[SERVER-16944] dbAdminAnyDatabase should have full parity with dbAdmin for a given database
Created: 20/Jan/15  Updated: 25/Jan/17  Resolved: 04/Mar/15

Status: Closed
Project: Core Server
Component/s: Admin, Security
Affects Version/s: None
Fix Version/s: 3.0.1, 3.1.0

Type: Bug
Priority: Major - P3
Reporter: Ramon Fernandez Marina
Assignee: Spencer Brody (Inactive)
Resolution: Done
Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to DOCS-4702 root role does have access to system.... Closed
related to SERVER-14355 Allow dbAdmin role to manually create... Closed
Backwards Compatibility: Minor Change
Operating System: ALL
Backport Completed:
Participants:

 Description   
Originally reported in SERVER-14355:

This is not fixed in MongoDB 2.6.6 – using a user with root and restore privileges was not sufficient to create the system.profile collection:

myReplicaSet:PRIMARY> db.system.users.find({user:"myAdminUser"}).pretty()
{
    "_id" : "admin.myAdminUser",
    "user" : "myAdminUser",
    "db" : "admin",
    "credentials" : {
        "MONGODB-CR" : "XXXXXXXXXXXXXXXXXXXXXX"
    },
    "roles" : [
        {
            "role" : "restore",
            "db" : "admin"
        },
        {
            "role" : "root",
            "db" : "admin"
        }
    ]
}
myReplicaSet:PRIMARY> use myDb
switched to db myDb
myReplicaSet:PRIMARY> db.createCollection("system.profile", {capped: true, size: 262144000})
{
    "ok" : 0,
    "errmsg" : "not authorized on myDb to execute command { create: \"system.profile\", capped: true, size: 262144000.0 }",
    "code" : 13
}
myReplicaSet:PRIMARY> use admin
switched to db admin
myReplicaSet:PRIMARY> db.grantRolesToUser("myAdminUser",[{role:"dbAdmin",db:"myDb"}])
myReplicaSet:PRIMARY> use myDb
switched to db myDb
myReplicaSet:PRIMARY> db.createCollection("system.profile", {capped: true, size: 262144000})
{ "ok" : 1 }
myReplicaSet:PRIMARY> db.setProfilingLevel(2)
{ "was" : 0, "slowms" : 100, "ok" : 1 }
myReplicaSet:PRIMARY> 

http://docs.mongodb.org/manual/reference/built-in-roles/#root says that root includes dbAdminAnyDatabase which http://docs.mongodb.org/manual/reference/built-in-roles/#dbAdminAnyDatabase describes as "Provides the same access to database administration operations as dbAdmin, except it applies to all databases in the cluster." Yet I had to manually add dbAdmin for myDb in order to create the system.profiles collection.

If we instead follow the later note in http://docs.mongodb.org/manual/reference/built-in-roles/#root that the restore role is needed to write or restore system.* collections, then again, this is not working as described, as restore was not sufficient either to create the system.profile collection.
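
The parity this ticket asks for can be checked mechanically by comparing the privilege lists that `rolesInfo` returns with `showPrivileges: true`. The following is an added example, not code from the ticket or from MongoDB: the function names are hypothetical, the privilege lists are constructed rather than the real built-in role definitions, and the resource matching is a simplified model.

```javascript
// Added example: privilege-parity check between a database-scoped role and
// its cluster-wide counterpart. Input uses the privilege-document shape
// ({resource, actions}) returned by rolesInfo with showPrivileges: true.

// Does a privilege resource pattern cover the concrete namespace db.coll?
// Simplified model: ignores special handling of the local/config databases.
function covers(pattern, db, coll) {
  if (pattern.anyResource) return true;
  if (pattern.cluster || pattern.db === undefined) return false;
  const dbOk = pattern.db === "" || pattern.db === db;
  // An empty collection name matches only non-system collections;
  // system.* collections must be named explicitly.
  const collOk = pattern.collection === ""
    ? !coll.startsWith("system.")
    : pattern.collection === coll;
  return dbOk && collOk;
}

// Set of actions a privilege list grants on db.coll.
function actionsOn(privileges, db, coll) {
  const out = new Set();
  for (const p of privileges)
    if (covers(p.resource, db, coll)) p.actions.forEach(a => out.add(a));
  return out;
}

// Actions the reference role grants on each namespace that the candidate lacks.
function parityGaps(reference, candidate, db, colls) {
  const gaps = {};
  for (const coll of colls) {
    const have = actionsOn(candidate, db, coll);
    const missing = [...actionsOn(reference, db, coll)].filter(a => !have.has(a));
    if (missing.length) gaps[`${db}.${coll}`] = missing.sort();
  }
  return gaps;
}

// Constructed sample privileges (NOT the real built-in role definitions).
const dbScoped = [
  { resource: { db: "myDb", collection: "" }, actions: ["collStats", "createCollection"] },
  { resource: { db: "myDb", collection: "system.profile" }, actions: ["createCollection", "find"] },
];
const anyDb = [
  { resource: { db: "", collection: "" }, actions: ["collStats", "createCollection"] },
  { resource: { db: "", collection: "system.profile" }, actions: ["find"] },
];

console.log(parityGaps(dbScoped, anyDb, "myDb", ["orders", "system.profile"]));
```

In this constructed case the wildcard grant on `{db: "", collection: ""}` does not reach `system.profile`, so the only gap reported is `createCollection` on `myDb.system.profile`, the same operation that fails in the transcript above.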



 Comments   
Comment by Githook User [ 04/Mar/15 ]

Author: Spencer T Brody (stbrody) <spencer@mongodb.com>

Message: SERVER-16944 dbAdminAnyDatabase should be able to do anything dbAdmin can

(cherry picked from commit 95dc9c1cc55f83d33f9db1a61edf5e1d81f76916)
Branch: v3.0
https://github.com/mongodb/mongo/commit/da80f73c9d210b04ac0161758fa6e85f1e0613d5

Comment by Spencer Brody (Inactive) [ 04/Mar/15 ]

Typo'd the ticket number in the commit message.
https://github.com/mongodb/mongo/commit/95dc9c1cc55f83d33f9db1a61edf5e1d81f76916
