[SERVER-12062] "userAdmin" and "userAdminAnyDatabase" are not enough to create users in "any database"
Created: 12/Dec/13  Updated: 09/Jul/16  Resolved: 12/Dec/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.4.6
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Gabriel Petrovay
Assignee: Unassigned
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Mac OSX 10.9


Operating System: OS X
Steps To Reproduce:

$ mongo mono -u admin_all -p 1234
MongoDB shell version: 2.4.6
connecting to: mono
> db.system.users.find()
{ "_id" : ObjectId("52a9831de41eb640bb0f5f64"), "user" : "admin_all", "pwd" : "a6316ed4886c10663cce46bc216ea375", "roles" : [ "userAdmin", "userAdminAnyDatabase" ] }
{ "_id" : ObjectId("52a98404ef1f9bc934b62e11"), "user" : "admin_one", "pwd" : "884f516cf308a4c6a75bbc5a0a00807b", "roles" : [ "userAdmin" ] }
{ "_id" : ObjectId("52a98415ef1f9bc934b62e12"), "user" : "admin_any", "pwd" : "1616611df9b47c58b607054d384cab99", "roles" : [ "userAdminAnyDatabase" ] }
> use another
switched to db another
> db.addUser({ user: "user", pwd: "1234", roles: ["read"] })
{
	"user" : "user",
	"pwd" : "461d4f349d8d4ec3d22a4c945010c330",
	"roles" : [
		"read"
	],
	"_id" : ObjectId("52a985372fcdbfd033003a7e")
}
Thu Dec 12 10:43:19.091 couldn't add user: not authorized for insert on another.system.users at src/mongo/shell/db.js:128
>


 Description   

Having a db superuser with "userAdmin" and "userAdminAnyDatabase" is not enough to create users in other databases.

In the steps to reproduce you have my example.



 Comments   
Comment by Gabriel Petrovay [ 12/Dec/13 ]

Yes, you can close this. I did not read carefully about the admin database and the first note in this section:

http://docs.mongodb.org/manual/reference/user-privileges/#any-database-roles
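
The documentation note referenced in the comment above says that in MongoDB 2.4 the "any database" roles take effect only on users defined in the admin database, which is why admin_all in mono could not insert into another.system.users. The following is an added example, not part of the ticket or of MongoDB's code: it audits 2.4-style system.users documents for any-database roles granted outside admin. The function name, the input shape (database name mapped to its user documents) and the site_admin user are assumptions made for the illustration; the sample documents are constructed from the report with the pwd field omitted.

```javascript
// Added example: audit MongoDB 2.4-style system.users documents for
// "any database" roles granted outside the admin database.
// In 2.4 these roles only take effect on users defined in admin.
const ANY_DB_ROLES = new Set([
  "readAnyDatabase",
  "readWriteAnyDatabase",
  "userAdminAnyDatabase",
  "dbAdminAnyDatabase",
]);

// usersByDb: { <dbName>: [ <system.users document>, ... ] } (assumed shape)
// Returns one finding per misplaced role, sorted for stable output.
function findMisplacedAnyDbRoles(usersByDb) {
  const findings = [];
  for (const [dbName, docs] of Object.entries(usersByDb)) {
    if (dbName === "admin") continue; // the only place these roles apply
    for (const doc of docs) {
      // Tolerate documents without a roles array instead of throwing.
      const roles = Array.isArray(doc.roles) ? doc.roles : [];
      for (const role of roles) {
        if (ANY_DB_ROLES.has(role)) {
          findings.push({ db: dbName, user: doc.user, role });
        }
      }
    }
  }
  return findings.sort((a, b) =>
    (a.db + a.user + a.role).localeCompare(b.db + b.user + b.role));
}

// Constructed sample: the three users from the report (pwd omitted),
// plus a hypothetical correctly placed user in admin.
const sample = {
  mono: [
    { user: "admin_all", roles: ["userAdmin", "userAdminAnyDatabase"] },
    { user: "admin_one", roles: ["userAdmin"] },
    { user: "admin_any", roles: ["userAdminAnyDatabase"] },
  ],
  admin: [{ user: "site_admin", roles: ["userAdminAnyDatabase"] }],
};

for (const f of findMisplacedAnyDbRoles(sample)) {
  console.log(`${f.db}.${f.user}: ${f.role} has no effect outside admin`);
}
```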
