[SERVER-14355] Allow dbAdmin role to manually create system.profile collections Created: 25/Jun/14  Updated: 21/Apr/21  Resolved: 15/Jul/14

Status: Closed
Project: Core Server
Component/s: Admin
Affects Version/s: 2.6.0
Fix Version/s: 2.6.4, 2.7.4

Type: Bug Priority: Major - P3
Reporter: Dharshan Rangegowda Assignee: Spencer Brody (Inactive)
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to SERVER-16944 dbAdminAnyDatabase should have full p... Closed
is related to DOCS-4345 Document new capability granted to db... Closed
Operating System: ALL

 Description   
Issue Status as of Jul 22, 2014

ISSUE SUMMARY
The dbAdmin role has the permission to drop the system.profile collection, but does not have permissions to create it (e.g. for resizing).

USER IMPACT
Admin users may drop the system.profile collection in an attempt to resize it but are then unable to re-create the new collection manually.

WORKAROUNDS
Create a new user-defined role that grants the necessary permissions and add that role to a user, as described in this comment.

AFFECTED VERSIONS
All production releases from 2.6.0 to 2.6.3 are affected by the bug.

FIX VERSION
The fix is included in the 2.6.4 production release.

RESOLUTION DETAILS
Added the permission to create system.profile collections to the dbAdmin role.

Original description

I am trying to increase the size of my profiling collection as per the instructions. Version is 2.6.0. I am logged in as "root" user on the admin db. It fails with error

- "not authorized on admin to execute command"

Shard-0:PRIMARY> db.system.profile.drop();
true
Shard-0:PRIMARY> db.createCollection( "system.profile", { capped: true, size:4000000 } );
{
        "ok" : 0,
        "errmsg" : "not authorized on admin to execute command { create: \"system.profile\", capped: true, size: 4000000.0 }",
        "code" : 13
}
Shard-0:PRIMARY> show users;
{
        "_id" : "admin.admin",
        "user" : "admin",
        "db" : "admin",
        "credentials" : {
                "MONGODB-CR" : "951e7b3e49c49caf2b4c8819a11e7e29"
        },
        "roles" : [
                {
                        "role" : "root",
                        "db" : "admin"
                },
                {
                        "role" : "restore",
                        "db" : "admin"
                }
        ]
}



 Comments   
Comment by Spencer Brody (Inactive) [ 06/Oct/15 ]

closeiostefan, yes, that was the bug that Jeff Tharp reported earlier in this ticket: SERVER-16944. It has been fixed in 3.0.1.

Comment by Stefan Wojcik [ 06/Oct/15 ]

Shouldn't the role "dbAdminAnyDatabase" on the admin db also work? It doesn't right now, at least on the MongoDB version I tested (2.6.11).

Comment by Ramon Fernandez Marina [ 20/Jan/15 ]

jtharpla, this ticket was about allowing dbAdmin to create system.profile collections, and that works on 2.6.6.

The issue you mention, however, is indeed a bug, so we've opened SERVER-16944 to address it – thanks for reporting this. Please tune in to that ticket for updates and feel free to vote for it.

Comment by Jeff Tharp [ 19/Jan/15 ]

This is not fixed in MongoDB 2.6.6 – using a user with root and restore privileges was not sufficient to create the system.profile collection:

myReplicaSet:PRIMARY> db.system.users.find({user:"myAdminUser"}).pretty()
{
    "_id" : "admin.myAdminUser",
    "user" : "myAdminUser",
    "db" : "admin",
    "credentials" : {
        "MONGODB-CR" : "XXXXXXXXXXXXXXXXXXXXXX"
    },
    "roles" : [
        {
            "role" : "restore",
            "db" : "admin"
        },
        {
            "role" : "root",
            "db" : "admin"
        }
    ]
}
myReplicaSet:PRIMARY> use myDb
switched to db myDb
myReplicaSet:PRIMARY> db.createCollection("system.profile", {capped: true, size: 262144000})
{
    "ok" : 0,
    "errmsg" : "not authorized on myDb to execute command { create: \"system.profile\", capped: true, size: 262144000.0 }",
    "code" : 13
}
myReplicaSet:PRIMARY> use admin
switched to db admin
myReplicaSet:PRIMARY> db.grantRolesToUser("myAdminUser",[{role:"dbAdmin",db:"myDb"}])
myReplicaSet:PRIMARY> use myDb
switched to db myDb
myReplicaSet:PRIMARY> db.createCollection("system.profile", {capped: true, size: 262144000})
{ "ok" : 1 }
myReplicaSet:PRIMARY> db.setProfilingLevel(2)
{ "was" : 0, "slowms" : 100, "ok" : 1 }
myReplicaSet:PRIMARY> 

http://docs.mongodb.org/manual/reference/built-in-roles/#root says that root includes dbAdminAnyDatabase which http://docs.mongodb.org/manual/reference/built-in-roles/#dbAdminAnyDatabase describes as "Provides the same access to database administration operations as dbAdmin, except it applies to all databases in the cluster." Yet I had to manually add dbAdmin for myDb in order to create the system.profile collection.

If we instead follow the later note in http://docs.mongodb.org/manual/reference/built-in-roles/#root that the restore role is needed to write or restore system.* collections, then again, this is not working as described, as restore was not sufficient either to create the system.profile collection.

Comment by Githook User [ 21/Jul/14 ]

Author: Spencer T Brody (stbrody, spencer@mongodb.com)

Message: SERVER-14355 Allow dbAdmin role to create system.profile collection with custom size
(cherry picked from commit 8f071ee21b4763f0c88832a422865ec078940631)
Branch: v2.6
https://github.com/mongodb/mongo/commit/a7940a354d61f58979c8987e593e3c7139a3c0dc

Comment by Githook User [ 15/Jul/14 ]

Author: Spencer T Brody (stbrody, spencer@mongodb.com)

Message: SERVER-14355 Allow dbAdmin role to create system.profile collection with custom size
Branch: master
https://github.com/mongodb/mongo/commit/8f071ee21b4763f0c88832a422865ec078940631

Comment by Ramon Fernandez Marina [ 03/Jul/14 ]

dharshanr@scalegrid.net, there's a workaround you can use until this issue is fixed: create a new role with at least createCollection and convertToCapped actions, and grant this role to the user. For example:

db.createRole( { role: "server-14355-workaround", privileges : [ { resource: {db: "", collection: "system.profile" }, actions: [ "createCollection", "convertToCapped" ] } ], roles: [] } )
db.grantRolesToUser( "admin", [ { role: "server-14355-workaround", db: "admin" } ] )

Hope this helps.
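
Added example (not part of the ticket or of MongoDB's code): an offline check of privilege documents in the {resource, actions} shape that rolesInfo returns with showPrivileges: true, showing why a wildcard grant does not reach system.profile and what the workaround role above adds. The reportedBehaviour privilege set is constructed to model the behaviour described in this ticket, and treating every "system.*" name as a system collection is a simplifying assumption.

```javascript
// Assumption: any collection named "system.*" counts as a system collection.
const isSystem = (coll) => coll.startsWith("system.");

// Does a privilege resource document cover the namespace db.coll?
function resourceCovers(resource, db, coll) {
  if (resource.anyResource) return true;
  if (resource.cluster) return false; // cluster resource, not a namespace
  const dbOk = resource.db === "" || resource.db === db;
  if (!dbOk) return false;
  // An empty collection string is a wildcard over non-system collections only.
  if (resource.collection === "") return !isSystem(coll);
  return resource.collection === coll;
}

// Return the wanted actions that no privilege grants on db.coll.
function missingActions(privileges, db, coll, wanted) {
  const granted = new Set();
  for (const p of privileges) {
    if (resourceCovers(p.resource, db, coll)) p.actions.forEach((a) => granted.add(a));
  }
  return wanted.filter((a) => !granted.has(a));
}

// Constructed sample: drop is granted on system.profile explicitly, while
// create/convert are only granted through the non-system wildcard.
const reportedBehaviour = [
  { resource: { db: "myDb", collection: "" },
    actions: ["createCollection", "dropCollection", "convertToCapped"] },
  { resource: { db: "myDb", collection: "system.profile" },
    actions: ["dropCollection", "find"] },
];

// Privileges of the workaround role quoted in the comment above.
const workaroundRole = [
  { resource: { db: "", collection: "system.profile" },
    actions: ["createCollection", "convertToCapped"] },
];

// Actions needed to drop and re-create the profiling collection with a new size.
const needed = ["dropCollection", "createCollection", "convertToCapped"];

function demo() {
  const combined = [...reportedBehaviour, ...workaroundRole];
  return {
    before: missingActions(reportedBehaviour, "myDb", "system.profile", needed),
    after: missingActions(combined, "myDb", "system.profile", needed),
  };
}

console.log(demo());
```

The workaround's resource uses db: "", so it covers system.profile in every database; setting db to a single database name narrows the grant.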

Comment by Ramon Fernandez Marina [ 30/Jun/14 ]

Thanks for your report dharshanr@scalegrid.net, we're able to reproduce the behavior you describe and we're investigating.
