Steps To Reproduce:
A specific test case, run by hand. First start a mongod like this:

#!/bin/bash

# prints the admin-user bootstrap command (this script does not pipe it into mongo)
echo 'db.addUser({user:"uu", pwd:"pp", roles:["userAdminAnyDatabase", "clusterAdmin", "readWriteAnyDatabase", "dbAdminAnyDatabase"]})'

# start from an empty data directory
rm -r /tmp/mongoda
mkdir /tmp/mongoda

# auth enabled, audit events written as text to /tmp/mongoda/audit.log
mongod --port 27017 --logpath /tmp/mongoda/mongo.log --logappend --auditLog textfile --auth --auditPath /tmp/mongoda/audit.log --dbpath /tmp/mongoda --smallfiles --nopreallocj

And then revoke user privileges like this (mongo shell):

admindb = db.getMongo().getDB('admin')

// bootstrap an admin user and authenticate as it
admindb.addUser({user:"uu", pwd:"pp", roles:["userAdminAnyDatabase", "clusterAdmin", "readWriteAnyDatabase", "dbAdminAnyDatabase"]})
admindb.auth("uu","pp")

// create a user on the 'oink' database, then strip every role from it
oinkdb = db.getMongo().getDB('oink')
oinkdb.addUser({user:"oo", pwd:"pp", roles:["userAdmin", "readWrite", "dbAdmin"]})
oinkdb.runCommand({revokeRolesFromUser: "oo", roles: ["userAdmin", "readWrite", "dbAdmin"]})

// dump the stored user documents to confirm the revocation took effect
admindb = db.getMongo().getDB('admin')
print("Here comes output")
admindb.system.users.find().forEach(printjson)

And look at the tail of the audit log file, where you can see the user oo
getting created, but not the authority getting revoked:

2013-10-30T11:42:39.951-0400 127.0.0.1:60861/127.0.0.1:27017 Created index user_1_db_1 on admin.system.users as { v: 1, unique: true, key: { user: 1, db: 1 }, name: "user_1_db_1", ns: "admin.system.users" }.
2013-10-30T11:42:39.953-0400 127.0.0.1:60861/127.0.0.1:27017 Created database admin.
2013-10-30T11:42:39.954-0400 127.0.0.1:60861/127.0.0.1:27017 Created index _id_ on admin.system.users as { v: 1, key: { _id: 1 }, name: "_id_", ns: "admin.system.users" }.
2013-10-30T11:42:39.962-0400 uu@admin 127.0.0.1:60861/127.0.0.1:27017 Authentication succeeded for uu@admin using mechanism MONGODB-CR.
2013-10-30T11:42:39.962-0400 uu@admin 127.0.0.1:60861/127.0.0.1:27017 Created user oo@oink with password, without customData, with the following roles: userAdmin@oink, readWrite@oink, dbAdmin@oink.

And to confirm that it happened, the last part of the shell output shows no
roles for 'oo':

{
    "_id" : "oink.oo",
    "user" : "oo",
    "db" : "oink",
    "credentials" : {
        "MONGODB-CR" : "6363103a8f514a6452b1394ec1ee613d"
    },
    "roles" : [ ]
}