[SERVER-22979] Collection creation should require "createCollection" role, and not be implicit from "insert"

Created: 07/Mar/16 | Updated: 22/Jan/24
| Status: | Backlog |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Ali Asghar | Assignee: | Backlog - Security Team |
| Resolution: | Unresolved | Votes: | 15 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Assigned Teams: | Server Security |
| Participants: | |
| Case: | (copied to CRM) |
| Description |
I am trying to create a user for my application which will inherit from the "read" role and will allow write operations except for being able to create/drop collections and create/drop indexes. The bug can be reproduced as follows.

Step 1 – Create a database and a collection using admin privileges.
Step 2 – Create a role: (This role inherits from the read role and then adds write operations excluding add/drop collections and indexes)
Step 3 – Create a user with this role.
Step 4 – Disconnect and reconnect using the user above.
Step 5 – use intacct-db1 database and create a new collection.

This seems to be a bug. I specifically excluded the Create Collection privilege from the role!
| Comments |
| Comment by Zhang Youdong [ 27/Mar/17 ] |
Prohibiting implicit collection creation is very useful, e.g. I created a sharded cluster and want to get every collection sharded; if I can forbid the createCollection permission, this will be very simple for me.
| Comment by Andy Schwerin [ 15/Mar/16 ] |
This works as designed. The "createCollection" privilege enables users to run the createCollection command. In MongoDB, collection creation is implicit on insert. When we implemented user-defined roles and created the privileges, we made this choice because access control checking occurs before we know whether or not the collection exists, and because it was no weaker a behavior than was previously available. I suggest that we convert this into a feature request ticket for allowing user-defined roles to prohibit this implicit collection creation by requiring even implicit collection creations to demonstrate the createCollection privilege. The change will not be easy to implement, but may enable some access control disciplines that users would find helpful.
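A role review can surface the behaviour described in the comment above. The following is an added example, not part of the ticket or of MongoDB's code: it scans a role document shaped like `rolesInfo` output with `showPrivileges: true` and reports namespaces where `insert` is granted but no applicable privilege grants `createCollection`. The role, database and collection names, the helper names and the `IMPLICIT_CREATORS` list are assumptions made for illustration.

```javascript
// Constructed sample shaped like one rolesInfo entry requested with
// showPrivileges: true. Role, database and collection names are made up.
const sampleRole = {
  role: "appWriter", db: "appdb",
  privileges: [
    { resource: { db: "appdb", collection: "" },
      actions: ["insert", "update", "remove"] },
    { resource: { db: "appdb", collection: "audit" },
      actions: ["insert", "createCollection"] },
  ],
  inheritedPrivileges: [
    { resource: { db: "appdb", collection: "" },
      actions: ["find", "listCollections", "insert", "update", "remove"] },
  ],
};

// Actions treated as able to create a collection as a side effect. The
// ticket names only insert; pass a longer list if your review needs one.
const IMPLICIT_CREATORS = ["insert"];

// True when a privilege on `broad` also applies to `narrow`
// ("" means "any" for db or collection in a privilege resource).
function covers(broad, narrow) {
  return (broad.db === "" || broad.db === narrow.db) &&
    (broad.collection === "" || broad.collection === narrow.collection);
}

// Returns namespaces where the role can create collections implicitly
// although no applicable privilege grants createCollection.
function findImplicitCreateGaps(roleDoc, creators = IMPLICIT_CREATORS) {
  const privs = [...(roleDoc.privileges || []),
    ...(roleDoc.inheritedPrivileges || [])]
    .filter((p) => p.resource && typeof p.resource.db === "string");
  const gaps = new Map();
  for (const p of privs) {
    const via = p.actions.filter((a) => creators.includes(a));
    if (via.length === 0) continue;
    const explicit = privs.some((q) =>
      q.actions.includes("createCollection") && covers(q.resource, p.resource));
    if (explicit) continue;
    const ns = `${p.resource.db || "*"}.${p.resource.collection || "*"}`;
    gaps.set(ns, { namespace: ns, via });
  }
  return [...gaps.values()];
}

console.log(findImplicitCreateGaps(sampleRole));
```

Each reported namespace marks a place where the role author may believe collection creation is blocked while an insert into a non-existent collection would still create it.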
| Comment by Ali Asghar [ 15/Mar/16 ] |
Any update? Regards