[SERVER-14701] The "backup" auth role should allow running the "collstats" command for all resources
Created: 27/Jul/14  Updated: 11/Jul/16  Resolved: 29/Jul/14

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 2.6.4, 2.7.5

Type: Bug
Priority: Major - P3
Reporter: Cailin Nelson
Assignee: Amalia Hawkins
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related: is related to SERVER-13727 The "backup" auth role should allow r... (Closed)
Backwards Compatibility: Fully Compatible
Operating System: ALL

 Description   

This is an extension of SERVER-13727. Unfortunately, that ticket did not specify that this privilege is necessary for all collections, including the system collections.

Here's what my user looks like:

backup_test:PRIMARY> db.system.users.find({user:'mms-backup-agent'}).pretty()
{
	"_id" : "admin.mms-backup-agent",
	"user" : "mms-backup-agent",
	"db" : "admin",
	"credentials" : {
		"MONGODB-CR" : "6187ca3816a65edef454cc6de1e05fb7"
	},
	"roles" : [
		{
			"role" : "backup",
			"db" : "admin"
		}
	]
}

and here's what happens when I try to perform collstats on system.users:

backup_test:PRIMARY> db.auth('mms-backup-agent','10gen')
1
backup_test:PRIMARY>  db.runCommand({ collstats: "system.users" });
{
	"ok" : 0,
	"errmsg" : "not authorized on admin to execute command { collstats: \"system.users\" }",
	"code" : 13
}
backup_test:PRIMARY> 
backup_test:PRIMARY> use food
switched to db food
backup_test:PRIMARY> db.runCommand({ collstats: "desert" });
{
	"ns" : "food.desert",
	"count" : 1,
	"size" : 48,
	"avgObjSize" : 48,
	"storageSize" : 8192,
	"numExtents" : 1,
	"nindexes" : 1,
	"lastExtentSize" : 8192,
	"paddingFactor" : 1,
	"systemFlags" : 1,
	"userFlags" : 1,
	"totalIndexSize" : 8176,
	"indexSizes" : {
		"_id_" : 8176
	},
	"ok" : 1
}

Notice that I can perform collstats on a regular collection like food.desert.

I think the problem is here. I'm guessing that system.users is not a "normal resource".
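The behaviour reported above can be reproduced with a small model of privilege resource matching. This is an added example, not code from the ticket or from the MongoDB server. It assumes the documented resource-document semantics, where an empty collection string covers non-system collections only, and the two roles and the helper names are hypothetical.

```javascript
// Simplified model of privilege resource matching; not MongoDB server code.
"use strict";

// Collections whose name starts with "system." are system collections.
function isSystemCollection(coll) {
  return coll.startsWith("system.");
}

// Does a privilege's resource document cover the namespace db.coll?
function resourceMatches(resource, db, coll) {
  if (resource.anyResource === true) return true;
  if (resource.cluster === true) return false; // cluster resource is not a namespace
  if (resource.db !== "" && resource.db !== db) return false;
  // An empty collection string is a wildcard over non-system collections only.
  if (resource.collection === "") return !isSystemCollection(coll);
  return resource.collection === coll; // explicitly named, system or not
}

function isAuthorized(role, action, db, coll) {
  return role.privileges.some(
    (p) => p.actions.includes(action) && resourceMatches(p.resource, db, coll)
  );
}

// Audit helper: namespaces on which the role cannot run the action.
function uncovered(role, action, namespaces) {
  return namespaces.filter((ns) => {
    const dot = ns.indexOf("."); // database name ends at the first dot
    return !isAuthorized(role, action, ns.slice(0, dot), ns.slice(dot + 1));
  });
}

// Constructed roles (hypothetical, not the real "backup" privilege list).
const wildcardOnly = {
  role: "wildcardOnly",
  privileges: [{ resource: { db: "", collection: "" }, actions: ["collStats"] }],
};
const allResources = {
  role: "allResources",
  privileges: [{ resource: { anyResource: true }, actions: ["collStats"] }],
};

// Namespaces taken from the ticket's shell session.
const namespaces = ["admin.system.users", "food.desert"];
console.log(uncovered(wildcardOnly, "collStats", namespaces));
console.log(uncovered(allResources, "collStats", namespaces));
```

The same `uncovered` check can be run against the `privileges` array of any role document to list system collections a wildcard grant silently skips.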



 Comments   
Comment by Githook User [ 29/Jul/14 ]

Author: Amalia Hawkins (hawka, amalia.hawkins@10gen.com)

Message: SERVER-14701 backup auth role should allow running the collstats command for all resources
(cherry picked from commit 5e515de16fe1eac1f7079a2a95aa9e4f716ee3ec)
Branch: v2.6
https://github.com/mongodb/mongo/commit/b0a65d1f8756bdb933e91a79fd0639a6e42ea52e

Comment by Githook User [ 28/Jul/14 ]

Author: Amalia Hawkins (hawka, amalia.hawkins@10gen.com)

Message: SERVER-14701 backup auth role should allow running the collstats command for all resources
Branch: master
https://github.com/mongodb/mongo/commit/5e515de16fe1eac1f7079a2a95aa9e4f716ee3ec
