[SERVER-13917] User with userAdmin roles in a specific database cannot dump/restore users in that database in 2.6 Created: 13/May/14  Updated: 03/Jan/18  Resolved: 13/May/14

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.6.1
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Linda Qin Assignee: Unassigned
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL
Participants:
Case:

Description

In MongoDB 2.6, a user with userAdmin role in a specific database can create/delete users in that database. However, this user doesn't have enough privileges to dump/restore users for this database.



Comments
Comment by Andy Schwerin [ 13/May/14 ]

The "userAdmin" role does not have permission to read or write to the collections that store user and role data. It only has permission to execute commands that manipulate and read that data in constrained ways. Mongodump and restore, however, require arbitrary read and write privileges on those collections. This is incompatible with enforcing the user management rules (userAdmin on DB "A" cannot grant roles from DB "B" to a user just because that user is in DB "A", e.g.).

The general problem of partially updating user data via a partial (vs whole system) mongorestore is actually quite complicated, because users may have privileges on several distinct databases. Even specifying desired behavior for a general-purpose version of the tool is challenging.
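The distinction drawn in the comment above (constrained user-management actions versus raw read/write on the collections behind them) can be checked against a server's own role output. The following is an added example, not code from this ticket or from MongoDB; it assumes role documents in the shape returned by `db.getRole(name, {showPrivileges: true})`, a pymongo `Database` object for the export helper, and constructed sample role documents.

```python
# Added example, not code from the ticket or from MongoDB itself. Audits a
# role document shaped like db.getRole(name, {showPrivileges: true}) output for
# the raw collection access mongodump (find) and mongorestore (insert/update/
# remove) need on the user store, which the built-in userAdmin does not grant.

DUMP_ACTIONS = {"find"}
RESTORE_ACTIONS = {"insert", "update", "remove"}
USER_STORE = {"system.users", "system.roles"}  # backing collections (admin db in 2.6)

def _covers_user_store(resource, db_name):
    """True if a privilege resource reaches db_name's user-store collections.
    anyResource covers everything; db "" means that collection in every db.
    {db: X, collection: ""} excludes system.* collections, so it does not count."""
    if resource.get("anyResource"):
        return True
    return resource.get("db") in ("", db_name) and resource.get("collection") in USER_STORE

def store_access(role_doc, db_name):
    """Which dump/restore actions the role grants on db_name's user store,
    counting direct and inherited privileges."""
    granted = set()
    for priv in role_doc.get("privileges", []) + role_doc.get("inheritedPrivileges", []):
        if _covers_user_store(priv.get("resource", {}), db_name):
            granted.update(priv.get("actions", []))
    return {"can_dump": DUMP_ACTIONS <= granted, "can_restore": RESTORE_ACTIONS <= granted}

def export_users(database):
    """Export one database's users via the constrained usersInfo command, the path
    a userAdmin may use instead of reading admin.system.users. `database` is a
    pymongo Database object (assumed; not created here)."""
    return database.command("usersInfo", 1, showCredentials=True)["users"]

# Constructed sample role documents (shape only, not captured from a server).
USER_ADMIN_APPDB = {
    "role": "userAdmin", "db": "appdb", "isBuiltin": True,
    "privileges": [{"resource": {"db": "appdb", "collection": ""},
                    "actions": ["createUser", "dropUser", "grantRole", "revokeRole",
                                "viewUser", "viewRole", "changePassword"]}],
}
USER_STORE_READER = {  # custom role with raw read access to the user store
    "role": "userStoreReader", "db": "admin", "isBuiltin": False,
    "privileges": [{"resource": {"db": "admin", "collection": "system.users"},
                    "actions": ["find"]}],
}

if __name__ == "__main__":
    for role in (USER_ADMIN_APPDB, USER_STORE_READER):
        print(role["role"], store_access(role, "admin"))
```

Run against real `getRole` output, the audit shows which custom roles can bypass the user-management commands by touching the user store directly; `export_users` is the per-database export path that stays inside those commands.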

Generated at Thu Feb 08 03:33:17 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.