[SERVER-21724] Backup role can't read system.profile Created: 02/Dec/15 Updated: 16/Nov/16 Resolved: 16/Dec/15 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | 3.0.9, 3.2.1, 3.3.0 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Spencer Brody (Inactive) | Assignee: | Spencer Jackson |
| Resolution: | Done | Votes: | 0 |
| Labels: | code-and-test | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||
| Backwards Compatibility: | Fully Compatible | ||||||||
| Operating System: | ALL | ||||||||
| Backport Completed: | |||||||||
| Sprint: | Security E (01/01/16) | ||||||||
| Participants: | |||||||||
| Description |
|
If you have a database with a system.profile collection and try to back it up with mongodump authenticated as a user with the backup role you get
Either we should give the backup role the ability to back up system.profile collections, or we should modify mongodump to not attempt to back up those collections. |
| Comments |
| Comment by Githook User [ 07/Jan/16 ] |
|
Author: {u'username': u'spencerjackson', u'name': u'Spencer Jackson', u'email': u'spencer.jackson@mongodb.com'}Message: (cherry picked from commit 21bcf6b127c1bb24e74845327e8d20df26e560bc) |
| Comment by Githook User [ 15/Dec/15 ] |
|
Author: {u'username': u'spencerjackson', u'name': u'Spencer Jackson', u'email': u'spencer.jackson@mongodb.com'}Message: (cherry picked from commit 21bcf6b127c1bb24e74845327e8d20df26e560bc) |
| Comment by Githook User [ 15/Dec/15 ] |
|
Author: {u'username': u'spencerjackson', u'name': u'Spencer Jackson', u'email': u'spencer.jackson@mongodb.com'}Message: |
| Comment by Spencer Brody (Inactive) [ 03/Dec/15 ] |
|
We should confirm the behavior of mongorestore in the presence of system.profile collections in the dump. If it tries to insert directly into system.profile it will get an error. |
| Comment by Andreas Nilsson [ 02/Dec/15 ] |
|
I' surprised the backup role doesn't already have it. That's an oversight. Let's fix it on master and backport. |
| Comment by Spencer Brody (Inactive) [ 02/Dec/15 ] |
|
Adding new privileges to built-in roles is very easy. Should be no problem to grant these privileges to the backup role if that's what we want to do. |
| Comment by Daniel Pasette (Inactive) [ 02/Dec/15 ] |
|
I feel like excluding those collections from mongodump will be confusing in the case that users actually do want them. I don't want to create a special flag to include/exclude them. How hard is it to grant privs to backup user? Given new features in MMS depend on profiling, this may come up more frequently than previously. |