[SERVER-19131] clusterManager role does not have permission for adding tag ranges
Created: 25/Jun/15 Updated: 13/Oct/15 Resolved: 14/Aug/15

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 2.6.5 |
| Fix Version/s: | 3.0.7, 3.1.7 |
| Type: | Bug | Priority: | Critical - P2 |
| Reporter: | Anil Kumar | Assignee: | Merry Mou |
| Resolution: | Done | Votes: | 0 |
| Labels: | authorization |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | 2.6.x |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Sprint: | Security 7 08/10/15, Security 8 08/28/15 |
| Description |
|
The clusterManager role provides the necessary authorizations for managing a cluster. Although most of the commands and the explicit updates on collections like config.settings are authorized, some of the lesser-used operations, like sh.addTagRange, that perform an operation directly on the underlying collection config.tag are not authorized and need an additional readWrite permission to be granted on the config database. |
| Comments |
| Comment by Githook User [ 31/Aug/15 ] |
|
Author: {u'name': u'Merry Mou', u'email': u'merry.mou@mongodb.com'} Message: |
| Comment by Githook User [ 14/Aug/15 ] |
|
Author: {u'name': u'Merry Mou', u'email': u'merry.mou@mongodb.com'} Message: |
| Comment by Spencer Brody (Inactive) [ 16/Jul/15 ] |
|
Yep, this is a real bug. The clusterManager role should be granted insert, update, and remove privileges on the config.tags collection. |
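
Added illustration, not part of the ticket or of MongoDB's code: on affected versions, a narrower alternative to granting readWrite on the whole config database is a custom role limited to the three actions named in the comment above, and the same action list can be used to audit a role's privileges. The role name `tagRangeManager`, the helper functions and the sample privileges are assumptions constructed for this example.

```javascript
// Actions the ticket's comment says are needed on config.tags.
const NEEDED = ["insert", "update", "remove"];

// Hypothetical custom role (the name is an assumption) scoped to config.tags only.
// In the mongo shell: db.getSiblingDB("admin").createRole(TAG_RANGE_ROLE)
const TAG_RANGE_ROLE = {
  role: "tagRangeManager",
  privileges: [
    { resource: { db: "config", collection: "tags" }, actions: NEEDED },
  ],
  roles: [],
};

// True when a privilege's resource covers db.coll. Only the exact,
// whole-database and anyResource forms are evaluated; other wildcard
// forms are treated as non-matching, so the audit errs toward "missing".
function covers(resource, db, coll) {
  if (resource.anyResource === true) return true;
  if (resource.db !== db) return false;
  if (resource.collection === coll) return true;
  // An empty collection name means all non-system collections in the db.
  return resource.collection === "" && !coll.startsWith("system.");
}

// Given a privileges array (shape as returned by rolesInfo with
// showPrivileges: true), return the needed actions that are not granted.
function missingActions(privileges, db, coll, needed) {
  const granted = new Set();
  for (const p of privileges) {
    if (covers(p.resource, db, coll)) p.actions.forEach((a) => granted.add(a));
  }
  return needed.filter((a) => !granted.has(a));
}

// Constructed sample: cluster actions plus writes on config.settings,
// but nothing on config.tags (the gap the ticket describes).
const SAMPLE_UNFIXED = [
  { resource: { cluster: true }, actions: ["addShard", "listShards"] },
  { resource: { db: "config", collection: "settings" },
    actions: ["insert", "update", "remove"] },
];

console.log(missingActions(SAMPLE_UNFIXED, "config", "tags", NEEDED));
console.log(missingActions(TAG_RANGE_ROLE.privileges, "config", "tags", NEEDED));
```

Feeding `missingActions` the `privileges` and `inheritedPrivileges` arrays from a real `rolesInfo` result shows whether a given deployment's role already covers config.tags.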