[DOCS-1469] Clarify that although userAdmin is "effectively" a super-user, it can still be unauthorized Created: 01/May/13  Updated: 30/Oct/23  Resolved: 10/May/13

Status: Closed
Project: Documentation
Component/s: manual
Affects Version/s: mongodb-2.4
Fix Version/s: Server_Docs_20231030

Type: Improvement Priority: Major - P3
Reporter: Spencer Brody (Inactive) Assignee: Sam Kleinman (Inactive)
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


Description

userAdmin/userAdminAnyDatabase are like super-users because they can be used to grant yourself any privilege. But if you only have userAdmin, but haven't granted yourself readWrite (for example), you still won't be able to read or write data.

Comments
Comment by Spencer Brody (Inactive) [ 10/May/13 ]

That looks much better - thanks samk! I do however still think we use userAdmin and userAdminAnyDatabase quite interchangeably and we should be clearer about the distinction. "userAdmin" on the admin database is effectively the same as userAdminAnyDatabase, b/c that user could grant themselves userAdminAnyDatabase. "userAdmin" on a non-admin db, however, is different as it can only be used to grant db-level privileges.

Comment by auto [ 10/May/13 ]

Author: Sam Kleinman <samk@10gen.com> (2013-05-10T20:28:19Z)

Message: DOCS-1469: clean up superuser language on auth tutorial
Branch: master
https://github.com/mongodb/docs/commit/8cc63d2445004ab7ab3d650cc9c0bce6209c2ec7

Comment by auto [ 09/May/13 ]

Author: Sam Kleinman <samk@10gen.com> (2013-05-09T22:37:56Z)

Message: DOCS-1469: clarification about userAdmin role
Branch: master
https://github.com/mongodb/docs/commit/6bef4e33790212cb9fec2b366bbb06e5c57ae192

Comment by auto [ 09/May/13 ]

Author: Sam Kleinman <samk@10gen.com> (2013-05-09T16:52:38Z)

Message: DOCS-1469: adding note about authentication to mongostat
Branch: master
https://github.com/mongodb/docs/commit/80311292b3cc96dd4e9a2096441aa647fe5fd988

Comment by Spencer Brody (Inactive) [ 06/May/13 ]

Just to be clear, those roles can only be granted to user documents in the admin database, but that doesn't mean you have to be authenticating to the admin database. You could have a user named "user" defined in database "test" be granted one of those roles via a user document in the "admin" database with username "user" and userSource "test". To authenticate as that user, you'd need to authenticate to the "test" database.

Comment by David Hows [ 06/May/13 ]

We should also clarify which privileges will work with which databases and how those mechanisms work.

As it stands in 2.4 the readAnyDatabase/readWriteAnyDatabase/userAdminAnyDatabase/dbAdminAnyDatabase/clusterAdmin roles are only accessible when you authenticate to admin.

There is a matrix of permissions of sorts within the code here to help show which users can authenticate to admin only.

Comment by Spencer Brody (Inactive) [ 03/May/13 ]

I just saw the http://docs.mongodb.org/manual/tutorial/add-user-administrator/ page for the first time. I think this whole page needs to be reworked to stop referring to userAdmin as a superuser. Even with a note saying that that doesn't mean the userAdmin can actually run anything, the language on this page is very misleading as the word "superuser" is used all over and even clarifying what we mean when we say superuser won't change the pre-conceived idea of what "superuser" means to most people. We should use language like "user manager, user manipulator, role grantor, etc" rather than saying "superuser" at all. We could then say that this makes this role "effectively" a super user because it can be used to grant any permission to yourself, but that it cannot actually do anything other than manage users without having the other roles as well.

Also, we should be careful whenever talking about "userAdmin" (as opposed to "userAdminAnyDatabase") to be clear that it is only the user manager for the database it is declared on. "userAdmin" on the "test" database is in no way a superuser for the whole system.
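The scoping discussed in the description and in the comments above (userAdmin on a non-admin database can only grant database-level roles, while userAdmin on admin can grant itself userAdminAnyDatabase), as a small Python model added here for illustration. It is not MongoDB's authorization code: the role-to-action sets are a constructed subset, the model assumes the *AnyDatabase roles only take effect for a user authenticated to admin, and it ignores userSource delegation.

```python
from dataclasses import dataclass, field
# Constructed, reduced action sets for the 2.4 role names used in this issue.
DB_ROLES = {
    "read": {"find"},
    "readWrite": {"find", "insert", "update", "remove"},
    "userAdmin": {"addUser", "removeUser", "viewUsers"},
}
# Cluster-wide variants; assumed to apply only when authenticated to admin.
ANY_DB_ROLES = {name + "AnyDatabase": acts for name, acts in DB_ROLES.items()}
@dataclass
class User:
    name: str
    auth_db: str                               # database the user authenticated to
    roles: dict = field(default_factory=dict)  # db name -> set of roles held there

def authorized(user, db, action):
    """True if `user` may perform `action` on database `db`."""
    actions = set()
    for role in user.roles.get(db, ()):        # roles from the user document in `db`
        actions |= DB_ROLES.get(role, set())
    if user.auth_db == "admin":                # *AnyDatabase roles need admin auth
        for role in user.roles.get("admin", ()):
            actions |= ANY_DB_ROLES.get(role, set())
    return action in actions

def grant(granter, db, target, role):
    """Model `granter` adding `role` on `db` to `target`'s user document."""
    if not authorized(granter, db, "addUser"):
        raise PermissionError(f"{granter.name} cannot manage users on {db!r}")
    if role in ANY_DB_ROLES and db != "admin":
        raise ValueError(f"{role} can only be held in the admin database")
    target.roles.setdefault(db, set()).add(role)

def db_level_walkthrough():
    # userAdmin on 'test': may self-grant readWrite there, but reaches nothing in admin.
    u = User("alice", auth_db="test", roles={"test": {"userAdmin"}})
    before = authorized(u, "test", "find")               # False: no data access yet
    grant(u, "test", u, "readWrite")                     # allowed: user manager of 'test'
    after = authorized(u, "test", "find")                # True
    try:
        grant(u, "admin", u, "userAdminAnyDatabase")     # PermissionError
        reached_admin = True
    except PermissionError:
        reached_admin = False
    return before, after, reached_admin

def admin_level_walkthrough():
    # userAdmin on 'admin' is effectively cluster-wide because it can self-grant.
    u = User("bob", auth_db="admin", roles={"admin": {"userAdmin"}})
    before = authorized(u, "test", "addUser")            # False
    grant(u, "admin", u, "userAdminAnyDatabase")         # allowed
    return before, authorized(u, "test", "addUser")      # (False, True)
```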

Generated at Thu Feb 08 07:41:05 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.