Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-26734

indexStats action is not sufficient privileges for $indexStats operator

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Major - P3
    • Resolution: Fixed
    • None
    • 3.2.13, 3.4.2, 3.5.2
    • Querying, Security
    • None
    • Fully Compatible
    • ALL
    • v3.4, v3.2
    • Hide

      1) Create user "test" with "dbOwner" role on a database
      2) Use "test" user to create a role granting the "indexStats" action
      3) Use "test" user to grant role from step 2 to "test" user
      4) Attempt to use $indexStats on a collection

      Show
      1) Create user "test" with "dbOwner" role on a database 2) Use "test" user to create a role granting the "indexStats" action 3) Use "test" user to grant role from step 2 to "test" user 4) Attempt to use $indexStats on a collection
    • Query 2017-01-23

    Description

      Per the $indexStats documentation (https://docs.mongodb.com/manual/reference/operator/aggregation/indexStats/) : "If running with access control, the user must have privileges that include indexStats action."

      A database user with "dbOwner" database privileges is able to grant themselves privileges which include the "indexStats" action in their respective database. These privileges do not allow the user to use the $indexStats aggregation operator.

      // connected with "test_user" to "roles" db
      db.getUser("test_user")
       
      // User is a dbOwner in the "roles" database:
      // {
      // 	"_id" : "roles.test_user",
      // 	"user" : "test_user",
      // 	"db" : "roles",
      // 	"roles" : [
      // 		{
      // 			"role" : "dbOwner",
      // 			"db" : "roles"
      // 		}
      // 	]
      // }
       
      // Create role granting indexStats action
      db.runCommand({ createRole: "index_stats_role",
        privileges: [
          { resource: { "db": "roles", "collection" : "" }, actions: [  "indexStats" ] },
        ],
        "roles" : []
      })
       
      // Grant role to user 
      db.grantRolesToUser( "test_user", [ { "role" : "index_stats_role", "db" : "roles" } ])
       
      db.getUser("test_user")
      // User now has the role with the "indexStats" action:
      // {
      // 	"_id" : "roles.test_user",
      // 	"user" : "test_user",
      // 	"db" : "roles",
      // 	"roles" : [
      // 		{
      // 			"role" : "index_stats_role",
      // 			"db" : "roles"
      // 		},
      // 		{
      // 			"role" : "dbOwner",
      // 			"db" : "roles"
      // 		}
      // 	]
      // }
       
      // Exiting and re-connect 
       
      // Try to execute $indexStats operator 
      db.names.aggregate([ { "$indexStats" : { } } ] )
       
      // Error: 
      // 
      // assert: command failed: {
      // 	"ok" : 0,
      // 	"errmsg" : "not authorized on test to execute command { aggregate: \"names\", pipeline: [ { $indexStats: {} } ], cursor: {} }",
      // 	"code" : 13
      // } : aggregate failed
      // Error: command failed: {
      // 	"ok" : 0,
      // 	"errmsg" : "not authorized on test to execute command { aggregate: \"names\", pipeline: [ { $indexStats: {} } ], cursor: {} }",
      // 	"code" : 13
      // } : aggregate failed
      //     at Error (<anonymous>)
      //     at doassert (src/mongo/shell/assert.js:11:14)
      //     at Function.assert.commandWorked (src/mongo/shell/assert.js:254:5)
      //     at DBCollection.aggregate (src/mongo/shell/collection.js:1278:12)
      //     at (shell):1:10
      // 2016-10-18T16:33:56.028-0700 E QUERY    Error: command failed: {
      // 	"ok" : 0,
      // 	"errmsg" : "not authorized on test to execute command { aggregate: \"names\", pipeline: [ { $indexStats: {} } ], cursor: {} }",
      // 	"code" : 13
      // } : aggregate failed
      //     at Error (<anonymous>)
      //     at doassert (src/mongo/shell/assert.js:11:14)
      //     at Function.assert.commandWorked (src/mongo/shell/assert.js:254:5)
      //     at DBCollection.aggregate (src/mongo/shell/collection.js:1278:12)
      //     at (shell):1:10 at src/mongo/shell/assert.js:13
      

      However, a database user with the built-in "clusterMonitor" role is able to use the operator, as it has the "indexStats" action (https://docs.mongodb.com/v3.2/reference/built-in-roles/#clusterMonitor).

      Can the "indexStats" action be assigned by itself, or must it be coupled with other actions? Ideally, I would like to be able to assign this privilege without offering all the permissions provided in the clusterMonitor role.

      Attachments

        Issue Links

          Activity

            People

              james.wahlin@mongodb.com James Wahlin
              adamaharrison@gmail.com Adam Harrison
              Votes:
              2 Vote for this issue
              Watchers:
              10 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: