[SERVER-22979] Collection creation should require "createCollection" role, and not be implicit from "insert" Created: 07/Mar/16  Updated: 22/Jan/24

Status: Backlog
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Ali Asghar Assignee: Backlog - Security Team
Resolution: Unresolved Votes: 15
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Assigned Teams:
Server Security

 Description   

I am trying to create a user for my application which will inherit from "read" role and will allow write operations except for being able to create/drop collections and create/drop indexes.

Bug can be reproduced as follows.

Step 1 – Create a database and a collection using admin privileges.

db name:  intacct-db1
collection name: col1 (insert some dummy data)

Step 2 – Create a role: (This role inherits from the read role and then adds write operations, excluding add/drop collections and indexes)

db.createRole({
    role: "Role-Intacct-App-ReadWrite-intacct-db1",
    privileges: [
        {
            resource: { db: "intacct-db1", collection: "" },
            actions: ["collStats", "convertToCapped", "dbHash", "dbStats", "find", "insert", "killCursors", "listIndexes", "listCollections", "remove", "update"]
        }
    ],
    roles: ["read"]
})

Step 3 – Create a user with this role.

db.createUser({
    user: "intacct-app",
    pwd: "somepassword",
    roles: [
        { role: "Role-Intacct-App-ReadWrite-intacct-db1", db: "intacct-db1" },
        { role: "clusterMonitor", db: "admin" }
    ]
})

Step 4 – Disconnect and reconnect using the user above.

Step 5 – Use the intacct-db1 database and create a new collection.

use intacct-db1
db.createCollection("col-name")
show collections

This seems to be a bug. I specifically excluded the Create Collection privilege from the role!



 Comments   
Comment by Zhang Youdong [ 27/Mar/17 ]

Andy Schwerin

Prohibiting implicit collection creation is very useful, e.g.:

I created a sharded cluster and want to get every collection sharded; if I can forbid the createCollection permission, this will be very simple for me.

Comment by Andy Schwerin [ 15/Mar/16 ]

This works as designed. The "createCollection" privilege enables users to run the createCollection command. In MongoDB, collection creation is implicit on insert. When we implemented user-defined roles and created the privileges, we made this choice because access control checking occurs before we know whether or not the collection exists, and because it was no weaker a behavior than was previously available.

I suggest that we convert this into a feature request ticket for allowing user defined roles to prohibit this implicit collection creation by requiring even implicit collection creations to demonstrate the createCollection privilege. The change will not be easy to implement, but may enable some access control disciplines that users would find helpful.
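A role audit for the behaviour described in the comment above, as an added example that is not part of the ticket or of MongoDB's code: it flags roles whose "insert" grant covers every collection in a database, since those can create collections implicitly whether or not "createCollection" is listed. It assumes role documents shaped like the "roles" array returned by the rolesInfo command with showPrivileges: true; the function name, the second role and both sample documents are constructed for illustration.

```javascript
// Added example (not MongoDB code). Input: role documents shaped like the
// "roles" array returned by the rolesInfo command with showPrivileges: true.
function implicitCreateFindings(roleDocs) {
  const findings = [];
  for (const role of roleDocs) {
    // inheritedPrivileges (own + inherited) is preferred when present.
    const privs = role.inheritedPrivileges || role.privileges || [];
    const merged = new Map(); // resource key -> { db, actions }
    for (const p of privs) {
      const r = p.resource || {};
      let key, db;
      if (r.anyResource === true) { key = "anyResource"; db = "*"; }
      else if (r.collection === "") { db = r.db === "" ? "*" : r.db; key = "db:" + db; }
      else continue; // cluster resource, or limited to one collection name
      if (!merged.has(key)) merged.set(key, { db, actions: new Set() });
      for (const a of p.actions || []) merged.get(key).actions.add(a);
    }
    for (const { db, actions } of merged.values()) {
      if (!actions.has("insert")) continue; // no insert, no implicit creation
      findings.push({
        role: role.role,
        db,
        // false = createCollection was left out on purpose, as in this ticket
        createCollectionGranted: actions.has("createCollection"),
      });
    }
  }
  return findings;
}

// Constructed sample input: the ticket's role (actions abbreviated), and a
// hypothetical variant whose write actions are scoped to the collection "col1".
const ticketRole = {
  role: "Role-Intacct-App-ReadWrite-intacct-db1", db: "intacct-db1",
  privileges: [{ resource: { db: "intacct-db1", collection: "" },
    actions: ["collStats", "find", "insert", "remove", "update"] }],
};
const scopedRole = {
  role: "scoped-write-example", db: "intacct-db1",
  privileges: [
    { resource: { db: "intacct-db1", collection: "col1" },
      actions: ["insert", "remove", "update"] },
    { resource: { db: "intacct-db1", collection: "" }, actions: ["find", "listCollections"] },
  ],
};

console.log(implicitCreateFindings([ticketRole, scopedRole]));
```

The scoped variant is not flagged because its insert privilege names a single collection, so an insert into any other collection name in that database is not authorized.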

Comment by Ali Asghar [ 15/Mar/16 ]

Any update?

Regards
Ali Asghar
