Noticed the following inconsistency while testing 2.6 user-defined roles.
When logged in as a user with userAdminAnyDatabase, it's not possible to create a role in a non-admin database that has privileges outside of that database (good). However, it is possible to create a user in a non-admin database that has privileges outside of that database (see below). This struck me as a little inconsistent. Is there a reason for this? Should it be fixed?
> use admin
switched to db admin
> db.auth("jon","password")
1
> use foo
switched to db foo
> db.createRole({role:"readinany", privileges:[{resource:{db:"", collection:""}, actions:["find"]}], roles:[]})
2013-12-03T17:56:48.579+0000 Error: Roles on the 'foo' database cannot be granted privileges that target other databases or the cluster at src/mongo/shell/db.js:1294
> db.createUser({user:"bob",pwd:"password",roles:[{role:"readWrite", db:"bar"}]})
Successfully added user: {
        "user" : "bob",
        "roles" : [
                {
                        "role" : "readWrite",
                        "db" : "bar"
                }
        ]
}
>
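Added example, not part of the report above or of the MongoDB shell itself: a small audit helper that applies to users the same database-scope rule the shell enforces for createRole on a non-admin database, so you can find users that were created through the gap the report describes and refuse to create new ones. It assumes the document shape returned by db.getUsers() in 2.6 (user, db, roles as an array of {role, db} documents, or bare strings meaning "same database"); the function names, the constructed sample users and the error wording (modelled on the createRole message in the transcript) are mine. It is plain JavaScript with the database name passed in explicitly, so it runs under Node on the constructed sample and, unchanged, inside the mongo shell.

```javascript
// Added example (not from the original report): audit helper that applies
// the createRole scope rule to users. Assumes the db.getUsers() document
// shape: { user, db, roles: [ { role, db } | "roleName" ] }.

// Roles held by `userDoc` that are defined on a database other than
// `userDb`. Bare string roles are treated as createUser treats them: a role
// on the same database as the user.
function crossDbRoles(userDb, userDoc) {
  return (userDoc.roles || []).filter(function (r) {
    var roleDb = typeof r === "string" ? userDb : r.db;
    return roleDb !== userDb;
  });
}

// Users stored in `dbName` whose roles reach outside it. Users in the admin
// database are exempt: admin-database roles are allowed to span databases,
// which is why the report calls out non-admin databases only.
function findLeakingUsers(dbName, users) {
  if (dbName === "admin") return [];
  var leaking = [];
  users.forEach(function (u) {
    var userDb = u.db || dbName;
    var leaked = crossDbRoles(userDb, u);
    if (leaked.length > 0) {
      leaking.push({ user: u.user, db: userDb, roles: leaked });
    }
  });
  return leaking;
}

// Guarded createUser: refuses the creation the report shows succeeding,
// using wording modelled on the createRole error. `database` is any object
// with getName() and createUser(), so the shell's `db` works directly.
function scopedCreateUser(database, userSpec) {
  var dbName = database.getName();
  var leaked = crossDbRoles(dbName, userSpec);
  if (dbName !== "admin" && leaked.length > 0) {
    throw new Error("Users on the '" + dbName + "' database cannot be granted " +
      "roles that target other databases: " + JSON.stringify(leaked));
  }
  return database.createUser(userSpec);
}

// Constructed sample shaped like db.getUsers() on database "foo": alice is
// correctly scoped, bob is the user from the report, carol mixes a local role
// with a role defined on admin (flagged, because admin is not foo).
var SAMPLE_FOO_USERS = [
  { _id: "foo.alice", user: "alice", db: "foo",
    roles: [{ role: "read", db: "foo" }] },
  { _id: "foo.bob", user: "bob", db: "foo",
    roles: [{ role: "readWrite", db: "bar" }] },
  { _id: "foo.carol", user: "carol", db: "foo",
    roles: [{ role: "readWrite", db: "foo" }, { role: "clusterMonitor", db: "admin" }] }
];

// In the mongo shell, after `use foo`, run:
//   findLeakingUsers(db.getName(), db.getUsers())
// Under Node (no `db` global) audit the constructed sample instead.
if (typeof db === "undefined") {
  console.log(JSON.stringify(findLeakingUsers("foo", SAMPLE_FOO_USERS), null, 2));
}
```

Run against a real deployment, the audit loops over the non-admin databases from db.getMongo().getDBNames() and reports any user with cross-database roles; the guarded create is the shape a fix in the shell (or in the server's createUser command) would take if the user and role checks are meant to be consistent.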