I created a new user role that only had the "insert" privilege.
> use test
switched to db test
> db.createRole({ role: "insertonly", privileges: [ {resource: {db: "test", collection: ""}, actions: [ "insert"]}], roles: []})
{
    "role" : "insertonly",
    "privileges" : [
        {
            "resource" : {
                "db" : "test",
                "collection" : ""
            },
            "actions" : [
                "insert"
            ]
        }
    ],
    "roles" : [ ]
}
I then added a new user that only had this role:
> db.createUser({"user": "foo", "pwd": "password", "roles": [ {role: "insertonly", db: "test"}]})
Successfully added user: {
    "user" : "foo",
    "roles" : [
        {
            "role" : "insertonly",
            "db" : "test"
        }
    ]
}
I then list the collections in test:
I then authenticate as this user in a new mongo shell. I am able to create a new collection implicitly, by adding to an empty collection:
> use test
switched to db test
> db.thisisanewcollection.insert({name: "ernie", type: "cat"})
WriteResult({ "nInserted" : 1 })
I am also able to create a new collection explicitly, by calling db.createCollection():
> db.createCollection("secondnewcollection")
{ "ok" : 1 }
I can verify both of these collections are there by running show collections (as the admin user):
> show collections
secondnewcollection
system.indexes
thisisanewcollection
So there are two issues here - a user possessing only the "insert" privilege is able to:
1. Create collections implicitly by adding to a non-existent collection
2. Create collections explicitly by calling db.createCollection().
I believe 2. is a definite buggy behaviour.
For 1., this may or may not be against intentions (based on the comment at https://github.com/mongodb/mongo/blob/266b75ca868a95fd2a4e30e3cf4898de1e13698d/src/mongo/db/dbcommands.cpp#L525). However, if it is intended, it is not made clear in the documentation, and also, we should raise a new SERVER ticket to add this functionality in - that is, it is certainly desirable to have a way of preventing users from creating new collections at will.
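Added example (not part of the original report, and not MongoDB's own code): given the behaviour reported above, a role that grants "insert" across a whole database also lets its holder add collections, so this script flags such grants in role definitions. The sample document is constructed in the shape of `rolesInfo` output with `showPrivileges: true`; the `auditwriter` and `reader` roles are hypothetical.

```javascript
// Constructed sample, shaped like the result of
// db.runCommand({ rolesInfo: 1, showPrivileges: true }); not captured from a server.
const sampleRolesInfo = {
  roles: [
    { role: "insertonly", db: "test", // the role created in the report
      privileges: [{ resource: { db: "test", collection: "" }, actions: ["insert"] }] },
    { role: "auditwriter", db: "test", // hypothetical: insert on one named collection
      privileges: [{ resource: { db: "test", collection: "audit" }, actions: ["insert"] }] },
    { role: "reader", db: "test", // hypothetical: database-wide, but no insert
      privileges: [{ resource: { db: "test", collection: "" }, actions: ["find"] }] },
  ],
  ok: 1,
};

// Return one finding per privilege that grants "insert" on every collection
// of a database (collection: "") or on anyResource. Per the report, holders of
// such a privilege were able to create new collections in that database.
function findBroadInsertGrants(rolesInfo) {
  const findings = [];
  for (const role of rolesInfo.roles || []) {
    // inheritedPrivileges, when present, covers the role's own and inherited grants.
    const privileges = role.inheritedPrivileges || role.privileges || [];
    for (const priv of privileges) {
      const resource = priv.resource || {};
      const actions = priv.actions || [];
      if (!actions.includes("insert")) continue;
      const wholeDb = resource.collection === "";
      if (!wholeDb && resource.anyResource !== true) continue;
      findings.push({
        role: `${role.role}@${role.db}`,
        // An empty db string in a resource document means every database.
        db: resource.anyResource || resource.db === "" ? "<all databases>" : resource.db,
        // True when the role is also explicitly granted createCollection.
        hasCreateCollection: actions.includes("createCollection"),
      });
    }
  }
  return findings;
}

for (const f of findBroadInsertGrants(sampleRolesInfo)) {
  console.log(`${f.role}: insert on all collections of ${f.db}` +
    (f.hasCreateCollection ? "" : " (createCollection not granted explicitly)"));
}
```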