[SERVER-13833] userAdminAnyDatabase role should be able to create indexes on admin.system.users and admin.system.roles
Created: 05/May/14  Updated: 27/Oct/15  Resolved: 28/Jul/14

Status: Closed
Project: Core Server
Component/s: Security, Usability
Affects Version/s: 2.6.1
Fix Version/s: 2.6.4, 2.7.5

Type: Bug
Priority: Major - P3
Reporter: Spencer Brody (Inactive)
Assignee: Amalia Hawkins
Resolution: Done
Votes: 0
Labels: cap-ticket-needed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Related
is related to DOCS-4343 Document that the built-in userAdminA... Closed
Tested
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Completed:
Participants:

 Description   
Issue Status as of Jul 31, 2014

ISSUE SUMMARY
The built-in role userAdminAnyDatabase does not have permissions to create and drop indexes on the collections admin.system.users and admin.system.roles.

USER IMPACT
Database administrators may wish to create indexes on the users or roles collection if they contain many users or roles, in order to make queries on the collections more efficient. Similarly, once these indexes have been created, the administrators should be able to drop said indexes. Currently they are unable to do so.

WORKAROUNDS
Create a new user-defined role that grants the necessary permissions and add that role to the desired admin user. In this case, the role creation would look like:

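// Run while connected to the admin database (use admin): the built-in
// userAdminAnyDatabase role exists only there.
db.runCommand( {
    createRole: "workaroundRole",
    // Inherit everything userAdminAnyDatabase already grants.
    roles: ["userAdminAnyDatabase"],
    // Add the index actions on the two collections named in this ticket.
    privileges: [
        { resource: { db: "admin", collection: "system.users" }, actions: ["createIndex", "dropIndex"] },
        { resource: { db: "admin", collection: "system.roles" }, actions: ["createIndex", "dropIndex"] }
    ]
} );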

AFFECTED VERSIONS
All production release versions from 2.6.0 to 2.6.3 are affected by this issue.

FIX VERSION
The fix is included in the 2.6.4 production release.

RESOLUTION DETAILS
The privileges to dropIndex and createIndex on the admin.system.users and admin.system.roles collections were added to the userAdminAnyDatabase role.

Original description

userAdminAnyDatabase cannot create indexes on system.users or system.roles collections.
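
To check whether a role already carries the index privileges discussed above (because the server runs a fixed version, or because the workaround role was created), the output of rolesInfo can be audited. The following is an added example, not part of the ticket or of the MongoDB code base; the function names and the sample reply are constructed for illustration, and the check assumes rolesInfo was run with showPrivileges: true.

```javascript
// Added example: audit rolesInfo output for the index privileges in SERVER-13833.
const TARGETS = ["system.users", "system.roles"]; // collections in the admin db
const NEEDED = ["createIndex", "dropIndex"];

// Returns the "<collection>:<action>" pairs a role document does not grant.
// Only exact-match resources are read; wildcard resources are not expanded.
function missingIndexPrivileges(roleDoc) {
  const granted = new Set();
  const all = [...(roleDoc.privileges || []), ...(roleDoc.inheritedPrivileges || [])];
  for (const p of all) {
    const r = p.resource || {};
    if (r.db !== "admin" || !TARGETS.includes(r.collection)) continue;
    for (const a of p.actions || []) granted.add(`${r.collection}:${a}`);
  }
  const missing = [];
  for (const c of TARGETS) {
    for (const a of NEEDED) {
      if (!granted.has(`${c}:${a}`)) missing.push(`${c}:${a}`);
    }
  }
  return missing;
}

// Maps each role in a rolesInfo reply to its missing privileges.
function auditRolesInfo(reply) {
  const report = {};
  for (const role of reply.roles || []) {
    report[`${role.db}.${role.role}`] = missingIndexPrivileges(role);
  }
  return report;
}

// Constructed sample reply (not real server output), shaped like the result of
// rolesInfo with showPrivileges: true. Privilege lists are abbreviated.
const sampleReply = { ok: 1, roles: [
  { role: "userAdminAnyDatabase", db: "admin", isBuiltin: true, privileges: [
      { resource: { db: "admin", collection: "system.users" }, actions: ["find"] } ],
    inheritedPrivileges: [
      { resource: { db: "admin", collection: "system.users" }, actions: ["find"] } ] },
  { role: "workaroundRole", db: "admin", isBuiltin: false, privileges: [
      { resource: { db: "admin", collection: "system.users" }, actions: NEEDED },
      { resource: { db: "admin", collection: "system.roles" }, actions: NEEDED } ],
    inheritedPrivileges: [
      { resource: { db: "admin", collection: "system.users" }, actions: ["find", ...NEEDED] },
      { resource: { db: "admin", collection: "system.roles" }, actions: NEEDED } ] },
] };

console.log(JSON.stringify(auditRolesInfo(sampleReply), null, 2));
```

An empty list for a role means it can create and drop indexes on both collections; any listed pair is a privilege the role still lacks.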



 Comments   
Comment by Githook User [ 28/Jul/14 ]

Author: Amalia Hawkins (hawka) <amalia.hawkins@10gen.com>

Message: SERVER-13833 userAdminAnyDatabase role should be able to create and drop indexes on admin.system.users and admin.system.roles
(cherry picked from commit 9b93692f665a506dcc00ed989eb1f31741dea53c)
Branch: v2.6
https://github.com/mongodb/mongo/commit/4048b0a710cc1fa7fd542e860b1782c3ed4cc27b

Comment by Githook User [ 28/Jul/14 ]

Author: Amalia Hawkins (hawka) <amalia.hawkins@10gen.com>

Message: SERVER-13833 userAdminAnyDatabase role should be able to create and drop indexes on admin.system.users and admin.system.roles
Branch: master
https://github.com/mongodb/mongo/commit/9b93692f665a506dcc00ed989eb1f31741dea53c

Comment by Spencer Brody (Inactive) [ 24/Jul/14 ]

Yes, it should probably be able to do that too.

Comment by Amalia Hawkins [ 24/Jul/14 ]

What about dropping indexes?

Comment by Spencer Brody (Inactive) [ 06/May/14 ]

Updating this ticket's description to reflect that userAdminAnyDatabase cannot be used with mongorestore to restore user data, as it does not have the permission to do direct inserts into admin.system.users - this is by design and adding the ability to create indexes on it won't change this.

It is still probably a good idea to let userAdminAnyDatabase build indexes on admin.system.users, just to make querying the users collection easier if you have a lot of users, but it means this ticket is lower priority than originally thought.
