[SERVER-13804] The built-in role "restore" doesn't have insert privileges on system.roles collection Created: 01/May/14  Updated: 11/Jul/16  Resolved: 14/May/14

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.6.0, 2.6.1
Fix Version/s: 2.6.2, 2.7.1

Type: Bug Priority: Major - P3
Reporter: Linda Qin Assignee: Amalia Hawkins
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by SERVER-13869 Update jstests/tool/dumprestore_auth2... Closed
Duplicate
is duplicated by SERVER-13869 Update jstests/tool/dumprestore_auth2... Closed
Related
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Completed:
Participants:

Description
Issue Status as of May 16, 2014

ISSUE SUMMARY
The built-in role restore, added for 2.6, provides privileges to run mongorestore to restore data to a MongoDB instance running with authentication, but this role does not contain the privilege to update the system.roles collection (via insert).

USER IMPACT
mongorestore fails when run using a user with the restore role if the dump being restored contains admin.system.roles entries (i.e. user-defined roles), resulting in only a partial import.

WORKAROUNDS
Create a new role with the right permissions, and then create a new user that has this new role (replace USER, PASSWORD with appropriate credentials):

use admin;
db.createRole({role:"fullrestore",
  privileges:[{resource:{db:"admin",collection:"system.roles"},
  actions:["insert","collMod","createCollection","createIndex","dropCollection","find","remove","update"]}],
  roles:["restore"]})
 
db.createUser({user:"USER",pwd:"PASSWORD",roles:["fullrestore"]})

Use this new user with mongorestore.
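An added check (not code from the ticket or from MongoDB) for verifying a role before running mongorestore: feed it the document that `db.getRole("<role>", { showPrivileges: true })` returns in the mongo shell and it lists which of the actions the fullrestore workaround grants on admin.system.roles are missing. The resource-matching rules in the comments are assumptions taken from MongoDB's privilege-resource semantics, and the sample role documents are constructed.

```javascript
// Added example, not code from the ticket or from MongoDB: given the document
// db.getRole("<role>", { showPrivileges: true }) returns in the mongo shell,
// report which actions of the "fullrestore" workaround are missing on admin.system.roles.

// The actions the workaround role grants on admin.system.roles.
const REQUIRED_ACTIONS = [
  "insert", "collMod", "createCollection", "createIndex",
  "dropCollection", "find", "remove", "update",
];

// Does a privilege's resource document cover admin.system.roles?
// Assumed MongoDB resource rules: {anyResource:true} covers everything;
// {db:"admin",collection:"system.roles"} matches exactly; {db:"",collection:
// "system.roles"} covers that collection in every database; {db:"admin",
// collection:""} covers only NON-system collections, so it misses system.roles.
function coversSystemRoles(resource) {
  if (resource.anyResource === true) return true;
  if (resource.cluster === true) return false;
  if (resource.collection !== "system.roles") return false;
  return resource.db === "admin" || resource.db === "";
}

// Sorted list of required actions the role lacks on admin.system.roles;
// an empty list means a user with this role can restore user-defined roles.
function missingSystemRolesActions(roleDoc) {
  const granted = new Set();
  for (const priv of roleDoc.inheritedPrivileges || []) {
    if (coversSystemRoles(priv.resource)) priv.actions.forEach((a) => granted.add(a));
  }
  return REQUIRED_ACTIONS.filter((a) => !granted.has(a)).sort();
}

// Constructed sample (not the real 2.6.1 "restore" role): database-wide
// privileges on admin plus read-only access to system.roles.
const PARTIAL_ROLE = { role: "partialRestore", db: "admin", inheritedPrivileges: [
  { resource: { db: "admin", collection: "" }, actions: ["insert", "createCollection", "createIndex"] },
  { resource: { db: "admin", collection: "system.roles" }, actions: ["find"] },
] };

// Constructed sample matching the workaround's fullrestore role.
const FULLRESTORE_ROLE = { role: "fullrestore", db: "admin", inheritedPrivileges: [
  { resource: { db: "admin", collection: "system.roles" }, actions: REQUIRED_ACTIONS },
] };

console.log("partialRestore missing:", missingSystemRolesActions(PARTIAL_ROLE));
console.log("fullrestore missing:", missingSystemRolesActions(FULLRESTORE_ROLE));
```

Run it against the real `db.getRole(...)` output by pasting that document in place of the constructed samples; any non-empty list is the set of actions to add to the role.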

AFFECTED VERSIONS
MongoDB production versions 2.6.0 and 2.6.1 are affected by this issue.

FIX VERSION
The fix is included in the 2.6.2 production release.

RESOLUTION DETAILS
The built-in role restore now has the appropriate privileges, so a user with this role can run mongorestore to restore data including user-defined roles to a MongoDB instance.

Original description.

mongorestore will fail if we run it using a user with the restore role.

> show users
......
{
	"_id" : "admin.restore",
	"user" : "restore",
	"db" : "admin",
	"roles" : [
		{
			"role" : "restore",
			"db" : "admin"
		}
	]
}
 
bash-3.2$ mongorestore --port 33333 -u restore -p restore -d test --authenticationDatabase admin --restoreDbUsersAndRoles dump/test/
connected to: 127.0.0.1:33333
2014-05-01T14:32:14.520+1000 Restoring users for the test database to admin.system.users
2014-05-01T14:32:14.520+1000 	going into namespace [admin.system.users]
Restoring to admin.system.users without dropping. Restored data will be inserted without raising errors; check your server log
file dump/test/$admin.system.users.bson empty, skipping
2014-05-01T14:32:14.530+1000 	Creating index: { key: { _id: 1 }, name: "_id_", ns: "admin.system.users" }
2014-05-01T14:32:14.530+1000 	Creating index: { unique: true, key: { user: 1, db: 1 }, name: "user_1_db_1", ns: "admin.system.users" }
2014-05-01T14:32:14.530+1000 Restoring roles for the test database to admin.system.roles
2014-05-01T14:32:14.530+1000 	going into namespace [admin.system.roles]
Restoring to admin.system.roles without dropping. Restored data will be inserted without raising errors; check your server log
file dump/test/$admin.system.roles.bson empty, skipping
2014-05-01T14:32:14.534+1000 	Creating index: { key: { _id: 1 }, name: "_id_", ns: "admin.system.roles" }
Error creating index admin.system.roles: 13 err: "not authorized to create index on admin.system.roles"
Abort trap: 6

=== TODOs for this ticket ===

  • Add required permissions to the restore role
  • Complement jstests/tool/dumprestore_auth2.js to test mongorestore properly with a user that has the "restore" role


Comments
Comment by Githook User [ 15/May/14 ]

Author: Amalia Hawkins (hawka) <amalia.hawkins@10gen.com>

Message: SERVER-13804 add necessary privilege to the built-in restore role
(cherry picked from commit b1e42ae09dbcf45e5b35b787743bb183930b20a9)
Branch: v2.6
https://github.com/mongodb/mongo/commit/9436cd6cc5850f5afa70b98671425db0574f1243

Comment by Githook User [ 14/May/14 ]

Author: Amalia Hawkins (hawka) <amalia.hawkins@10gen.com>

Message: SERVER-13804 add necessary privilege to the built-in restore role
Branch: master
https://github.com/mongodb/mongo/commit/b1e42ae09dbcf45e5b35b787743bb183930b20a9

Generated at Thu Feb 08 03:32:57 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.