[SERVER-17529] Can't list collections when mongos is running 3.0 and config servers are running 2.6 and auth is on Created: 10/Mar/15  Updated: 18/Sep/15  Resolved: 31/Mar/15

Status: Closed
Project: Core Server
Component/s: Security, Sharding
Affects Version/s: 3.0.0
Fix Version/s: 3.0.2, 3.1.1

Type: Bug Priority: Major - P3
Reporter: Spencer Brody (Inactive) Assignee: Andreas Nilsson
Resolution: Done Votes: 0
Labels: MTC
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to SERVER-20460 listIndexes on 3.0 mongos with 2.6 mo... Closed
is related to SERVER-17830 consolidate checkAuthForXXXCommand fu... Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Completed:
Sprint: Security 1 04/03/15
Participants:

 Description   

In 3.0 we introduced the listCollections command and an associated privilege to run it, replacing the old way of listing collections of querying system.namespaces directly. The problem is that mongoses load what privileges a user should have from the config servers, so if the config servers are still running 2.6, they will not provide the listCollections privilege. This means that future listCollections requests to a 3.0 mongos will fail with an "unauthorized" error.



 Comments   
Comment by Andreas Nilsson [ 31/Mar/15 ]

I would like to see this independently tested with a 2.6 config server and 3.0 mongos. cc crystal.horn@10gen.com

Comment by Githook User [ 30/Mar/15 ]

Author:

{u'username': u'agralius', u'name': u'Andreas Nilsson', u'email': u'andreas.nilsson@10gen.com'}

Message: SERVER-17529 Let find on system.namespaces imply listCollections
Branch: v3.0
https://github.com/mongodb/mongo/commit/908ed3ec73a3c30830dbf083a5affc9734771f17

Comment by Githook User [ 27/Mar/15 ]

Author:

{u'username': u'agralius', u'name': u'Andreas Nilsson', u'email': u'andreas.nilsson@10gen.com'}

Message: SERVER-17529 Let find on system.namespaces imply listCollections
Branch: master
https://github.com/mongodb/mongo/commit/1fc9d37170bcf29068f02cc2898436281fe16d6a

Comment by Spencer Brody (Inactive) [ 10/Mar/15 ]

Potential fix is to change the access control check for the listCollections command to accept find on system.namespaces as sufficient privilege to run the command. This was what the privilege was in 2.6, introducing the listCollections action type effectively amounts to renaming the privilege. We should support both synonyms for this privilege in 3.0.

Generated at Thu Feb 08 03:44:48 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.