[SERVER-20482] Change of behaviour in db.system.users.getIndexes() b/w 2.6 and 3.0 Created: 18/Sep/15  Updated: 30/Sep/15  Resolved: 30/Sep/15

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 3.0.5
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Ankit Kakkar Assignee: Andreas Nilsson
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates SERVER-20460 listIndexes on 3.0 mongos with 2.6 mo... Closed
Related
is related to SERVER-20460 listIndexes on 3.0 mongos with 2.6 mo... Closed
Operating System: ALL
Sprint: Security A 10/09/15
Participants:

 Description   

It seems that there is a permission issue on db.system.users.getIndexes() in 3.0. In 2.6, this seems to be working fine. The following are the steps that I used to replicate this issue:

  1. Install MongoDB 2.4 (since users were stored in the <database>.system.users collection in 2.4).
  2. Create a user with the readWrite and dbOwner roles.

    db.addUser( { user: "user", pwd: "user", roles: ["readWrite","dbOwner"] } )
    ankit(mongod-2.4.14) test> db.system.users.find()
    {
      "_id": ObjectId("55fb9dc4ab757ec03e77562d"),
      "user": "user",
      "pwd": "fa26a506aa0f786a447bbd6d1caaa8b5",
      "roles": [
        "readWrite",
        "dbOwner"
      ]
    }
    

  3. Start MongoDB and execute the following queries:

    ankit:log-11213 ankit$ mongo
    MongoDB shell version: 2.4.14
    connecting to: test
    Mongo-Hacker 0.0.8
    > db.auth("user","user")
    1
    > show collections
    system.indexes → 0.000MB / 0.004MB
    system.users   →   NaNMB /   NaNMB
    > db.system.users.getIndexes()
    [
      {
        "v": 1,
        "name": "_id_",
        "key": {
          "_id": 1
        },
        "ns": "test.system.users"
      },
      {
        "v": 1,
        "name": "user_1_userSource_1",
        "key": {
          "user": 1,
          "userSource": 1
        },
        "unique": true,
        "ns": "test.system.users"
      }
    ]
    

  4. Upgrade to 2.6 (note that it requires an authorization schema upgrade). Users will be copied to the admin.system.users collection, but the <database>.system.users collection still remains in the database in question.
  5. Connect via the mongo client and execute the following query:

    connecting to: test
    Mongo-Hacker 0.0.8
    > db.auth("user","user")
    1
    > show collections
    system.indexes → 0.000MB / 0.004MB
    system.users   →   NaNMB /   NaNMB
    > db.system.users.getIndexes()
    [
      {
        "v": 1,
        "name": "_id_",
        "key": {
          "_id": 1
        },
        "ns": "test.system.users"
      },
      {
        "v": 1,
        "name": "user_1_userSource_1",
        "key": {
          "user": 1,
          "userSource": 1
        },
        "unique": true,
        "ns": "test.system.users"
      }
    ]
    

  6. Upgrade to 3.0.5, connect via mongo and execute the following command:

    ankit:log-11213 ankit$ mongo
    MongoDB shell version: 3.0.5
    connecting to: test
    > db.auth("user","user")
    1
    > db.system.users.getIndexes()
    2015-09-18T11:01:15.116+0530 E QUERY    Error: listIndexes failed: {
      "ok": 0,
      "errmsg": "not authorized on test to execute command { listIndexes: \"system.users\" }",
      "code": 13
    }
        at Error (<anonymous>)
        at DBCollection._getIndexesCommand (src/mongo/shell/collection.js:1019:15)
        at DBCollection.getIndexes (src/mongo/shell/collection.js:1026:20)
        at (shell):1:17 at src/mongo/shell/collection.js:1019
    

Notice the permission issue coming in 3.0.5 while it was working fine in 2.6.



 Comments   
Comment by Andreas Nilsson [ 30/Sep/15 ]

This bug is a consequence of SERVER-20460 and was fixed when resolving that ticket.

I have verified that it is no longer present in master or 3.0.7.
