Core Server / SERVER-27755

Unable to change own password of non-admin user

Details

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • Security
    • ALL

      1. Create a role with changeOwnPassword privilege

      mongos> db.getRole("changeOwnPasswordRole",{showPrivileges:true})
      {
              "role" : "changeOwnPasswordRole",
              "db" : "admin",
              "isBuiltin" : false,
              "roles" : [ ],
              "inheritedRoles" : [ ],
              "privileges" : [
                      {
                              "resource" : {
                                      "cluster" : true
                              },
                              "actions" : [
                                      "changeOwnPassword"
                              ]
                      }
              ],
              "inheritedPrivileges" : [
                      {
                              "resource" : {
                                      "cluster" : true
                              },
                              "actions" : [
                                      "changeOwnPassword"
                              ]
                      }
              ]
      }
      mongos>

      2. Grant the role to the non-admin read-only user

      mongos> db.getUser("sdutta")
      {
              "_id" : "admin.sdutta",
              "user" : "sdutta",
              "db" : "admin",
              "roles" : [
                      {
                              "role" : "changeOwnPasswordRole",
                              "db" : "admin"
                      },
                      {
                              "role" : "readAnyDatabase",
                              "db" : "admin"
                      }
              ]
      }

      3. Try to change the password after logging in as sdutta

      mongos> db.changeUserPassword("sdutta","test2")
      Thanks!


    Description

      1. I created a role with changeOwnPassword privilege

      mongos> db.getRole("changeOwnPasswordRole",{showPrivileges:true})
      {
              "role" : "changeOwnPasswordRole",
              "db" : "admin",
              "isBuiltin" : false,
              "roles" : [ ],
              "inheritedRoles" : [ ],
              "privileges" : [
                      {
                              "resource" : {
                                      "cluster" : true
                              },
                              "actions" : [
                                      "changeOwnPassword"
                              ]
                      }
              ],
              "inheritedPrivileges" : [
                      {
                              "resource" : {
                                      "cluster" : true
                              },
                              "actions" : [
                                      "changeOwnPassword"
                              ]
                      }
              ]
      }
      mongos>

      2. I granted the role to a non-admin read-only user

      mongos> db.getUser("sdutta")
      {
              "_id" : "admin.sdutta",
              "user" : "sdutta",
              "db" : "admin",
              "roles" : [
                      {
                              "role" : "changeOwnPasswordRole",
                              "db" : "admin"
                      },
                      {
                              "role" : "readAnyDatabase",
                              "db" : "admin"
                      }
              ]
      }
      

      3. Tried to change password without luck. I hope it’s not expecting readWrite.

      mongos> db.changeUserPassword("sdutta","test2")
      2017-01-17T18:38:29.078-0500 E QUERY    [thread1] Error: Updating user failed: not authorized on admin to execute command { updateUser: "sdutta", pwd: "xxx", writeConcern: { w: "majority", wtimeout: 30000.0 }, digestPassword: false } :
      _getErrorWithCode src/mongo/shell/utils.js:25:13
      DB.prototype.updateUser src/mongo/shell/db.js:1319:15
      DB.prototype.changeUserPassword src/mongo/shell/db.js:1323:9
      @(shell):1:1
      

      BTW, we are using the following versions:

      MongoDB shell version: 3.2.5

      MongoS version 3.2.5
      git version: 34e65e5383f7ea1726332cb175b73077ec4a1b02
      OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013

      Thanks!
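      A role audit along the lines of what this report exercises, added here as an example and not code from the ticket or from MongoDB: it takes a role document in the shape `db.getRole(name, {showPrivileges: true})` returns and flags actions that are bound to a resource kind they do not apply to. The expected-kind table is a small subset drawn from MongoDB's privilege-action documentation, where the user-management actions (changeOwnPassword among them) apply to database resources rather than the cluster resource; the ticket does not record its resolution, so this is a check a practitioner can run over their own roles, not the ticket's fix. The `correctedRole` definition, with the privilege attached to `{ db: "", collection: "" }`, is this example's assumption, following the shape MongoDB's documentation uses for a self-service password role; confirm it against the docs for your version.

```javascript
// Added example (not MongoDB's code, not from the ticket): audit a role document,
// in the shape db.getRole(name, {showPrivileges: true}) returns, for actions that
// are bound to a resource kind they do not apply to. Such a mismatch does not
// widen access; it fails closed with a "not authorized" error, as the report shows.

// Partial table, taken from MongoDB's privilege-action documentation:
// user-management actions apply to database resources, the two sharding
// actions listed apply to the cluster resource. Extend it for your deployment.
const EXPECTED_KIND = {
  changeOwnPassword: "database",
  changeOwnCustomData: "database",
  changePassword: "database",
  changeCustomData: "database",
  createUser: "database",
  dropUser: "database",
  addShard: "cluster",
  listShards: "cluster",
};

// Classify a privilege's resource document: { cluster: true },
// { anyResource: true }, or a { db, collection } pair (database-level resource).
function resourceKind(resource) {
  if (!resource || typeof resource !== "object") return "unknown";
  if (resource.cluster === true) return "cluster";
  if (resource.anyResource === true) return "anyResource";
  if (typeof resource.db === "string" && typeof resource.collection === "string") {
    return "database";
  }
  return "unknown";
}

// Return one finding per (privilege, action) whose resource kind differs from
// the kind the action is documented to apply to. Actions not in the table are skipped.
function misplacedActions(roleDoc) {
  const findings = [];
  for (const priv of roleDoc.privileges || []) {
    const boundTo = resourceKind(priv.resource);
    for (const action of priv.actions || []) {
      const expected = EXPECTED_KIND[action];
      if (expected !== undefined && expected !== boundTo) {
        findings.push({ role: roleDoc.role, db: roleDoc.db, action, boundTo, expected });
      }
    }
  }
  return findings;
}

// Audit a list of role documents, e.g. the result of db.getRoles({showPrivileges: true}).
function auditRoles(roleDocs) {
  return roleDocs.flatMap(misplacedActions);
}

// The role as the report shows it: changeOwnPassword bound to the cluster resource.
const reportedRole = {
  role: "changeOwnPasswordRole",
  db: "admin",
  isBuiltin: false,
  roles: [],
  inheritedRoles: [],
  privileges: [{ resource: { cluster: true }, actions: ["changeOwnPassword"] }],
};

// Assumed corrected definition for this example: the same action attached to a
// database resource, using the { db: "", collection: "" } shape MongoDB's docs
// use for a self-service password role. Verify against the docs for your version.
const correctedRole = {
  role: "changeOwnPasswordRole",
  db: "admin",
  isBuiltin: false,
  roles: [],
  inheritedRoles: [],
  privileges: [{ resource: { db: "", collection: "" }, actions: ["changeOwnPassword"] }],
};

// Stand-alone run under node prints the findings; in the mongo shell `require`
// is undefined, so the guard keeps the functions loadable there too.
if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditRoles([reportedRole, correctedRole]), null, 2));
}
```

      Run under node, `misplacedActions(reportedRole)` returns a single finding (changeOwnPassword bound to "cluster", expected "database") and `misplacedActions(correctedRole)` returns none. Loaded into the mongo shell, the same functions can be applied to every document returned by `db.getRoles({showPrivileges: true})` from the admin database to catch this class of misconfiguration before a user hits the authorization error.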

      People

        Mark Agarunov (mark.agarunov)
        Sumanta Dutta (suduttaus)