Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-26734

indexStats action is not sufficient privileges for $indexStats operator

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.2.13, 3.4.2, 3.5.2
    • Component/s: Querying, Security
    • Labels:
      None
    • Backwards Compatibility:
      Fully Compatible
    • Operating System:
      ALL
    • Backport Requested:
      v3.4, v3.2
    • Steps To Reproduce:
      Hide

      1) Create user "test" with "dbOwner" role on a database
      2) Use "test" user to create a role granting the "indexStats" action
      3) Use "test" user to grant role from step 2 to "test" user
      4) Attempt to use $indexStats on a collection

      Show
      1) Create user "test" with "dbOwner" role on a database 2) Use "test" user to create a role granting the "indexStats" action 3) Use "test" user to grant role from step 2 to "test" user 4) Attempt to use $indexStats on a collection
    • Sprint:
      Query 2017-01-23

      Description

      Per the $indexStats documentation (https://docs.mongodb.com/manual/reference/operator/aggregation/indexStats/) : "If running with access control, the user must have privileges that include indexStats action."

      A database user with "dbOwner" database privileges is able to grant themselves privileges which include the "indexStats" action in their respective database. These privileges do not allow the user to use the $indexStats aggregation operator.

      // connected with "test_user" to "roles" db
      db.getUser("test_user")
       
      // User is a dbOwner in the "roles" database:
      // {
      // 	"_id" : "roles.test_user",
      // 	"user" : "test_user",
      // 	"db" : "roles",
      // 	"roles" : [
      // 		{
      // 			"role" : "dbOwner",
      // 			"db" : "roles"
      // 		}
      // 	]
      // }
       
      // Create role granting indexStats action
      db.runCommand({ createRole: "index_stats_role",
        privileges: [
          { resource: { "db": "roles", "collection" : "" }, actions: [  "indexStats" ] },
        ],
        "roles" : []
      })
       
      // Grant role to user 
      db.grantRolesToUser( "test_user", [ { "role" : "index_stats_role", "db" : "roles" } ])
       
      db.getUser("test_user")
      // User now has the role with the "indexStats" action:
      // {
      // 	"_id" : "roles.test_user",
      // 	"user" : "test_user",
      // 	"db" : "roles",
      // 	"roles" : [
      // 		{
      // 			"role" : "index_stats_role",
      // 			"db" : "roles"
      // 		},
      // 		{
      // 			"role" : "dbOwner",
      // 			"db" : "roles"
      // 		}
      // 	]
      // }
       
      // Exiting and re-connect 
       
      // Try to execute $indexStats operator 
      db.names.aggregate([ { "$indexStats" : { } } ] )
       
      // Error: 
      // 
      // assert: command failed: {
      // 	"ok" : 0,
      // 	"errmsg" : "not authorized on test to execute command { aggregate: \"names\", pipeline: [ { $indexStats: {} } ], cursor: {} }",
      // 	"code" : 13
      // } : aggregate failed
      // Error: command failed: {
      // 	"ok" : 0,
      // 	"errmsg" : "not authorized on test to execute command { aggregate: \"names\", pipeline: [ { $indexStats: {} } ], cursor: {} }",
      // 	"code" : 13
      // } : aggregate failed
      //     at Error (<anonymous>)
      //     at doassert (src/mongo/shell/assert.js:11:14)
      //     at Function.assert.commandWorked (src/mongo/shell/assert.js:254:5)
      //     at DBCollection.aggregate (src/mongo/shell/collection.js:1278:12)
      //     at (shell):1:10
      // 2016-10-18T16:33:56.028-0700 E QUERY    Error: command failed: {
      // 	"ok" : 0,
      // 	"errmsg" : "not authorized on test to execute command { aggregate: \"names\", pipeline: [ { $indexStats: {} } ], cursor: {} }",
      // 	"code" : 13
      // } : aggregate failed
      //     at Error (<anonymous>)
      //     at doassert (src/mongo/shell/assert.js:11:14)
      //     at Function.assert.commandWorked (src/mongo/shell/assert.js:254:5)
      //     at DBCollection.aggregate (src/mongo/shell/collection.js:1278:12)
      //     at (shell):1:10 at src/mongo/shell/assert.js:13
      

      However, a database user with the built-in "clusterMonitor" role is able to use the operator, as it has the "indexStats" action (https://docs.mongodb.com/v3.2/reference/built-in-roles/#clusterMonitor).

      Can the "indexStats" action be assigned by itself, or must it be coupled with other actions? Ideally, I would like to be able to assign this privilege without offering all the permissions provided in the clusterMonitor role.

