[SERVER-11310] auth errors for mapReduce and group commands with user-defined roles
Created: 22/Oct/13  Updated: 11/Jul/16  Resolved: 23/Oct/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 2.5.4

Type: Bug
Priority: Major - P3
Reporter: David Storch
Assignee: Spencer Brody (Inactive)
Resolution: Done
Votes: 0
Labels: 26qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL
Steps To Reproduce:

> db.x.insert({groupby: 1, n: 5})
> db.x.insert({groupby: 1, n: 6})
> db.runCommand({
... createRole: "testRole",
... privileges: [ {resource: {db: "test", collection: "x"}, actions: ["find"] } ],
... roles: [ ]
... })
{ "ok" : 1 }
> db.runCommand({
... createUser: "testUser",
... pwd: "password",
... roles: ["testRole"]
... })
{ "ok" : 1 }
> db.auth("testUser", "password")
1
> db.runCommand({
... mapreduce: "x",
... map: function () { emit(this.groupby, this.n) },
... reduce: function (id,emits) { return Array.sum(emits); },
... out: {inline: 1}
... })
{
	"errmsg" : "exception: nextSafe(): { $err: \"not authorized for query on test.system.js\", code: 13 }",
	"code" : 13106,
	"ok" : 0
}

Description

Expected

A user privileged to perform the "find" action on a collection should be able to run the "group" command on that collection. Similarly, a user with "find" on a collection should be able to run mapReduce on that collection, so long as inline output is specified.

Actual

The user is unauthorized, with the command returning an error such as the following:

{
	"errmsg" : "exception: nextSafe(): { $err: \"not authorized for query on roles_commands_1.system.js\", code: 13 }",
	"code" : 13106,
	"ok" : 0
}



Comments
Comment by auto [ 23/Oct/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-11310 Fix resource extraction for access control check in group command
Branch: master
https://github.com/mongodb/mongo/commit/ba067e496f04fa15ea7740d4e1d29200409e0296

Comment by Andy Schwerin [ 23/Oct/13 ]

david.storch, can you please re-test at master?

Comment by auto [ 23/Oct/13 ]

Author: Andy Schwerin (andy10gen) <schwerin@10gen.com>

Message: SERVER-11302 Do not do auth checks when operating on behalf of a DBDirectClient.

When the server delegates work on behalf of a user to DBDirectClient, the server
should already have validated the user's privileges to take whatever logical
action the server is performing. DBDirectClient itself inherently represents
actions taken by the server, and so it doesn't make sense to do access-control
checks there.

This change eliminates a deadlock risk in access control checks inside
DBDirectClient, and resolves UDR bugs stemming from a DBDirectClient performing
an unexpected access-control check, such as SERVER-11310.
Branch: master
https://github.com/mongodb/mongo/commit/2b16aca77cbd4486d780e21636b7043733e12765
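
The behaviour described in the SERVER-11302 commit message above, as a simplified model. This is an added example, not MongoDB source code: every function and field name is hypothetical, and the sample documents are constructed from the reproduction steps. It shows that the command-level check stays in place while the server's own internal reads no longer trigger a second check.

```javascript
// Simplified model of the access-control flow described in the commit message.
// All names here are hypothetical; this is not MongoDB source code.

// Privileges of "testRole" from the reproduction: find on test.x only.
const testRole = [{ resource: { db: "test", collection: "x" }, actions: ["find"] }];

function isAuthorized(privileges, db, collection, action) {
  return privileges.some(p =>
    p.resource.db === db &&
    p.resource.collection === collection &&
    p.actions.includes(action));
}

// Query entry point. `internal` marks a call made by the server itself
// (the role DBDirectClient plays); `checkInternal` selects old vs new behaviour.
function query(session, db, collection, { internal = false } = {}) {
  const mustCheck = !internal || session.checkInternal;
  if (mustCheck && !isAuthorized(session.privileges, db, collection, "find")) {
    throw new Error(`not authorized for query on ${db}.${collection}`);
  }
  return session.data[`${db}.${collection}`] || [];
}

// Inline mapReduce: one command-level check on the target collection, then
// internal reads of system.js (stored functions) and of the input collection.
function mapReduceInline(session, db, collection, map, reduce) {
  if (!isAuthorized(session.privileges, db, collection, "find")) {
    throw new Error(`not authorized on ${db} to execute command`);
  }
  query(session, db, "system.js", { internal: true });
  const groups = new Map();
  for (const doc of query(session, db, collection, { internal: true })) {
    const [key, value] = map(doc);
    groups.set(key, [...(groups.get(key) || []), value]);
  }
  return [...groups].map(([k, vs]) => ({ _id: k, value: reduce(k, vs) }));
}

// checkInternal=true models the behaviour reported in this ticket,
// checkInternal=false models the behaviour after the change.
function runAs(checkInternal) {
  const session = { privileges: testRole, checkInternal,
    data: { "test.x": [{ groupby: 1, n: 5 }, { groupby: 1, n: 6 }] } }; // constructed
  try {
    return mapReduceInline(session, "test", "x",
      d => [d.groupby, d.n], (id, emits) => emits.reduce((a, b) => a + b, 0));
  } catch (e) {
    return e.message;
  }
}
```

A direct, non-internal query on `system.js` by the same user is still rejected in both modes, which is the property a regression test for this change should keep asserting.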

Comment by David Storch [ 22/Oct/13 ]

For group, the .system.js error happens when the resource is specified as

{resource: {db: "test", collection: ""}, actions: ["find"]}

When the collection is specified instead of using the "" resource pattern, the error is different:

> db.x.insert({groupby: 1, n: 5})
> db.x.insert({groupby: 1, n: 6})
> db.runCommand({
... createRole: "testRole",
... privileges: [ {resource: {db: "test", collection: "x"}, actions: ["find"] } ],
... roles: [ ]
... })
{ "ok" : 1 }
> db.runCommand({
... createUser: "testUser",
... pwd: "password",
... roles: ["testRole"]
... })
{ "ok" : 1 }
> db.auth("testUser", "password")
1
> db.runCommand({ group: {
... ns: "x",
... key: {groupby: 1},
... initial: {total: 0},
... $reduce: function (curr, result) { result.total += curr.n; }
... }})
{
	"ok" : 0,
	"errmsg" : "not authorized on test to execute command { group: { ns: \"x\", key: { groupby: 1.0 }, initial: { total: 0.0 }, $reduce: function (curr, result) { result.total += curr.n; } } }",
	"code" : 13
}
