|
Author:
{u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}
Message: SERVER-11302 Do not do auth checks when operating on behalf of a DBDirectClient.
When the server delegates work on behalf of a user to DBDirectClient, the server
should already have validated the user's privileges to take whatever logical
action the server is performing. DBDirectClient itself inherently represents
actions taken by the server, and so it doesn't make sense to do access-control
checks there.
This change eliminates a deadlock risk in access control checks inside
DBDirectClient, and resolves UDR bugs stemming from a DBDirectClient performing
an unexpected access-control check, such as SERVER-11310.
Branch: master
https://github.com/mongodb/mongo/commit/2b16aca77cbd4486d780e21636b7043733e12765
|
|
For group, the .system.js error happens when the resource is specified as
{resource: {db: "test", collection: ""}, actions: ["find"]}
|
When the collection is specified instead of using the "" resource pattern, the error is different:
> db.x.insert({groupby: 1, n: 5})
|
> db.x.insert({groupby: 1, n: 6})
|
> db.runCommand({
|
... createRole: "testRole",
|
... privileges: [ {resource: {db: "test", collection: "x"}, actions: ["find"] } ],
|
... roles: [ ]
|
... })
|
{ "ok" : 1 }
|
> db.runCommand({
|
... createUser: "testUser",
|
... pwd: "password",
|
... roles: ["testRole"]
|
... })
|
{ "ok" : 1 }
|
> db.auth("testUser", "password")
|
1
|
> db.runCommand({ group: {
|
... ns: "x",
|
... key: {groupby: 1},
|
... initial: {total: 0},
|
... $reduce: function (curr, result) { result.total += curr.n; }
|
... }})
|
{
|
"ok" : 0,
|
"errmsg" : "not authorized on test to execute command { group: { ns: \"x\", key: { groupby: 1.0 }, initial: { total: 0.0 }, $reduce: function (curr, result) { result.total += curr.n; } } }",
|
"code" : 13
|
}
|
|