[SERVER-11063] users with roles readAnyDatabase or readWriteAnyDatabase should not be authorized to run the listDatabases command
Created: 07/Oct/13  Updated: 09/Jul/16  Resolved: 07/Oct/13

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug
Priority: Minor - P4
Reporter: David Storch
Assignee: Unassigned
Resolution: Done
Votes: 0
Labels: 26qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Minor Change
Operating System: ALL
Steps To Reproduce:
  1. db.auth as a user with readAnyDatabase or readWriteAnyDatabase roles
  2. db.runCommand({listDatabases: 1})

Expected result: command fails with "unauthorized"
Actual result: command works

Participants:

 Description   

In v2.4.6, only users with the role clusterAdmin are permitted to run the listDatabases command. In recent builds (I am running against githash 19cd20cbceccfb21fd4338a2a8d5e3ad1738581d), users without the clusterAdmin role can run listDatabases if they have either the readAnyDatabase or readWriteAnyDatabase roles.

The desired behavior is that from v2.4.6: readAnyDatabase or readWriteAnyDatabase should NOT provide listDatabases permission.



 Comments   
Comment by Andy Schwerin [ 07/Oct/13 ]

This was an intentional change.
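
One way to audit which users can run listDatabases under the behaviour this ticket describes, as an added example (not from the ticket or the MongoDB code base). It assumes role documents shaped like rolesInfo output with showPrivileges: true; the role `reporting`, the user names and all sample data are constructed.

```javascript
// Added example, not MongoDB project code. Input shape is assumed to follow
// rolesInfo output with showPrivileges: true; all sample data is constructed.

// True when a privilege document grants `action` on the cluster resource.
function grantsClusterAction(privilege, action) {
  const res = privilege.resource || {};
  return res.cluster === true && (privilege.actions || []).includes(action);
}

// Names of roles whose direct or inherited privileges grant `action`.
function rolesGranting(roleDocs, action) {
  return roleDocs
    .filter((r) =>
      [...(r.privileges || []), ...(r.inheritedPrivileges || [])]
        .some((p) => grantsClusterAction(p, action)))
    .map((r) => r.role)
    .sort();
}

// Users holding at least one granting role, with the roles responsible.
function usersAbleTo(users, roleDocs, action) {
  const granting = new Set(rolesGranting(roleDocs, action));
  return users
    .map((u) => ({
      user: u.user,
      via: u.roles.map((r) => r.role).filter((n) => granting.has(n)),
    }))
    .filter((u) => u.via.length > 0);
}

// Constructed sample data; "reporting" is a hypothetical custom role.
const sampleRoles = [
  { role: "read", privileges: [
    { resource: { db: "app", collection: "" }, actions: ["find"] }] },
  { role: "readAnyDatabase", privileges: [
    { resource: { db: "", collection: "" }, actions: ["find"] },
    { resource: { cluster: true }, actions: ["listDatabases"] }] },
  { role: "clusterAdmin", privileges: [
    { resource: { cluster: true }, actions: ["listDatabases", "shutdown"] }] },
  { role: "reporting", privileges: [], inheritedPrivileges: [
    { resource: { cluster: true }, actions: ["listDatabases"] }] },
];
const sampleUsers = [
  { user: "appReader", roles: [{ role: "read", db: "app" }] },
  { user: "analyst", roles: [{ role: "readAnyDatabase", db: "admin" }] },
  { user: "ops", roles: [{ role: "clusterAdmin", db: "admin" }] },
];

console.log(usersAbleTo(sampleUsers, sampleRoles, "listDatabases"));
```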
