[SERVER-19131] clusterManager role does not have permission for adding tag ranges Created: 25/Jun/15  Updated: 13/Oct/15  Resolved: 14/Aug/15

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.6.5
Fix Version/s: 3.0.7, 3.1.7

Type: Bug Priority: Critical - P2
Reporter: Anil Kumar Assignee: Merry Mou
Resolution: Done Votes: 0
Labels: authorization
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: 2.6.x


Issue Links:
Related
related to SERVER-6357 Add tag based sharding commands Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Completed:
Steps To Reproduce:
  • Launch an auth enabled cluster
  • Add user with [userAdminAnyDatabase, clusterManager] role at cluster level
  • Add a tag range enabled sharded cluster

    sh.enableSharding("test")
    sh.shardCollection("test.test", {_id: 1})
    sh.addTagRange("test.test", {_id: 1}, {_id: 10}, "S1")
    // The above statement should fail with authorization error.
    

Sprint: Security 7 08/10/15, Security 8 08/28/15
Participants:

 Description   

The clusterManager role provides the necessary authorizations for managing a cluster. Although most of the commands and the explicit updates on collections like config.settings are authorized, some of the lesser-used operations like sh.addTagRange, which performs an operation directly on the underlying collection config.tag, are not authorized and need an additional readWrite permission to be granted on the config database.



 Comments   
Comment by Githook User [ 31/Aug/15 ]

Author: Merry Mou <merry.mou@mongodb.com>

Message: SERVER-19131 Give clusterManager role privileges to config.tags
Branch: v3.0
https://github.com/mongodb/mongo/commit/30ec554085a583ffa70a1f5e532496c50255d1d9

Comment by Githook User [ 14/Aug/15 ]

Author: Merry Mou <merry.mou@mongodb.com>

Message: SERVER-19131 Give clusterManager role privileges to config.tags
Branch: master
https://github.com/mongodb/mongo/commit/8fbd2f5bf969c1a06e85a5edd77d767d2c587193

Comment by Spencer Brody (Inactive) [ 16/Jul/15 ]

Yep, this is a real bug. The clusterManager role should be granted insert, update, and remove privileges on the config.tags collection.
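
On an affected version, a custom role limited to the three actions named in the comment above is narrower than granting readWrite on the whole config database. The following is an added example, not part of the ticket or of MongoDB's code: the role name `tagRangeManager` and the simplified privilege models are assumptions, and config.chunks and config.shards stand in for other collections in the config database.

```javascript
// Added example (not MongoDB source). The role name and the modeled privilege
// sets are assumptions; matching is simplified to exact or "" (wildcard) names.

// Narrow role: only the actions on config.tags named in the ticket comment.
// In the mongo shell this document could be passed to db.createRole() on admin.
const tagRangeRole = {
  role: "tagRangeManager", // hypothetical role name
  privileges: [{
    resource: { db: "config", collection: "tags" },
    actions: ["insert", "update", "remove"],
  }],
  roles: [],
};

// Constructed model of the pre-fix behaviour the ticket describes:
// writes to config.settings are authorized, writes to config.tags are not.
const clusterManagerPreFix = {
  role: "clusterManager (modeled, pre-fix)",
  privileges: [{
    resource: { db: "config", collection: "settings" },
    actions: ["insert", "update", "remove"],
  }],
  roles: [],
};

// Constructed model of the broad workaround: readWrite on the config database.
const readWriteOnConfig = {
  role: "readWrite@config (modeled)",
  privileges: [{
    resource: { db: "config", collection: "" }, // "" = every collection
    actions: ["find", "insert", "update", "remove"],
  }],
  roles: [],
};

// True if any privilege of any role covers the action on db.collection.
function isAuthorized(roles, db, collection, action) {
  return roles.some((r) => r.privileges.some((p) =>
    (p.resource.db === "" || p.resource.db === db) &&
    (p.resource.collection === "" || p.resource.collection === collection) &&
    p.actions.includes(action)));
}

// Config collections the roles can update although the task does not need them.
function excessWrites(roles, candidates, needed) {
  return candidates.filter((c) => !needed.includes(c) &&
    isAuthorized(roles, "config", c, "update"));
}
```

Comparing `excessWrites` for the two role sets shows what the broad workaround adds: the narrow role leaves config.chunks and config.shards unwritable, while the modeled readWrite grant does not.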
