[SERVER-26734] indexStats action is not sufficient privileges for $indexStats operator Created: 21/Oct/16 Updated: 16/Oct/21 Resolved: 27/Dec/16 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Querying, Security |
| Affects Version/s: | None |
| Fix Version/s: | 3.2.13, 3.4.2, 3.5.2 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Adam Harrison | Assignee: | James Wahlin |
| Resolution: | Done | Votes: | 2 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Backport Requested: | v3.4, v3.2 |
| Steps To Reproduce: | 1) Create user "test" with "dbOwner" role on a database |
| Sprint: | Query 2017-01-23 |
| Participants: |
| Description |
|
Per the $indexStats documentation (https://docs.mongodb.com/manual/reference/operator/aggregation/indexStats/): "If running with access control, the user must have privileges that include indexStats action." A database user with "dbOwner" database privileges is able to grant themselves privileges which include the "indexStats" action in their respective database. These privileges do not allow the user to use the $indexStats aggregation operator.
However, a database user with the built-in "clusterMonitor" role is able to use the operator, as it has the "indexStats" action (https://docs.mongodb.com/v3.2/reference/built-in-roles/#clusterMonitor). Can the "indexStats" action be assigned by itself, or must it be coupled with other actions? Ideally, I would like to be able to assign this privilege without offering all the permissions provided in the clusterMonitor role. |
| Comments |
| Comment by Githook User [ 13/Feb/17 ] |
|
Author: Kyle Suarez (ksuarz) <ksuarz@gmail.com> Message: |
| Comment by Githook User [ 18/Jan/17 ] |
|
Author: James Wahlin (jameswahlin) <james.wahlin@10gen.com> Message: (cherry picked from commit 67257272a057635640318842ea05b28e8499f71a) |
| Comment by Githook User [ 27/Dec/16 ] |
|
Author: James Wahlin (jameswahlin) <james.wahlin@10gen.com> Message: |
| Comment by Kyle Suarez [ 21/Dec/16 ] |
|
It appears that this was deliberately done as a part of |
| Comment by Kelsey Schubert [ 16/Dec/16 ] |
|
Hi aharrison, Sorry for the delay getting back to you. We're able to reproduce this bug and will update this ticket as we work towards a fix. The issue is that currently the privilege check to execute $indexStats requires global privilege to execute this command on any database. As you correctly identify, you currently would need to use the built-in role "clusterMonitor" to execute $indexStats. Kind regards, |
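The 16/Dec/16 comment above attributes the failure to a check that requires the action on any database. The sketch below is an added illustration, not code from this ticket or from MongoDB: a simplified model of resource-pattern matching that shows why a database-scoped `indexStats` grant fails that check while `clusterMonitor` passes it. The `sales` and `hr` names, the custom role and the namespace-scoped check are assumptions made for the example.

```javascript
// Added illustration: a simplified model of MongoDB privilege matching.
// Privilege documents use the real { resource, actions } shape; the role
// contents, database and collection names are constructed for the example.
// System collections and the anyResource pattern are not modelled.

// Does a granted resource pattern cover the resource a check requires?
function covers(granted, required) {
  if (granted.cluster || required.cluster) return false; // only db/collection resources here
  const dbOk = granted.db === "" || granted.db === required.db;
  const collOk = granted.collection === "" || granted.collection === required.collection;
  return dbOk && collOk;
}

function isAuthorized(privileges, required, action) {
  return privileges.some(p => p.actions.includes(action) && covers(p.resource, required));
}

// Check as described in the comment: the action must be held on any database.
function globalCheck(privileges) {
  return isAuthorized(privileges, { db: "", collection: "" }, "indexStats");
}

// Assumed alternative: check only the namespace the aggregation runs against.
function scopedCheck(privileges, db, collection) {
  return isAuthorized(privileges, { db, collection }, "indexStats");
}

// Constructed custom role: what a dbOwner of "sales" can grant inside that database.
const customIndexStats = [{ resource: { db: "sales", collection: "" }, actions: ["indexStats"] }];
// Subset of the built-in clusterMonitor role that matters here (all databases).
const clusterMonitorSubset = [
  { resource: { cluster: true }, actions: ["serverStatus"] },
  { resource: { db: "", collection: "" }, actions: ["collStats", "dbStats", "indexStats"] },
];

function report() {
  return {
    customGlobal: globalCheck(customIndexStats),                     // scoped grant vs. global check
    customScoped: scopedCheck(customIndexStats, "sales", "orders"),  // same grant, namespace check
    customOtherDb: scopedCheck(customIndexStats, "hr", "staff"),     // must stay denied elsewhere
    monitorGlobal: globalCheck(clusterMonitorSubset),
  };
}
console.log(report());
```

The `customOtherDb` case is the least-privilege property the reporter is asking for: a namespace-scoped check admits the grant on its own database without opening any other.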
| Comment by Adam Harrison [ 14/Nov/16 ] |
|
Hi Ramon, I just wanted to follow up to see if you had any updates on this issue. Thanks! Adam |
| Comment by Ramon Fernandez Marina [ 24/Oct/16 ] |
|
Thanks for your report Adam, we're investigating. |