Core Server: SERVER-34822

RoleGraph update should ignore index creation on non-role collections

    • Type: Bug
    • Resolution: Fixed
    • Priority: Critical - P2
    • Fix Version/s: 3.6.6, 4.0.0-rc5, 4.1.1
    • Affects Version/s: None
    • Component/s: Security
    • Labels: (none)
    • Backwards Compatibility: Fully Compatible
    • Operating System: ALL
    • Backport Requested: v4.0, v3.6
    • Sprint: Platforms 2018-06-04

      1. Create a replica set.
      2. Create a collection on the admin database.
      3. Create a role which inherits from other roles.
      4. Grant the role to a user.
      5. Create an index on the collection using the createIndex command.
      6. Connect to a secondary and authenticate as the user.

      The user will have no privileges granted from transitively inherited roles. The secondary will include the following statement in its logs:

      2018-05-03T14:21:50.795-0400 E ACCESS   [repl writer worker 1] Unsupported modification to roles collection in oplog; restart this process to reenable user-defined roles; OplogOperationUnsupported: Unsupported oplog operation; Oplog entry: { op: "c", ns: "admin.$cmd", o: { createIndexes: "col", v: 2, key: { data: 1.0 }, name: "data_1" } }

      The RoleGraph update procedure observes a command against the admin database that it does not understand and, as a result, disables role transitivity on that node, so users silently lose every privilege they hold only through inherited roles. It should be taught that createIndex (the createIndexes command) on a collection other than system.roles cannot change role definitions and is safe to ignore.
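      To make the defect concrete, here is an added model (not MongoDB's code) of the oplog-entry classification described above, with the buggy rule beside the corrected one. The class and function names are hypothetical, and the choice to keep index creation on system.roles itself as unsupported is a conservative assumption, not something the issue states.

```python
# Added example, not MongoDB's code: a simplified model of how a secondary's
# RoleGraph updater classifies oplog entries. Names here are hypothetical.
from dataclasses import dataclass, field
from typing import List

ROLES_NS = "admin.system.roles"


def classify(entry: dict, fixed: bool) -> str:
    """Return 'apply' (roles collection changed), 'ignore', or 'unsupported'."""
    op, ns, body = entry["op"], entry["ns"], entry["o"]
    if ns.split(".", 1)[0] != "admin":
        return "ignore"                 # system.roles lives only in admin
    if op in ("i", "u", "d"):           # plain writes: only the roles collection matters
        return "apply" if ns == ROLES_NS else "ignore"
    if op == "c":                       # commands are logged against admin.$cmd
        cmd = next(iter(body))          # first key is the command name
        target = body[cmd]              # collection the command acts on
        # The SERVER-34822 fix: index creation on a collection other than
        # system.roles cannot change role definitions, so it is safe to skip.
        if fixed and cmd == "createIndexes" and target != "system.roles":
            return "ignore"
    return "unsupported"                # anything else disables role inheritance


@dataclass
class RoleGraphState:
    fixed: bool
    transitivity_enabled: bool = True
    log: List[str] = field(default_factory=list)

    def observe(self, entry: dict) -> str:
        verdict = classify(entry, self.fixed)
        if verdict == "unsupported":
            # Mirrors the page's log line: the node gives up on inherited roles.
            self.transitivity_enabled = False
            self.log.append("E ACCESS Unsupported modification to roles collection "
                            f"in oplog; restart this process to reenable user-defined roles; {entry}")
        return verdict


# Constructed oplog entry matching the one quoted in the issue.
CREATE_INDEX_ENTRY = {"op": "c", "ns": "admin.$cmd",
                      "o": {"createIndexes": "col", "v": 2, "key": {"data": 1.0}, "name": "data_1"}}


def simulate(fixed: bool) -> RoleGraphState:
    """Replay the issue's oplog entry on a buggy (fixed=False) or patched secondary."""
    state = RoleGraphState(fixed=fixed)
    state.observe(CREATE_INDEX_ENTRY)
    return state
```

      On a monitored deployment, the "Unsupported modification to roles collection in oplog" message is the signal to alert on, since the affected secondary keeps serving authentication with degraded privileges until it is restarted.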

            Assignee / Reporter: Spencer Jackson (spencer.jackson@mongodb.com)