[SERVER-13917] User with userAdmin roles in a specific database cannot dump/restore users in that database in 2.6 Created: 13/May/14 Updated: 03/Jan/18 Resolved: 13/May/14 |
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 2.6.1 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Linda Qin | Assignee: | Unassigned |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Operating System: | ALL |
| Participants: | |
| Case: | (copied to CRM) |
| Description |
In MongoDB 2.6, a user with the userAdmin role in a specific database can create/delete users in that database. However, this user doesn't have enough privileges to dump/restore users for this database. |
| Comments |
| Comment by Andy Schwerin [ 13/May/14 ] |
The "userAdmin" role does not have permission to read or write to the collections that store user and role data. It only has permission to execute commands that manipulate and read that data in constrained ways. Mongodump and restore, however, require arbitrary read and write privileges on those collections. This is incompatible with enforcing the user management rules (userAdmin on DB "A" cannot grant roles from DB "B" to a user just because that user is in DB "A", e.g.). The general problem of partially updating user data via a partial (vs whole system) mongorestore is actually quite complicated, because users may have privileges on several distinct databases. Even specifying desired behavior for a general-purpose version of the tool is challenging. |
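The privilege gap described in the report and in the comment above, as an added example that is not part of the ticket and not MongoDB's own code. It is a small model of the resource/action check MongoDB's authorization performs: the userAdmin role on database "A" holds user-management actions on "A", while mongodump and mongorestore issue plain reads and writes against the collections that hold user and role data. The collection names admin.system.users and admin.system.roles, the action names, and the per-client requirement sets are assumptions of this example (drawn from the 2.6 model, simplified); the final function shows the user-management rule from the comment, that granting a role requires grantRole on the role's own database, which a raw restore of a user document would bypass.

```javascript
"use strict";

// Added example, not code from the ticket or from MongoDB: a model of the
// resource/action privilege check used by MongoDB authorization, written to show
// why a userAdmin on database "A" can run user-management commands but cannot
// satisfy the raw collection reads and writes that mongodump/mongorestore issue.
// Assumptions: user and role data live in admin.system.users / admin.system.roles
// (as in 2.6); the action names are MongoDB's, but the action sets are simplified.

// Actions the userAdmin role carries on its own database (simplified set).
const USER_ADMIN_ACTIONS = [
  "createUser", "dropUser", "grantRole", "revokeRole",
  "viewUser", "viewRole", "changePassword", "changeCustomData",
];

// Privileges of a built-in role as an array of { resource, actions }.
// A resource of { db, collection: "" } means every collection in that db.
function builtInRolePrivileges(roleName, roleDb) {
  switch (roleName) {
    case "userAdmin":
      return [{ resource: { db: roleDb, collection: "" }, actions: USER_ADMIN_ACTIONS }];
    case "read":
      return [{ resource: { db: roleDb, collection: "" }, actions: ["find"] }];
    default:
      throw new Error(`unknown built-in role ${roleName}`);
  }
}

// A privilege resource covers the target if the db matches and the privilege is
// either db-wide or names exactly the target collection.
function resourceCovers(privRes, target) {
  return privRes.db === target.db &&
    (privRes.collection === "" || privRes.collection === target.collection);
}

// True if any of the user's roles grants `action` on `target`.
function isAuthorized(roles, target, action) {
  return roles.some(({ role, db }) =>
    builtInRolePrivileges(role, db).some(
      (p) => resourceCovers(p.resource, target) && p.actions.includes(action)
    )
  );
}

// The { target, action } pairs in `requirements` that the roles do NOT cover.
function missingPrivileges(roles, requirements) {
  return requirements.filter((r) => !isAuthorized(roles, r.target, r.action));
}

// What each client asks the server for (assumed requirement sets).
const USERS_COLL = { db: "admin", collection: "system.users" };
const ROLES_COLL = { db: "admin", collection: "system.roles" };
const CREATE_USER_IN_A = [{ target: { db: "A", collection: "" }, action: "createUser" }];
const DUMP_USERS = [
  { target: USERS_COLL, action: "find" },
  { target: ROLES_COLL, action: "find" },
];
const RESTORE_USERS = [
  { target: USERS_COLL, action: "insert" },
  { target: USERS_COLL, action: "update" },
  { target: ROLES_COLL, action: "insert" },
];

// The user-management rule a raw restore would bypass: granting a role requires
// grantRole on the role's own database, not on the database the user lives in.
// Returns the roles in `userDoc` that `actorRoles` may not grant.
function rolesNotGrantable(actorRoles, userDoc) {
  return userDoc.roles.filter(
    (r) => !isAuthorized(actorRoles, { db: r.db, collection: "" }, "grantRole")
  );
}

const describe = (r) => `${r.action}@${r.target.db}.${r.target.collection}`;

// Constructed sample data (not from the ticket): a userAdmin on "A" and a
// system.users document, as a dump would contain it, for a user in "A" who
// also holds a role defined in database "B".
const USER_ADMIN_ON_A = [{ role: "userAdmin", db: "A" }];
const RESTORED_USER_DOC = {
  _id: "A.alice", user: "alice", db: "A",
  roles: [{ role: "read", db: "A" }, { role: "read", db: "B" }],
};

function demo() {
  return {
    canCreateUserInA: missingPrivileges(USER_ADMIN_ON_A, CREATE_USER_IN_A).length === 0,
    dumpMissing: missingPrivileges(USER_ADMIN_ON_A, DUMP_USERS).map(describe),
    restoreMissing: missingPrivileges(USER_ADMIN_ON_A, RESTORE_USERS).map(describe),
    crossDbRoles: rolesNotGrantable(USER_ADMIN_ON_A, RESTORED_USER_DOC)
      .map((r) => `${r.role}@${r.db}`),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The userAdmin on "A" passes the createUser check but fails every find, insert and update that the dump and restore paths need on the admin collections, for two independent reasons: the role's resource is database "A", not admin, and its action set contains no find/insert/update at all. The last result shows why simply granting those collection actions would not be a fix: the restored document carries a role from "B" that this actor could never grant through grantRolesToUser.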