Core Server / SERVER-34822

RoleGraph update should ignore index creation on non-role collections

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical - P2
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.6.6, 4.0.0-rc5, 4.1.1
    • Component/s: Security
    • Labels:
    • Backwards Compatibility:
      Fully Compatible
    • Operating System:
      ALL
    • Backport Requested:
      v4.0, v3.6
    • Sprint:
      Platforms 2018-06-04
    • Case:

      Description

      Create a replicaset. Create a collection on the admin database. Create a role which inherits from other roles. Grant the role to a user. Create an index on the collection using the createIndex command. Connect to a secondary, and authenticate as the user. The user will have no privileges granted from transitively inherited roles. The secondary will include the following statement in its logs:

      2018-05-03T14:21:50.795-0400 E ACCESS   [repl writer worker 1] Unsupported modification to roles collection in oplog; restart this process to reenable user-defined roles; OplogOperationUnsupported: Unsupported oplog operation; Oplog entry: { op: "c", ns: "admin.$cmd", o: { createIndexes: "col", v: 2, key: { data: 1.0 }, name: "data_1" } }

      The RoleGraph update procedure observes a command affecting the admin database which it doesn't understand. As a result, it disables role transitivity. It should be taught that createIndex on a collection other than system.roles is safe.
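A log check for the condition described above, as an added example (not code from this issue or from the MongoDB project): it scans mongod log lines for the role-graph error and flags entries whose oplog command is a `createIndexes` in the admin database on a collection other than system.roles. It assumes each log entry sits on one line; the sample lines other than the one quoted in this issue are constructed.

```python
import re

# Message text as it appears in the log line quoted in this issue.
MARKER = "Unsupported modification to roles collection in oplog"
# Extracts op type, namespace, command name and target collection from the
# shell-style oplog dump that follows "Oplog entry:".
ENTRY_RE = re.compile(
    r'Oplog entry: \{ op: "(?P<op>\w+)", ns: "(?P<ns>[^"]+)", '
    r'o: \{ (?P<cmd>\w+): "(?P<target>[^"]+)"'
)

SAMPLE_LOG = [
    # Constructed: unrelated line.
    "2018-05-03T14:21:49.100-0400 I NETWORK  [conn12] end connection",
    # The line from this issue, on one line.
    '2018-05-03T14:21:50.795-0400 E ACCESS   [repl writer worker 1] '
    'Unsupported modification to roles collection in oplog; restart this '
    'process to reenable user-defined roles; OplogOperationUnsupported: '
    'Unsupported oplog operation; Oplog entry: { op: "c", ns: "admin.$cmd", '
    'o: { createIndexes: "col", v: 2, key: { data: 1.0 }, name: "data_1" } }',
    # Constructed variant targeting system.roles, to exercise the other branch.
    '2018-05-03T14:22:10.001-0400 E ACCESS   [repl writer worker 2] '
    'Unsupported modification to roles collection in oplog; Oplog entry: '
    '{ op: "c", ns: "admin.$cmd", o: { createIndexes: "system.roles", v: 2 } }',
]


def classify(line):
    """Return None for unrelated lines, else a dict describing the event."""
    if MARKER not in line:
        return None
    event = {"timestamp": line.split(" ", 1)[0], "command": None,
             "target": None, "matches_server_34822": False}
    m = ENTRY_RE.search(line)
    if m:  # entry could be parsed; otherwise the event is reported as-is
        event["command"] = m.group("cmd")
        event["target"] = m.group("ns").split(".", 1)[0] + "." + m.group("target")
        # The case in this issue: createIndexes in the admin database on a
        # collection other than system.roles.
        event["matches_server_34822"] = (
            m.group("op") == "c" and m.group("ns") == "admin.$cmd"
            and m.group("cmd") == "createIndexes"
            and m.group("target") != "system.roles")
    return event


def scan(lines):
    """Classify every line and keep only role-graph failure events."""
    return [e for e in map(classify, lines) if e is not None]
```

Any event returned by `scan` means the secondary that wrote it has disabled user-defined role inheritance until it is restarted, as the log message itself states.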

            People

            Assignee:
            spencer.jackson Spencer Jackson
            Reporter:
            spencer.jackson Spencer Jackson