Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-38545

Inconsistency between different roles when inserting to system.js with bypassDocumentValidation=true

    • Type: Icon: Bug Bug
    • Resolution: Works as Designed
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Affects Version/s: None
    • Component/s: None
    • Labels:
      None
    • ALL
    • Hide
      1. Create two users: one with role restore, one with role readWriteAnyDatabase.
      2. Attempt to run an insert on system.js with bypassDocumentValidation=true on each user
      3. If auth is enabled, one should succeed, and the other will fail.
      > db.createUser({user: "ted", pwd: "ted", roles: [{role: "root", db: "admin"}]})
      Successfully added user: {
              "user" : "ted",
              "roles" : [
                      {
                              "role" : "root",
                              "db" : "admin"
                      }
              ]
      }
      > db.auth("ted", "ted")
      1
      > db.createUser({user: "dave", pwd: "dave", roles: [{role: "restore", db: "admin"}]})db.createUser({user: "pj", pwd: "pj", roles: [{role: "readWriteAnyDatabase", db: "admin"}]})Successfully added user: {
              "user" : "dave",
              "roles" : [
                      {
                              "role" : "restore",
                              "db" : "admin"
                      }
              ]
      }
      > 
      dbdb.createUser({user: "pj", pwd: "pj", roles: [{role: "readWriteAnyDatabase", db: "admin"}]})
      Successfully added user: {
              "user" : "pj",
              "roles" : [
                      {
                              "role" : "readWriteAnyDatabase",
                              "db" : "admin"
                      }
              ]
      }
      > db.auth("dave","dave")
      1
      > use test
      switched to db test
      > db.runCommand({insert:"system.js", documents:[{_id:"func2", value:function(k){return k;}}], bypassDocumentValidation: true})
      { "n" : 1, "ok" : 1 }
      > use admin
      switched to db admin
      > db.auth("pj","pj")
      1
      > use test
      switched to db test
      > db.runCommand({insert:"system.js", documents:[{_id:"func3", value:function(k){return k;}}], bypassDocumentValidation: true})
      {
              "ok" : 0,
              "errmsg" : "not authorized on test to execute command { insert: \"system.js\", bypassDocumentValidation: true, lsid: { id: UUID(\"993eb0b0-3859-4113-9829-03cdbd30db3d\") }, $db: \"test\" }",
              "code" : 13,
              "codeName" : "Unauthorized"
      }
      
      
      Show
      Create two users: one with role restore, one with role readWriteAnyDatabase. Attempt to run an insert on system.js with bypassDocumentValidation=true on each user If auth is enabled, one should succeed, and the other will fail. > db.createUser({user: "ted" , pwd: "ted" , roles: [{role: "root" , db: "admin" }]}) Successfully added user: { "user" : "ted" , "roles" : [ { "role" : "root" , "db" : "admin" } ] } > db.auth( "ted" , "ted" ) 1 > db.createUser({user: "dave" , pwd: "dave" , roles: [{role: "restore" , db: "admin" }]})db.createUser({user: "pj" , pwd: "pj" , roles: [{role: "readWriteAnyDatabase" , db: "admin" }]})Successfully added user: { "user" : "dave" , "roles" : [ { "role" : "restore" , "db" : "admin" } ] } > dbdb.createUser({user: "pj" , pwd: "pj" , roles: [{role: "readWriteAnyDatabase" , db: "admin" }]}) Successfully added user: { "user" : "pj" , "roles" : [ { "role" : "readWriteAnyDatabase" , "db" : "admin" } ] } > db.auth( "dave" , "dave" ) 1 > use test switched to db test > db.runCommand({insert: "system.js" , documents:[{_id: "func2" , value:function(k){ return k;}}], bypassDocumentValidation: true }) { "n" : 1, "ok" : 1 } > use admin switched to db admin > db.auth( "pj" , "pj" ) 1 > use test switched to db test > db.runCommand({insert: "system.js" , documents:[{_id: "func3" , value:function(k){ return k;}}], bypassDocumentValidation: true }) { "ok" : 0, "errmsg" : "not authorized on test to execute command { insert: \" system.js\ ", bypassDocumentValidation: true , lsid: { id: UUID(\" 993eb0b0-3859-4113-9829-03cdbd30db3d\ ") }, $db: \" test\ " }" , "code" : 13, "codeName" : "Unauthorized" }
    • Security 2018-12-31

      With different roles it is possible to either insert to system.js with bypassDocumentValidation=true or get an auth error. If a user with restore inserts it is fine, but readWrite fails. The reason for closing the linked ticket (original report and description of this bug) does not address the inconsistency.

            Assignee:
            jonathan.reams@mongodb.com Jonathan Reams
            Reporter:
            ted.tuckman@mongodb.com Ted Tuckman
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: