 while it was working fine in 2.6.
Issue Links
- duplicates: SERVER-20460 listIndexes on 3.0 mongos with 2.6 mongods returns erroneous "not authorized" (Closed)
- is related to: SERVER-20460 listIndexes on 3.0 mongos with 2.6 mongods returns erroneous "not authorized" (Closed)