Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-26734

indexStats action is not sufficient privileges for $indexStats operator

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.2.13, 3.4.2, 3.5.2
    • Component/s: Querying, Security
    • Labels:
      None
    • Backwards Compatibility:
      Fully Compatible
    • Operating System:
      ALL
    • Backport Requested:
      v3.4, v3.2
    • Steps To Reproduce:
      Hide

      1) Create user "test" with "dbOwner" role on a database
      2) Use "test" user to create a role granting the "indexStats" action
      3) Use "test" user to grant role from step 2 to "test" user
      4) Attempt to use $indexStats on a collection

      Show
      1) Create user "test" with "dbOwner" role on a database 2) Use "test" user to create a role granting the "indexStats" action 3) Use "test" user to grant role from step 2 to "test" user 4) Attempt to use $indexStats on a collection
    • Sprint:
      Query 2017-01-23

      Description

      Per the $indexStats documentation (https://docs.mongodb.com/manual/reference/operator/aggregation/indexStats/) : "If running with access control, the user must have privileges that include indexStats action."

      A database user with "dbOwner" database privileges is able to grant themselves privileges which include the "indexStats" action in their respective database. These privileges do not allow the user to use the $indexStats aggregation operator.

      // connected with "test_user" to "roles" db
      db.getUser("test_user")
       
      // User is a dbOwner in the "roles" database:
      // {
      // 	"_id" : "roles.test_user",
      // 	"user" : "test_user",
      // 	"db" : "roles",
      // 	"roles" : [
      // 		{
      // 			"role" : "dbOwner",
      // 			"db" : "roles"
      // 		}
      // 	]
      // }
       
      // Create role granting indexStats action
      db.runCommand({ createRole: "index_stats_role",
        privileges: [
          { resource: { "db": "roles", "collection" : "" }, actions: [  "indexStats" ] },
        ],
        "roles" : []
      })
       
      // Grant role to user 
      db.grantRolesToUser( "test_user", [ { "role" : "index_stats_role", "db" : "roles" } ])
       
      db.getUser("test_user")
      // User now has the role with the "indexStats" action:
      // {
      // 	"_id" : "roles.test_user",
      // 	"user" : "test_user",
      // 	"db" : "roles",
      // 	"roles" : [
      // 		{
      // 			"role" : "index_stats_role",
      // 			"db" : "roles"
      // 		},
      // 		{
      // 			"role" : "dbOwner",
      // 			"db" : "roles"
      // 		}
      // 	]
      // }
       
      // Exiting and re-connect 
       
      // Try to execute $indexStats operator 
      db.names.aggregate([ { "$indexStats" : { } } ] )
       
      // Error: 
      // 
      // assert: command failed: {
      // 	"ok" : 0,
      // 	"errmsg" : "not authorized on test to execute command { aggregate: \"names\", pipeline: [ { $indexStats: {} } ], cursor: {} }",
      // 	"code" : 13
      // } : aggregate failed
      // Error: command failed: {
      // 	"ok" : 0,
      // 	"errmsg" : "not authorized on test to execute command { aggregate: \"names\", pipeline: [ { $indexStats: {} } ], cursor: {} }",
      // 	"code" : 13
      // } : aggregate failed
      //     at Error (<anonymous>)
      //     at doassert (src/mongo/shell/assert.js:11:14)
      //     at Function.assert.commandWorked (src/mongo/shell/assert.js:254:5)
      //     at DBCollection.aggregate (src/mongo/shell/collection.js:1278:12)
      //     at (shell):1:10
      // 2016-10-18T16:33:56.028-0700 E QUERY    Error: command failed: {
      // 	"ok" : 0,
      // 	"errmsg" : "not authorized on test to execute command { aggregate: \"names\", pipeline: [ { $indexStats: {} } ], cursor: {} }",
      // 	"code" : 13
      // } : aggregate failed
      //     at Error (<anonymous>)
      //     at doassert (src/mongo/shell/assert.js:11:14)
      //     at Function.assert.commandWorked (src/mongo/shell/assert.js:254:5)
      //     at DBCollection.aggregate (src/mongo/shell/collection.js:1278:12)
      //     at (shell):1:10 at src/mongo/shell/assert.js:13
      

      However, a database user with the built-in "clusterMonitor" role is able to use the operator, as it has the "indexStats" action (https://docs.mongodb.com/v3.2/reference/built-in-roles/#clusterMonitor).

      Can the "indexStats" action be assigned by itself, or must it be coupled with other actions? Ideally, I would like to be able to assign this privilege without offering all the permissions provided in the clusterMonitor role.

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                2 Vote for this issue
                Watchers:
                12 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: