[SERVER-21724] Backup role can't read system.profile

Created: 02/Dec/15
Updated: 16/Nov/16
Resolved: 16/Dec/15

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 3.0.9, 3.2.1, 3.3.0

Type: Bug Priority: Major - P3
Reporter: Spencer Brody (Inactive) Assignee: Spencer Jackson
Resolution: Done Votes: 0
Labels: code-and-test
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
is documented by DOCS-6843 backup role in 3.2.1 can read system.... Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Completed:
Sprint: Security E (01/01/16)
Participants:

 Description   

If you have a database with a system.profile collection and try to back it up with mongodump authenticated as a user with the backup role, you get:

>mongodump -u backup -p pwd
2015-12-01T19:20:53.419-0500    Failed: error counting test.system.profile: not authorized on test to execute command { count: "system.profile", query: {} }

Either we should give the backup role the ability to back up system.profile collections, or we should modify mongodump to not attempt to back up those collections.



 Comments   
Comment by Githook User [ 07/Jan/16 ]

Author: Spencer Jackson (spencerjackson) <spencer.jackson@mongodb.com>

Message: SERVER-21724 Let backup role read system.profile

(cherry picked from commit 21bcf6b127c1bb24e74845327e8d20df26e560bc)
Branch: v3.0
https://github.com/mongodb/mongo/commit/22b6f8af8c770f51f68b81059af2541429ae880e

Comment by Githook User [ 15/Dec/15 ]

Author: Spencer Jackson (spencerjackson) <spencer.jackson@mongodb.com>

Message: SERVER-21724 Let backup role read system.profile

(cherry picked from commit 21bcf6b127c1bb24e74845327e8d20df26e560bc)
Branch: v3.2
https://github.com/mongodb/mongo/commit/f99421466679478b8aba02344fa2c9b126946350

Comment by Githook User [ 15/Dec/15 ]

Author: Spencer Jackson (spencerjackson) <spencer.jackson@mongodb.com>

Message: SERVER-21724 Let backup role read system.profile
Branch: master
https://github.com/mongodb/mongo/commit/21bcf6b127c1bb24e74845327e8d20df26e560bc

Comment by Spencer Brody (Inactive) [ 03/Dec/15 ]

We should confirm the behavior of mongorestore in the presence of system.profile collections in the dump. If it tries to insert directly into system.profile it will get an error.

Comment by Andreas Nilsson [ 02/Dec/15 ]

I'm surprised the backup role doesn't already have it. That's an oversight. Let's fix it on master and backport.

Comment by Spencer Brody (Inactive) [ 02/Dec/15 ]

Adding new privileges to built-in roles is very easy. Should be no problem to grant these privileges to the backup role if that's what we want to do.

Comment by Daniel Pasette (Inactive) [ 02/Dec/15 ]

I feel like excluding those collections from mongodump will be confusing in the case that users actually do want them. I don't want to create a special flag to include/exclude them. How hard is it to grant privs to backup user? Given new features in MMS depend on profiling, this may come up more frequently than previously.
