Details
Type: Improvement
Resolution: Unresolved
Priority: Major - P3
Component: Server Security (copied to CRM)
Description
I am trying to create a user for my application which will inherit from the "read" role and will allow write operations, except for being able to create/drop collections and create/drop indexes.
The bug can be reproduced as follows.
Step 1 – Create a database and a collection using admin privileges.
    db name: intacct-db1
    collection name: col1 (insert some dummy data)
Step 2 – Create a role (this role inherits from the read role and then adds write operations, excluding add/drop collections and indexes):
    db.createRole({
      role: "Role-Intacct-App-ReadWrite-intacct-db1",
      privileges: [
        {
          resource: { db: "intacct-db1", collection: "" },
          actions: ["collStats", "convertToCapped", "dbHash", "dbStats", "find", "insert",
                    "killCursors", "listIndexes", "listCollections", "remove", "update"]
        }
      ],
      roles: ["read"]
    })
Step 3 – Create a user with this role.
    db.createUser({
      user: "intacct-app",
      pwd: "somepassword",
      roles: [
        { role: "Role-Intacct-App-ReadWrite-intacct-db1", db: "intacct-db1" },
        { role: "clusterMonitor", db: "admin" }
      ]
    })
Step 4 – Disconnect and reconnect using the user above.
Step 5 – Switch to the intacct-db1 database and create a new collection.
    use intacct-db1
    db.createCollection("col-name")
    show collections
This seems to be a bug. I specifically excluded the Create Collection privilege from the role!
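Added example, not part of the ticket or of MongoDB's own code: a small audit of the role above, written as plain Node.js so it runs offline. Two facts drive it. First, inserting into a collection that does not exist creates that collection, and MongoDB's create command accepts the insert action on the namespace as sufficient authorization, so a database-wide insert grant (collection: "") permits db.createCollection() regardless of whether createCollection is listed. Second, convertToCapped is the action the create command checks for capped collections. The role catalog below is constructed to stand in for the output of db.getRole("Role-Intacct-App-ReadWrite-intacct-db1", {showPrivileges: true}); the "read" entry is a trimmed approximation of the built-in role, not its exact definition. The last function shows the mitigation a least-privilege design would use: keep read actions database-wide but scope write actions to named collections, so no grant exists that can bring a new collection into being.

```javascript
"use strict";

// Actions whose grant on a namespace lets the holder create a collection.
// createCollection is the explicit one; insert does it implicitly (writing to a
// missing collection creates it, and the create command accepts insert as
// authorization); convertToCapped is what the create command checks for capped.
const COLLECTION_CREATING_ACTIONS = new Set(["createCollection", "insert", "convertToCapped"]);

// Write actions that a least-privilege role should pin to named collections
// rather than grant database-wide (collection: "").
const WRITE_ACTIONS = new Set(["insert", "update", "remove", "convertToCapped"]);

// Constructed catalog standing in for db.getRole(..., {showPrivileges: true}).
// The application role is the one from the ticket; "read" is an approximation.
const ROLE_CATALOG = {
  "intacct-db1.read": {
    role: "read", db: "intacct-db1", roles: [],
    privileges: [{
      resource: { db: "intacct-db1", collection: "" },
      actions: ["collStats", "dbHash", "dbStats", "find", "killCursors", "listIndexes", "listCollections"],
    }],
  },
  "intacct-db1.Role-Intacct-App-ReadWrite-intacct-db1": {
    role: "Role-Intacct-App-ReadWrite-intacct-db1", db: "intacct-db1",
    roles: [{ role: "read", db: "intacct-db1" }],
    privileges: [{
      resource: { db: "intacct-db1", collection: "" },
      actions: ["collStats", "convertToCapped", "dbHash", "dbStats", "find", "insert",
                "killCursors", "listIndexes", "listCollections", "remove", "update"],
    }],
  },
};

// Expand a privileges array into one {db, collection, action} record per action.
function flattenPrivileges(privileges) {
  const grants = [];
  for (const p of privileges) {
    for (const action of p.actions) {
      grants.push({ db: p.resource.db, collection: p.resource.collection, action });
    }
  }
  return grants;
}

// Every grant a role holds, including those inherited through its parent roles.
function effectiveGrants(db, role, catalog = ROLE_CATALOG, seen = new Set()) {
  const key = `${db}.${role}`;
  if (seen.has(key)) return [];            // guard against cyclic role graphs
  seen.add(key);
  const doc = catalog[key];
  if (!doc) throw new Error(`unknown role ${key}`);
  const grants = flattenPrivileges(doc.privileges);
  for (const r of doc.roles) grants.push(...effectiveGrants(r.db, r.role, catalog, seen));
  return grants;
}

// Grants that allow creating a collection. A record with collection "" means
// "any collection in the database", which is exactly the case in the ticket.
function collectionCreatingGrants(grants) {
  return grants.filter((g) => COLLECTION_CREATING_ACTIONS.has(g.action));
}

// Mitigation: rebuild the role so write actions apply only to the named
// collections while read-type actions stay database-wide. Returns a new
// createRole-style document and leaves the input untouched.
function scopeWritesToCollections(roleDoc, collections) {
  const privileges = [];
  for (const p of roleDoc.privileges) {
    const writes = p.actions.filter((a) => WRITE_ACTIONS.has(a));
    const reads = p.actions.filter((a) => !WRITE_ACTIONS.has(a));
    if (reads.length) privileges.push({ resource: { ...p.resource }, actions: reads });
    if (writes.length && p.resource.collection === "") {
      for (const c of collections) {
        privileges.push({ resource: { db: p.resource.db, collection: c }, actions: writes });
      }
    } else if (writes.length) {
      privileges.push({ resource: { ...p.resource }, actions: writes });
    }
  }
  return { role: roleDoc.role, privileges, roles: roleDoc.roles };
}

// Walk-through on the ticket's role: list the offending grants, then the fix.
const appRole = ROLE_CATALOG["intacct-db1.Role-Intacct-App-ReadWrite-intacct-db1"];
const offending = collectionCreatingGrants(effectiveGrants(appRole.db, appRole.role));
console.log("grants that permit collection creation:", offending);
console.log("scoped role:", JSON.stringify(scopeWritesToCollections(appRole, ["col1"]), null, 2));
```

Run it with node; the first line of output is the two database-wide grants (insert and convertToCapped) that explain why db.createCollection() succeeds for this user, and the second is a role definition in which those actions apply to col1 only. Before applying such a role, compare it against the live definition from db.getRole(..., {showPrivileges: true}) rather than against the constructed catalog here, since inherited roles can reintroduce the same grant.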