[SERVER-11522] grantRolesToRole says it's granting read@admin when not requested to
Created: 01/Nov/13  Updated: 11/Jul/16  Resolved: 01/Nov/13

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 2.5.4

Type: Bug
Priority: Major - P3
Reporter: bard.bloom@10gen.com
Assignee: Spencer Brody (Inactive)
Resolution: Done
Votes: 0
Labels: 26qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL

 Description   

I'm trying to add one role to role75אω, and that one role is
role76ऊ@roledb72א. But when I look at the audit log, I see that it also has
evidently been granted read@admin.

Here's some of my code:

        self.roles = [ {"role": self.other_role, "db": n['db2']}]
        utili.printf(u"Now I wish to grantRolesToRole, giving {0.role} the roles {0.roles}", self)
        database.command("grantRolesToRole", value=self.role, grantedRoles = self.roles)
        self.keys = ["role", "db", "roles"]
        rolling = u", ".join([u"{0}@{1}".format(x['role'], x['db']) for x in self.roles])
        utili.printf(u"rolling = {0}", rolling)

And here's the related output:

Now I wish to grantRolesToRole, giving role75אω the roles [{'db': u'roledb72\u05d0', 'role': u'role76\u090a'}]
rolling = role76ऊ@roledb72א

And here's the audit log:

2013-11-01T11:25:15.220-0400 admin@admin 127.0.0.1:44074/127.0.0.1:27017 Created role role75אω@roledb72א with the roles: read@admin and the privileges, { resource: { db: "roledb72א", collection: "thrip" }, actions: [ "createUser", "dropUser" ] }.
2013-11-01T11:25:15.222-0400 admin@admin 127.0.0.1:44074/127.0.0.1:27017 Created role role76ऊ@roledb72א with the roles and the privileges.
2013-11-01T11:25:15.224-0400 admin@admin 127.0.0.1:44074/127.0.0.1:27017 Granted to role role75אω@roledb72א the roles: read@admin, role76ऊ@roledb72א.
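
A check over these audit lines, as an added example that is not part of the original ticket or MongoDB's code: it compares what each "Granted to role" entry reports against what the caller requested, and separates roles that an earlier "Created role" entry already recorded from roles nothing accounts for. The line format is inferred from the three lines above; `check_grants`, `split_roles` and the sample constants are hypothetical names, and the sample lines are constructed from the quoted log with a shared timestamp and the privilege document elided.

```python
import re

# Constructed sample, rebuilt from the three audit lines quoted in this ticket.
T = "role75\u05d0\u03c9@roledb72\u05d0"   # role being modified
G = "role76\u090a@roledb72\u05d0"         # the one role the reporter asked to grant
PFX = "2013-11-01T11:25:15.220-0400 admin@admin 127.0.0.1:44074/127.0.0.1:27017 "
AUDIT_LINES = [
    PFX + "Created role " + T + " with the roles: read@admin and the privileges, { ... }.",
    PFX + "Created role " + G + " with the roles and the privileges.",
    PFX + "Granted to role " + T + " the roles: read@admin, " + G + ".",
]

CREATED = re.compile(r"Created role (?P<role>\S+) with the roles(?:: (?P<roles>.*?))? and the privileges")
GRANTED = re.compile(r"Granted to role (?P<role>\S+) the roles: (?P<roles>.*)\.$")

def split_roles(text):
    # Assumes role names contain no ", " (true for the lines in this ticket).
    return set(text.split(", ")) if text else set()

def check_grants(lines, requested):
    """requested maps a target role to the set of 'role@db' the caller asked to grant.
    Returns one finding per 'Granted' entry that lists roles nobody requested."""
    held = {}        # role -> roles the audit trail has recorded for it so far
    findings = []
    for line in lines:
        m = CREATED.search(line)
        if m:
            held[m.group("role")] = split_roles(m.group("roles"))
            continue
        m = GRANTED.search(line.rstrip())
        if not m:
            continue
        target, reported = m.group("role"), split_roles(m.group("roles"))
        extra = reported - requested.get(target, set())
        if extra:
            prior = held.get(target, set())
            findings.append({
                "role": target,
                "already_held": sorted(extra & prior),  # reported, but recorded earlier
                "unexplained": sorted(extra - prior),   # no earlier entry accounts for these
            })
        held.setdefault(target, set()).update(reported)
    return findings

if __name__ == "__main__":
    for finding in check_grants(AUDIT_LINES, {T: {G}}):
        print(finding)
```

On the sample, `read@admin` lands in `already_held`, because the first "Created role" line already lists it for the target role.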



 Comments   
Comment by auto [ 01/Nov/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-11522 SERVER-11524 Pass the right roles to the auditing code in grantRolesToRoles and revokeRolesFromRole
Branch: master
https://github.com/mongodb/mongo/commit/471bc7a3de80fae0551f164a4a0d51e2325cae30

Comment by Eric Milkie [ 01/Nov/13 ]

Spencer, can you check on the behavior of this? I believe auditing is just reporting the information given at the site of the hook for role granting.
