[SERVER-11022] Better error message when do db.system.users.insert( {...})
Created: 03/Oct/13  Updated: 29/Oct/15  Resolved: 29/Oct/15

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Improvement
Priority: Minor - P4
Reporter: Matt Kalan
Assignee: Andreas Nilsson
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

 Description   

In 2.5.2, it looks like someone with a userAdmin role can no longer directly manipulate documents in the system.users collection as I'm told we added helper functions for user management. However, the error given to a user manipulating the collection directly should be clearer.

I authenticated myself with role userAdmin and I do:

> db.system.users.insert({user: "test", pwd: "test"})
not authorized for insert on admin.system.users

It should say something like: "Cannot manipulate the system.users collection directly - use helper method"



 Comments   
Comment by Matt Kalan [ 29/Oct/15 ]

Yeah, that is interesting that it can be done. At this point, the helpers have been the main way of managing users for a few releases, so yeah, seems OK, as it was more important during the transition.

Comment by Andreas Nilsson [ 29/Oct/15 ]

This behavior is semantically correct so I will close this ticket.

matt.kalan, do you want us to add any type of documentation around this, or has that ship sailed?

Comment by Andy Schwerin [ 04/Oct/13 ]

Caveat: one can grant write access to system.users collections beginning in 2.5.3, but it is not advised except for restoring from backups and emergency manual maintenance.

Can this be resolved with documentation?
