[SERVER-11300] Possible to Create Circular Roles Created: 22/Oct/13  Updated: 11/Jul/16  Resolved: 23/Oct/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.5.3
Fix Version/s: 2.5.4

Type: Bug Priority: Major - P3
Reporter: Samantha Ritter (Inactive) Assignee: Spencer Brody (Inactive)
Resolution: Done Votes: 0
Labels: 26qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL

 Description   

Using updateRole, it is possible to create a role that contains a reference to itself:

> db.runCommand( { updateRole: "king", roles: [ "king" ] } )

Running this command gives the following error:

ERROR: Inconsistent role graph during authorization manager intialization. Only direct privileges available. Cycle in dependency graph: king@test -> king@test after applying oplog entry u

Querying for the role afterwards with rolesInfo yields the following result:
{"roles":[
{"role":"king",
"db":"test",
"roles":[

{"role":"king","db":"test"}

],
"indirectRoles":[],
"privileges":[],
"warnings":["Role graph state inconsistent; only direct privileges available."]}],
"ok":1}

Afterwards, subsequent role-related commands (like createRole and dropRole) throw the same error that the updateRole command generated.

It seems that grantRolesToRole also allows for this:

> db.runCommand( { createRole: "princess", privileges: [], roles: [] } );
> db.runCommand( { grantRolesToRole: "princess", grantedRoles: [ "princess" ] } );

ERROR: Inconsistent role graph during authorization manager intialization. Only direct privileges available. Cycle in dependency graph: princess@testAuth -> princess@testAuth after applying oplog entry u

{"roles":[
{"role":"princess",
"db":"testAuth",
"roles":[

{"role":"princess","db":"testAuth"}

],
"indirectRoles":[],
"privileges":[],
"warnings":["Role graph state inconsistent; only direct privileges available."]}],
"ok":1}



 Comments   
Comment by auto [ 23/Oct/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-11300 Fix cycle detection in role management commands
Branch: master
https://github.com/mongodb/mongo/commit/6ccab4d17b0732d630cdaed7f5c4f3f94bb20e6e

Generated at Thu Feb 08 03:25:25 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.