        Issue Links

          Activity

          Hide
          ramon.fernandez Ramon Fernandez added a comment -

          Thanks for your report Adam, we're investigating.

          Show
          ramon.fernandez Ramon Fernandez added a comment - Thanks for your report Adam, we're investigating.
          Hide
          aharrison Adam Harrison added a comment -

          Hi Ramon,

          I just wanted to follow-up to see if you had any updates on this issue.

          Thanks!

          Adam

          Show
          aharrison Adam Harrison added a comment - Hi Ramon, I just wanted to follow-up to see if you had any updates on this issue. Thanks! Adam
          Hide
          thomas.schubert Thomas Schubert added a comment -

          Hi Adam Harrison,

          Sorry for the delay getting back to you. We're able to reproduce this bug and will update this ticket as we work towards a fix. The issue is that currently the privilege check to execute $indexStats requires global privilege to execute this command on any database. As you correctly identify, you currently would need to use the built-in role "clusterMonitor" to execute $indexStats.

          Kind regards,
          Thomas

          Show
          thomas.schubert Thomas Schubert added a comment - Hi Adam Harrison , Sorry for the delay getting back to you. We're able to reproduce this bug and will update this ticket as we work towards a fix. The issue is that currently the privilege check to execute $indexStats requires global privilege to execute this command on any database. As you correctly identify, you currently would need to use the built-in role "clusterMonitor" to execute $indexStats. Kind regards, Thomas
          Hide
          kyle.suarez Kyle Suarez added a comment -

          It appears that this was deliberately done as a part of SERVER-2227, though I agree we should fix it. Rather than requiring the indexStats action for all normal resources in AuthorizationSession::checkAuthForAggregate(), we should require it only for the target namespace of the aggregation.

          Show
          kyle.suarez Kyle Suarez added a comment - It appears that this was deliberately done as a part of SERVER-2227 , though I agree we should fix it. Rather than requiring the indexStats action for all normal resources in AuthorizationSession::checkAuthForAggregate() , we should require it only for the target namespace of the aggregation.
          Hide
          xgen-internal-githook Githook User added a comment -

          Author:

          {u'username': u'jameswahlin', u'name': u'James Wahlin', u'email': u'james.wahlin@10gen.com'}

          Message: SERVER-26734 indexStats action is not sufficient for $indexStats
          Branch: master
          https://github.com/mongodb/mongo/commit/67257272a057635640318842ea05b28e8499f71a

          Show
          xgen-internal-githook Githook User added a comment - Author: {u'username': u'jameswahlin', u'name': u'James Wahlin', u'email': u'james.wahlin@10gen.com'} Message: SERVER-26734 indexStats action is not sufficient for $indexStats Branch: master https://github.com/mongodb/mongo/commit/67257272a057635640318842ea05b28e8499f71a
          Hide
          xgen-internal-githook Githook User added a comment -

          Author:

          {u'username': u'jameswahlin', u'name': u'James Wahlin', u'email': u'james.wahlin@10gen.com'}

          Message: SERVER-26734 indexStats action is not sufficient for $indexStats

          (cherry picked from commit 67257272a057635640318842ea05b28e8499f71a)
          Branch: v3.4
          https://github.com/mongodb/mongo/commit/5dc3dac650f87a436fd6f8954bca581f9789f7f9

          Show
          xgen-internal-githook Githook User added a comment - Author: {u'username': u'jameswahlin', u'name': u'James Wahlin', u'email': u'james.wahlin@10gen.com'} Message: SERVER-26734 indexStats action is not sufficient for $indexStats (cherry picked from commit 67257272a057635640318842ea05b28e8499f71a) Branch: v3.4 https://github.com/mongodb/mongo/commit/5dc3dac650f87a436fd6f8954bca581f9789f7f9
          Hide
          xgen-internal-githook Githook User added a comment -

          Author:

          {u'username': u'ksuarz', u'name': u'Kyle Suarez', u'email': u'ksuarz@gmail.com'}

          Message: SERVER-26734 indexStats action is not sufficient for $indexStats
          Branch: v3.2
          https://github.com/mongodb/mongo/commit/8e1842875126b5dbefee425d764819e01aa5f67a

          Show
          xgen-internal-githook Githook User added a comment - Author: {u'username': u'ksuarz', u'name': u'Kyle Suarez', u'email': u'ksuarz@gmail.com'} Message: SERVER-26734 indexStats action is not sufficient for $indexStats Branch: v3.2 https://github.com/mongodb/mongo/commit/8e1842875126b5dbefee425d764819e01aa5f67a

            People

            • Votes:
              2 Vote for this issue
              Watchers:
              12 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                  Agile