[SERVER-10794] For compatibility with old versions of the shell, db.addUser("user", "password") should create a super-user.
Created: 16/Sep/13  Updated: 30/Oct/15  Resolved: 11/Oct/13

Status: Closed
Project: Core Server
Component/s: Security, Shell
Affects Version/s: 2.5.2
Fix Version/s: 2.5.3

Type: Bug
Priority: Major - P3
Reporter: Andy Schwerin
Assignee: Spencer Brody (Inactive)
Resolution: Done
Votes: 1
Labels: None

Issue Links:
Depends: is depended on by DRIVERS-103 Manipulate user objects exclusively v... (Closed)
Duplicate: is duplicated by SERVER-10593 Expose built-in roles that can be use... (Closed)
Related: related to SERVER-6246 Manipulate user objects exclusively v... (Closed)
Backwards Compatibility: Minor Change
Operating System: ALL

 Description   

On databases other than "admin", db.addUser("user", "password") will be equivalent to:

db.addUser({user: "user", pwd: "password", roles: ["dbOwner"]})

The dbOwner builtin database role will be the union of the "dbAdmin", "readWrite" and "userAdmin" roles.

On databases other than "admin", db.addUser("user", "password", true) will be equivalent to:

db.addUser({user: "user", pwd: "password", roles: ["read"]})

The read builtin database role will be the same as existed in MongoDB 2.4 and prior.

On the "admin" database, db.addUser("user", "password") will be equivalent to:

db.addUser({user: "user", pwd: "password", roles: ["root"]})

The root builtin admin role will have extensive access, as in MongoDB 2.4.

On the "admin" database, db.addUser("user", "password", true) will be equivalent to:

db.addUser({user: "user", pwd: "password", roles: ["readAnyDatabase"]})

The readAnyDatabase role will have read access to any database. This is a reduction in privilege compared to MongoDB 2.4, which may be remediated through the use of user-defined roles.

Any use of these 2- and 3-argument forms of db.addUser() will cause the shell to display a warning message to the user, and may cause the server to write a warning message to the startupWarnings log and perhaps the diagnostic log, indicating that this form is deprecated, and will be removed in a future release of MongoDB.

There will be no db.addUser("user", "password", [roles]) form of the addUser command in 2.6.
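
The mapping described above, written out as an added JavaScript example (not code from this ticket or from the MongoDB shell). The function name translateLegacyAddUser, the warning strings, and the sample calls are assumptions made for illustration; the role names and the rejection of a roles array in the third position come from the description.

```javascript
// Added example: models the compatibility mapping described in SERVER-10794.
// translateLegacyAddUser is a hypothetical helper, not the shell's implementation.

// Role implied by the legacy forms, per the ticket description.
const LEGACY_ROLES = {
  admin: { full: "root", readOnly: "readAnyDatabase" },
  other: { full: "dbOwner", readOnly: "read" },
};

function translateLegacyAddUser(dbName, ...args) {
  const warnings = [];

  // Document form: roles are already explicit, so pass it through untouched.
  if (args.length === 1 && args[0] !== null && typeof args[0] === "object") {
    return { userDoc: args[0], deprecated: false, warnings };
  }

  const [user, pwd, third] = args;
  if (typeof user !== "string" || typeof pwd !== "string" || args.length > 3) {
    throw new TypeError("expected (userDoc) or (user, pwd[, readOnly])");
  }
  // The ticket states there is no (user, pwd, [roles]) form in 2.6.
  if (Array.isArray(third)) {
    throw new TypeError("a roles array is only accepted inside the document form");
  }

  const readOnly = Boolean(third);
  const table = dbName === "admin" ? LEGACY_ROLES.admin : LEGACY_ROLES.other;
  const role = readOnly ? table.readOnly : table.full;

  warnings.push("2- and 3-argument db.addUser() is deprecated; pass a user document");
  if (!readOnly) {
    // dbOwner includes userAdmin and root is broad: surface it for review.
    warnings.push(`grants "${role}" on "${dbName}": confirm this account needs it`);
  } else if (dbName === "admin") {
    warnings.push('"readAnyDatabase" is narrower than the 2.4 read-only admin user');
  }
  return { userDoc: { user, pwd, roles: [role] }, deprecated: true, warnings };
}

// Constructed sample calls (not taken from the ticket or its tests).
for (const [dbName, ...args] of [["test", "app", "pw"], ["admin", "ops", "pw", true]]) {
  const r = translateLegacyAddUser(dbName, ...args);
  console.log(dbName, JSON.stringify(r.userDoc.roles), r.warnings);
}
```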



 Comments   
Comment by auto [ 12/Oct/13 ]

Author: Spencer T Brody (stbrody, spencer@mongodb.com)

Message: SERVER-10794 Fix how initial user is added for auth passthrough tests
Branch: master
https://github.com/mongodb/mongo/commit/7d1097b8468e1ff753bb6dc3169fd1f09e1d3f61

Comment by auto [ 11/Oct/13 ]

Author: Spencer T Brody (stbrody, spencer@10gen.com)

Message: SERVER-10794 Maintain backwards-compatible form of addUser for one more release
Branch: master
https://github.com/mongodb/mongo/commit/f0c6cebd73410c711ff2fc1167f7bded692dad1e

Comment by Andy Schwerin [ 09/Oct/13 ]

Role names in this ticket are now finalized.

Comment by Andy Schwerin [ 16/Sep/13 ]

Role names in this ticket will be finalized in time for the 2.5.3 release.
