[SERVER-11331] auth error with createRole command Created: 23/Oct/13  Updated: 11/Jul/16  Resolved: 23/Oct/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.5.3
Fix Version/s: 2.5.4

Type: Bug Priority: Major - P3
Reporter: Samantha Ritter (Inactive) Assignee: Spencer Brody (Inactive)
Resolution: Done Votes: 0
Labels: 26qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: mac


Issue Links:
Related
Operating System: ALL

 Description   

createRole (for empty user-defined roles) can be run by any user, and can also be run when not logged in at all.

> db.runCommand({ createRole: "sam", privileges: [], roles: [] })
{ "ok" : 1 }

When the role we are trying to create contains any linked roles or privileges, the command fails with an auth error:

> db.runCommand({ createRole: "dave", privileges: [], roles: [ "sam" ] })
{
"ok" : 0,
"errmsg" : "not authorized on test to execute command { createRole: \"dave\", privileges: [], roles: [ \"sam\" ] }",
"code" : 13
}

> db.runCommand({ createRole: "amalia", privileges: [], roles: [ "read" ] })
{
"ok" : 0,
"errmsg" : "not authorized on test to execute command { createRole: \"amalia\", privileges: [], roles: [ \"read\" ] }",
"code" : 13
}

> var priv = { resource: { db: "test", collection: "" }, actions: [ "find" ] }
> db.runCommand({ createRole: "jeremy", privileges: [ priv ], roles: [] })
{
"ok" : 0,
"errmsg" : "not authorized on test to execute command { createRole: \"jeremy\", privileges: [ { resource: { db: \"test\", collection: \"\" }, actions: [ \"find\" ] } ], roles: [] }",
"code" : 13
}
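
Added example (not part of the original ticket and not MongoDB server code): a JavaScript model that turns the four commands above into a regression check for an unauthenticated session. The grant-string format and all function names are hypothetical; authorizeObserved only reproduces the outputs reported above, and authorizeExpected assumes the command needs the createRole action on the database, plus grantRole when it links roles or privileges.

```javascript
// Constructed model for illustration; not MongoDB server code.
// A session's grants are a Set of "action@db" strings (hypothetical format).
const priv = { resource: { db: "test", collection: "" }, actions: ["find"] };

// The four commands from the ticket, all run against database "test".
const TICKET_COMMANDS = [
  { createRole: "sam", privileges: [], roles: [] },
  { createRole: "dave", privileges: [], roles: ["sam"] },
  { createRole: "amalia", privileges: [], roles: ["read"] },
  { createRole: "jeremy", privileges: [priv], roles: [] },
];

const DENIED = { ok: 0, code: 13 };

// Reproduces the reported behaviour: a check runs once per linked role or
// privilege, so a command with both lists empty is never checked at all.
function authorizeObserved(grants, db, cmd) {
  const perItem = [...cmd.roles, ...cmd.privileges];
  return perItem.every(() => grants.has(`grantRole@${db}`)) ? { ok: 1 } : DENIED;
}

// Expected behaviour (assumption, simplified to a single database): the
// command itself is checked first, independent of what the new role contains.
function authorizeExpected(grants, db, cmd) {
  if (!grants.has(`createRole@${db}`)) return DENIED;
  const links = cmd.roles.length + cmd.privileges.length > 0;
  if (links && !grants.has(`grantRole@${db}`)) return DENIED;
  return { ok: 1 };
}

// Regression check: names of the ticket's roles that a session with no
// grants at all would be allowed to create. Must be empty.
function rolesCreatableUnauthenticated(authorize) {
  const noGrants = new Set();
  return TICKET_COMMANDS
    .filter((cmd) => authorize(noGrants, "test", cmd).ok === 1)
    .map((cmd) => cmd.createRole);
}

console.log("observed:", rolesCreatableUnauthenticated(authorizeObserved));
console.log("expected:", rolesCreatableUnauthenticated(authorizeExpected));
```

The empty role is the case to keep in an authorization test suite: checks that iterate over a command's contents pass vacuously when there is nothing to iterate over.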



 Comments   
Comment by auto [ 23/Oct/13 ]

Author: Spencer T Brody (stbrody, spencer@10gen.com)

Message: SERVER-11331 Fix access control check for createRole
Branch: master
https://github.com/mongodb/mongo/commit/c9b501f8776655806fe11b2649a7c1b9a14e503d
