[SERVER-25655] mongodb permission issues Created: 17/Aug/16  Updated: 11/Sep/16  Resolved: 09/Sep/16

Status: Closed
Project: Core Server
Component/s: Admin
Affects Version/s: 3.0.12
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: asdf01
Assignee: Unassigned
Resolution: Duplicate
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates SERVER-25804 The listCollections command does not ... Closed
Operating System: ALL
Participants:

 Description   

Hey Guys

I have been observing some strange permissions related behaviour in mongodb.

  1. use db01
  2. create user01 with dbOwner role on db01
  3. login as user01
  4. db.testData.insert({"state": 1})
  5. use db02
  6. create user02 with dbOwner role on db02
  7. login as user02
  8. use db01
  9. show collections

What you should see:

  • error you do not have permissions to access db01

What you actually see:

  • user02 seems to be able to list the tables / collections on db01 without any issues


 Comments   
Comment by asdf01 [ 11/Sep/16 ]

Hi @thomas.schubert

Thanks for your diligence on this issue.

You might be right, the cause of these 2 issues might be the same.

> This can be achieved easily using user-defined roles,

Although the description in the other ticket makes the issue sound slightly more edge case. Whereas in my scenario, I had the symptom with one of the built-in roles, dbOwner. Thanks.

Comment by Kelsey Schubert [ 09/Sep/16 ]

Hi michael.qiu@wdtl.com,

Thank you for your feedback. I understand that it takes time to construct clear reproduction steps and appreciate the time you took to open this ticket. I have taken another look, and believe that the issue you describe is a duplicate of SERVER-25804.

Sorry for the confusion,
Thomas

Comment by asdf01 [ 06/Sep/16 ]

Hi @thomas.schubert. Thanks for following up on this issue. Please feel free to close this issue. I am not prepared to spend any more time with mongodb support. Most of my interactions with mongodb support have been unproductive and painful. I can't be any clearer with the reproduction steps without feeling the need to prepare bibs and an airplane shaped spoon. All the best with everything else.

Comment by Kelsey Schubert [ 06/Sep/16 ]

Hi michael.qiu@wdtl.com,

So we can continue to investigate, would you please clarify the steps to reproduce this issue as Ramon requested?

Additionally, please provide the privileges of each user.

Thank you,
Thomas

Comment by Ramon Fernandez Marina [ 18/Aug/16 ]

michael.qiu@wdtl.com, I've reopened this ticket, but in order for us to investigate, can you please elaborate on the problem?

In particular, in the original description it is not clear what operations you're launching from a shell (or from which shell), and which are new shell processes.

It would also be useful for you to copy here the privileges of each user as reported by db.getUser().

Thanks,
Ramón.

Comment by asdf01 [ 18/Aug/16 ]

Hi @thomas.schubert

Thanks for looking into this issue. Sorry I described the problem badly. I was trying to be succinct, but the terms I used gave you the impression I was trying to describe a different mongodb WTF.

What I meant by "login as user02" is logging in via the mongo shell:

mongo --port 27000 --username user02 --password user02Pw db02

and not

db.auth("user02", "user02Pw")

in an existing mongo shell session where I'm already logged in as user01.

Please give this a try. Thanks.

Comment by Kelsey Schubert [ 17/Aug/16 ]

Hi michael.qiu@wdtl.com,

This is the expected behavior. You can be logged in on different databases with several users concurrently in the shell. In this case, you will have the collective permissions of all authenticated users. If you do not want to be authenticated on a particular database you can execute db.logout() on the same database.

I have opened DOCS-8620 to clarify this behavior in our documentation.

Kind regards,
Thomas
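
Added example, not part of the ticket and not MongoDB's code: a small model of the isolation the description expects and of the "collective permissions" case in the comment above, run over privilege documents in the shape db.getUser() reports with showPrivileges. The user documents are constructed and trimmed, the function names are hypothetical, and the resource matching is a simplification of the server's rules.

```javascript
// Constructed, trimmed user documents in the shape returned by
// db.getUser(name, { showPrivileges: true }); real dbOwner lists are longer.
const user01 = {
  user: "user01", db: "db01",
  roles: [{ role: "dbOwner", db: "db01" }],
  inheritedPrivileges: [
    { resource: { db: "db01", collection: "" },
      actions: ["find", "insert", "listCollections"] },
  ],
};
const user02 = {
  user: "user02", db: "db02",
  roles: [{ role: "dbOwner", db: "db02" }],
  inheritedPrivileges: [
    { resource: { db: "db02", collection: "" },
      actions: ["find", "insert", "listCollections"] },
  ],
};

// Does a privilege's resource cover a database-level action on dbName?
// Simplified: collection "" = all non-system collections, db "" = every database.
function coversDatabase(resource, dbName) {
  if (resource.anyResource === true) return true;
  if (resource.cluster === true) return false; // cluster resource, not a database
  if (typeof resource.db !== "string") return false;
  return resource.collection === "" &&
    (resource.db === "" || resource.db === dbName);
}

// Authenticated users whose privileges grant `action` on dbName. A session holds
// the union of its users' privileges, so a single match is enough to allow it.
function grantedBy(sessionUsers, dbName, action) {
  return sessionUsers
    .filter((u) => (u.inheritedPrivileges || []).some(
      (p) => coversDatabase(p.resource, dbName) && p.actions.includes(action)))
    .map((u) => `${u.user}@${u.db}`);
}

function sessionAllows(sessionUsers, dbName, action) {
  return grantedBy(sessionUsers, dbName, action).length > 0;
}

// Fresh shell started as user02 only: nothing in its privileges covers db01.
console.log(sessionAllows([user02], "db01", "listCollections")); // false
// Shell where db.auth() was called for both users: user01 is what grants it.
console.log(grantedBy([user01, user02], "db01", "listCollections")); // user01@db01
```

If the first check returns false for the documents your server reports but "show collections" still succeeds in a shell authenticated only as that user, the listing is not explained by the user's privileges.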

Comment by asdf01 [ 17/Aug/16 ]

Sorry, it should read:

What you should see:

  • error you do not have permissions to access db01

But it seems I don't have permissions to edit tickets.
