[SERVER-11234] mongo 2.4 User privileges Roles to do a 'show dbs' Created: 17/Oct/13  Updated: 10/Dec/14  Resolved: 14/Nov/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.4.4
Fix Version/s: None

Type: Question Priority: Major - P3
Reporter: MOISAN Benoît Assignee: J Rassi
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

mongo 2.4 on ubuntu 12.04 LTS


 Description   

Hi,

As in SERVER-9301, I've done the same roles on my replica set like this:

CSP:PRIMARY> db.addUser(
{ user: "csp_ro", pwd: "csp_ro", roles: [ "readWrite","clusterAdmin" ] }
)
{
"user" : "csp_ro",
"pwd" : "bdf8745d1e16d25bfc035bbb6e703a78",
"roles" : [
"readWrite",
"clusterAdmin"
],
"_id" : ObjectId("525faffaf8039187dd745e01")
}
CSP:PRIMARY>
bye
root@mongo21g:~# mongo -ucsp_ro -pcsp_ro CSP2
MongoDB shell version: 2.4.4
connecting to: CSP2
> show dbs
Thu Oct 17 11:38:15.315 JavaScript execution failed: listDatabases failed:
{ "ok" : 0, "errmsg" : "unauthorized" }
at src/mongo/shell/mongo.js:L46

But the user csp_ro doesn't have roles to do a show dbs. Is it normal?



 Comments   
Comment by J Rassi [ 25/Oct/13 ]

Yes. The shell and drivers all perform the same authentication process, so a user's privileges on the server after logging in will be the same. Make sure you are authenticating against the correct database.

Comment by MOISAN Benoît [ 18/Oct/13 ]

Your solution seems to be OK from the shell. 'show dbs' works...

But unfortunately, I still have an error from my Ruby client DrowsyDromedary/ respond:

Database command 'listDatabases' failed

Last question...

Is it the same role if I want to do a listDatabases from a client like Ruby or PHP?

Comment by J Rassi [ 17/Oct/13 ]

Yes. In MongoDB 2.4, either:

  • create an additional privilege document in the admin database, with the "clusterAdmin" role and a userSource value of "CSP2", or
  • remove the user from the CSP2 database, and create the user on the admin database with an otherDBRoles value of {CSP2: ["readWrite"] }
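
Added example, not part of the ticket or of any participant's comment: a small JavaScript linter for MongoDB 2.4 privilege documents that flags the document from the description and accepts both options listed above. The function names, the "<hash>" placeholders, the readWrite role kept on CSP2 in the first option and the clusterAdmin role in the second option are assumptions made for illustration.

```javascript
// Added example: lint MongoDB 2.4 privilege documents (system.users entries).
// lintPrivilegeDoc and all sample documents below are constructed.
const ANY_DB_ROLES = new Set(["read", "readWrite", "dbAdmin", "userAdmin"]);
const ADMIN_ONLY_ROLES = new Set(["clusterAdmin", "readAnyDatabase",
  "readWriteAnyDatabase", "userAdminAnyDatabase", "dbAdminAnyDatabase"]);

// Returns the problems found in a document stored in <dbName>.system.users.
function lintPrivilegeDoc(dbName, doc) {
  const problems = [];
  // Credentials are either local (pwd) or delegated (userSource), never both.
  if (("pwd" in doc) === ("userSource" in doc)) {
    problems.push("need exactly one of pwd / userSource");
  }
  for (const role of doc.roles || []) {
    if (ADMIN_ONLY_ROLES.has(role)) {
      if (dbName !== "admin") problems.push(`${role} is only granted on admin`);
    } else if (!ANY_DB_ROLES.has(role)) {
      problems.push(`unknown role ${role}`);
    }
  }
  if ("otherDBRoles" in doc && dbName !== "admin") {
    problems.push("otherDBRoles is only valid on admin");
  }
  return problems;
}

// Lints [dbName, doc] pairs and returns every problem found.
function lintAll(entries) {
  return entries.flatMap(([dbName, doc]) => lintPrivilegeDoc(dbName, doc));
}

// As reported (database assumed to be CSP2, the one the user logs in to).
const reported = [["CSP2",
  { user: "csp_ro", pwd: "<hash>", roles: ["readWrite", "clusterAdmin"] }]];
// First option: CSP2 keeps the credentials; admin delegates to it via userSource.
const option1 = [
  ["CSP2", { user: "csp_ro", pwd: "<hash>", roles: ["readWrite"] }],
  ["admin", { user: "csp_ro", userSource: "CSP2", roles: ["clusterAdmin"] }]];
// Second option: one admin user (clusterAdmin assumed) plus otherDBRoles.
const option2 = [["admin", { user: "csp_ro", pwd: "<hash>",
  roles: ["clusterAdmin"], otherDBRoles: { CSP2: ["readWrite"] } }]];

console.log(lintAll(reported)); // the ineffective clusterAdmin grant is flagged
console.log(lintAll(option1), lintAll(option2));
```

Running a check like this over exported system.users collections catches grants that were stored without error but carry no privileges, as happened with the addUser call in the description.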

Comment by MOISAN Benoît [ 17/Oct/13 ]

So, what is the solution to have a specific user on a database (for me user csp_ro on database CSP2) who can do a 'show dbs'?
Is it possible?

Comment by J Rassi [ 17/Oct/13 ]

You tried to create the user with the clusterAdmin role on the CSP database. The clusterAdmin role can only be granted to users on the admin database.
