Type: Bug
Resolution: Done
Priority: Major - P3
Affects Version/s: None
Component/s: Security
1. I created a role with the changeOwnPassword privilege.
mongos> db.getRole("changeOwnPasswordRole",{showPrivileges:true})
{
  "role" : "changeOwnPasswordRole",
  "db" : "admin",
  "isBuiltin" : false,
  "roles" : [ ],
  "inheritedRoles" : [ ],
  "privileges" : [
    {
      "resource" : {
        "cluster" : true
      },
      "actions" : [
        "changeOwnPassword"
      ]
    }
  ],
  "inheritedPrivileges" : [
    {
      "resource" : {
        "cluster" : true
      },
      "actions" : [
        "changeOwnPassword"
      ]
    }
  ]
}
mongos>
2. I granted the role to a non-admin read-only user.
mongos> db.getUser("sdutta")
{
  "_id" : "admin.sdutta",
  "user" : "sdutta",
  "db" : "admin",
  "roles" : [
    {
      "role" : "changeOwnPasswordRole",
      "db" : "admin"
    },
    {
      "role" : "readAnyDatabase",
      "db" : "admin"
    }
  ]
}
3. Tried to change the password without luck. I hope it’s not expecting readWrite.
mongos> db.changeUserPassword("sdutta","test2")
2017-01-17T18:38:29.078-0500 E QUERY [thread1] Error: Updating user failed: not authorized on admin to execute command { updateUser: "sdutta", pwd: "xxx", writeConcern: { w: "majority", wtimeout: 30000.0 }, digestPassword: false } :
_getErrorWithCode src/mongo/shell/utils.js:25:13
DB.prototype.updateUser src/mongo/shell/db.js:1319:15
DB.prototype.changeUserPassword src/mongo/shell/db.js:1323:9
@(shell):1:1
BTW, we are using the following versions:
MongoDB shell version: 3.2.5
MongoS version 3.2.5
git version: 34e65e5383f7ea1726332cb175b73077ec4a1b02
OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
Thanks!