[SERVER-16425] Remove action type for emptycapped command Created: 05/Dec/14  Updated: 06/Dec/22

Status: Backlog
Project: Core Server
Component/s: Security
Affects Version/s: 2.6.4
Fix Version/s: None

Type: Task Priority: Major - P3
Reporter: Dharmaraj Narayan Assignee: Backlog - Security Team
Resolution: Unresolved Votes: 0
Labels: platforms-re-triaged
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Gantt Dependency
has to be done after SERVER-29050 Create upgrade/downgrade mechanism fo... Backlog
Assigned Teams:
Server Security
Participants:

 Description   

mongo started as non-root user with C/R mechanism enabled.

mongod -f /opt/users/mongodbx/configs/f0ata.conf --setParameter enableTestCommands=1

$ cat /opt/users/mongodbx/configs/f0ata.conf  (snippet below)
net:
     bindIp: 1:2:3:4
     port: 29000
     ssl:
        mode:       requireSSL                    
        PEMKeyFile: /opt/users/mongodbx/ssl/mongodb.pem 
        CAFile:     /opt/users/mongodbx/ssl/ca.pem
        weakCertificateValidation: true           
        clusterFile: /opt/users/mongodbx/ssl/mongodb.pem
security:
       authorization: enabled                    
       clusterAuthMode: x509 

user mongodbx connects using shell without providing user name and password i.e. not authenticated.

mongo --host az2-labs-esx2-app3:29000 --ssl admin
MongoDB shell version: 2.6.4
connecting to: az2-labs-esx2-app3:29000/admin
rs_fata:PRIMARY> use anytoany
switched to db anytoany
rs_fata:PRIMARY> show collections
2014-12-02T14:19:02.317-0700 error: {
        "$err" : "not authorized for query on anytoany.system.namespaces",                
        "code" : 13                                  
} at src/mongo/shell/query.js:131                             <= as expected.
rs_fata:PRIMARY> db.runCommand( { emptycapped: "event"} ) 
{ "ok" : 1 }  <= Notice not authenticated !!                                                               
rs_fata:PRIMARY> show collections
2014-12-02T14:19:50.035-0700 error: {
        "$err" : "not authorized for query on anytoany.system.namespaces",
        "code" : 13
} at src/mongo/shell/query.js:131  <= expected though.
 
rs_fata:PRIMARY> use admin
switched to db admin
rs_fata:PRIMARY> db.auth("mongodba","********")
1
rs_fata:PRIMARY> use anytotany
switched to db anytotany
rs_fata:PRIMARY> db.event.count()
0                      <= works as expected since user is authenticated.

Is this a bug or expected behaviour ?



 Comments   
Comment by Spencer Jackson [ 03/May/17 ]

I did some investigation into how straightforward it is to remove an ActionType. It looks like any privileges containing the unrecognized ActionType will not be deserialized from role documents. This means custom roles with privileges granting 'emptycapped' with other ActionTypes would stop working. I filed SERVER-29050 to track the work which would be needed to implement the prerequisite upgrade downgrade. I'm moving this ticket onto the backlog, at least until SERVER-29050 is resolved.

Comment by Andreas Nilsson [ 10/Dec/14 ]

Yes, the action type will be removed and functionality retained. Unfortunately it's not as trivial as it sounds since we need to make sure new versions are backwards compatible with user-defined and built-in roles containing this privilege. That is, ignores it in an appropriate fashion.
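
The compatibility concern in the 03/May/17 and 10/Dec/14 comments above can be checked against a deployment's own custom roles. This is an added example, not code from the ticket or from MongoDB: the role documents are constructed samples in the shape of admin.system.roles entries, and `auditAction` and `stripAction` are hypothetical helper names.

```javascript
// Constructed sample role documents (shape of admin.system.roles entries).
// Assumption: on a live system an administrator would load the real ones,
// e.g. db.getSiblingDB("admin").system.roles.find().toArray().
const sampleRoles = [
  { role: "eventMaintainer", db: "anytoany", roles: [], privileges: [
    { resource: { db: "anytoany", collection: "event" },
      actions: ["find", "insert", "emptycapped"] } ] },
  { role: "eventReader", db: "anytoany", roles: [], privileges: [
    { resource: { db: "anytoany", collection: "event" }, actions: ["find"] } ] },
  { role: "capCleaner", db: "anytoany", roles: [], privileges: [
    { resource: { db: "anytoany", collection: "" }, actions: ["emptycapped"] },
    { resource: { db: "anytoany", collection: "audit" }, actions: ["find"] } ] },
];

// List every privilege that names the action, plus the other actions in the
// same privilege. Per the 03/May/17 comment, a privilege containing an
// unrecognized ActionType is not deserialized, so those go with it.
function auditAction(roles, action) {
  const findings = [];
  for (const r of roles) {
    for (const p of r.privileges || []) {
      const actions = p.actions || [];
      if (!actions.includes(action)) continue;
      findings.push({
        role: `${r.role}@${r.db}`,
        resource: p.resource,
        collateral: actions.filter((a) => a !== action),
      });
    }
  }
  return findings;
}

// Hypothetical pre-upgrade rewrite: remove only the action, and drop a
// privilege entirely when no other action remains. Input is not mutated.
function stripAction(roles, action) {
  return roles.map((r) => ({
    ...r,
    privileges: (r.privileges || [])
      .map((p) => ({ ...p, actions: (p.actions || []).filter((a) => a !== action) }))
      .filter((p) => p.actions.length > 0),
  }));
}

for (const hit of auditAction(sampleRoles, "emptycapped")) {
  console.log(hit.role, JSON.stringify(hit.resource),
    "would also lose:", hit.collateral.join(",") || "(nothing)");
}
```
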

Comment by Andreas Nilsson [ 09/Dec/14 ]

DN, the reason emptycapped is a test command is that we haven't identified any strong client need to use it in a production environment. Dropping a collection and recreating it should have the same desired outcome.

I converted this ticket to removing the action type for emptycapped.

Thank you,
Andreas

Comment by Andreas Nilsson [ 05/Dec/14 ]

I agree that there should be no assignable privilege for a test command, that is an oversight and should be fixed.

As for making emptycapped a non-test command I will circle back with my colleagues and investigate the original rationale of making it for testing only. (cc spencer)

Thank you,
Andreas

Comment by Dharmaraj Narayan [ 05/Dec/14 ]

Andreas,
Since emptycapped is also a privilege that can be granted ("User can perform the emptycapped command. Apply this action to database or collection resources.") it's confusing that a non-privileged (even a non-authenticated id) would be permitted to empty a capped collection.

Also there seems to be no other way to empty a capped collection other than with "--setParameter enableTestCommands=1" on the command line. Seems like if the feature was made to work with the privilege in place and a programmatic runtime setting, it would better fulfill a need.

Thank You.
Dharmaraj Narayan

Comment by Andreas Nilsson [ 05/Dec/14 ]

Hi,

Thanks for reporting this, it does look odd at first sight. However emptycapped is a test command and thus does not require authentication. It is enabled with the mongod flag "enableTestCommands=1".

Generated at Thu Feb 08 03:41:00 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.