[SERVER-11309] checkShardingIndex auth error for user-defined role with "find" privilege
Created: 22/Oct/13  Updated: 11/Jul/16  Resolved: 24/Oct/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 2.5.4

Type: Bug
Priority: Major - P3
Reporter: David Storch
Assignee: Spencer Brody (Inactive)
Resolution: Done
Votes: 0
Labels: 26qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Gantt Dependency
Operating System: ALL
Steps To Reproduce:

> db.runCommand({
... createRole: "testRole",
... privileges: [ {resource: {db: "test", collection: "x"}, actions: ["find"] } ],
... roles: [ ]
... })
{ "ok" : 1 }
> db.runCommand({
... createUser: "testUser",
... pwd: "password",
... roles: ["testRole"]
... })
{ "ok" : 1 }
> db.auth("testUser", "password")
1
> db.runCommand({checkShardingIndex: "test.x", keyPattern: {_id: 1}})
{
	"ok" : 0,
	"errmsg" : "not authorized on test to execute command { checkShardingIndex: \"test.x\", keyPattern: { _id: 1.0 } }",
	"code" : 13
}

 Description   

Expected: A user privileged to perform the "find" action on a collection should be able to run the checkShardingIndex command on that collection.

Actual: An authorization error such as the one below is returned.

{
	"ok" : 0,
	"errmsg" : "not authorized on roles_commands_1 to execute command { checkShardingIndex: \"test.x\", keyPattern: { _id: 1.0 } }",
	"code" : 13
}



 Comments   
Comment by auto [ 24/Oct/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-11309 Fix namespace parsing in access control check for checkShardingIndex command
Branch: master
https://github.com/mongodb/mongo/commit/fc7d11c5d981ebc1ef1b5a851c8dfee0e3d5548d

Comment by Andy Schwerin [ 23/Oct/13 ]

The CheckShardingIndexCmd needs to override the default implementation of Command::parseNs(d, c) to return Command::parseNsFullyQualified(d, c).
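
The namespace mismatch behind this fix, as an added C++ example that is not MongoDB's source and not part of the original ticket. It assumes the default parser prefixes the database name to the command's first value and models privileges as (namespace, action) pairs; `parseNsDefault`, `testRole` and `checkShardingIndexAllowed` are hypothetical names, and the cross-database rejection in `parseNsFullyQualified` is an assumption of this model.

```cpp
#include <iostream>
#include <set>
#include <string>
#include <utility>

// Simplified model (assumption): a privilege is a (namespace, action) pair.
using Privileges = std::set<std::pair<std::string, std::string>>;

// Stand-in for the default parser (assumed behaviour): the command's first
// value is taken as a bare collection name and prefixed with the database.
std::string parseNsDefault(const std::string& db, const std::string& value) {
    return db + "." + value;
}

// Stand-in for the fully qualified parser: the value already is
// "db.collection". Rejecting a value that names another database is an
// assumption of this model; an empty result means "no namespace".
std::string parseNsFullyQualified(const std::string& db, const std::string& value) {
    const std::string prefix = db + ".";
    if (value.size() <= prefix.size() || value.compare(0, prefix.size(), prefix) != 0)
        return "";
    return value;
}

// The role from the ticket: "find" on db "test", collection "x".
Privileges testRole() { return {{"test.x", "find"}}; }

// Hypothetical access check: "find" must be granted on the parsed namespace.
bool checkShardingIndexAllowed(const Privileges& granted, const std::string& db,
                               const std::string& value, bool fullyQualified) {
    const std::string ns = fullyQualified ? parseNsFullyQualified(db, value)
                                          : parseNsDefault(db, value);
    return !ns.empty() && granted.count(std::make_pair(ns, std::string("find"))) > 0;
}

int main() {
    const Privileges role = testRole();
    std::cout << "default parser sees:  " << parseNsDefault("test", "test.x") << "\n"
              << "allowed (default):    " << checkShardingIndexAllowed(role, "test", "test.x", false) << "\n"
              << "allowed (qualified):  " << checkShardingIndexAllowed(role, "test", "test.x", true) << "\n"
              << "allowed (other db):   " << checkShardingIndexAllowed(role, "other", "test.x", true) << "\n";
    return 0;
}
```

In this model the default parser yields `test.test.x`, which no privilege on `test.x` can match, so the check fails closed for a correctly privileged user.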
