[SERVER-27194] Views should require both "viewOn" and "pipeline" to be specified if modifying view when auth is enabled Created: 28/Nov/16 Updated: 05/Apr/17 Resolved: 06/Dec/16 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 3.4.0-rc5 |
| Fix Version/s: | 3.4.1, 3.5.1 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Kyle Suarez | Assignee: | Kyle Suarez |
| Resolution: | Done | Votes: | 0 |
| Labels: | read-only-views | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||||||||||
| Backwards Compatibility: | Fully Compatible | ||||||||||||||||
| Operating System: | ALL | ||||||||||||||||
| Backport Completed: | |||||||||||||||||
| Steps To Reproduce: | Launch mongod with --auth, then do
|
||||||||||||||||
| Sprint: | Query 2016-12-12 | ||||||||||||||||
| Participants: | |||||||||||||||||
| Description |
|
When auth is enabled, we should force users to specify both "viewOn" and "pipeline". This prevents users from reading sensitive information in the original "viewOn" by only changing "pipeline", or by exposing more information via lookup in the original "pipeline" by only changing "viewOn". Original DescriptionIn AuthorizationSession::checkAuthForCreateOrModifyView(), we construct a NamespaceString on the "viewOn" field of the command object, to make sure that the user has read privileges on that namespace. However, a user can validly collMod an existing view without specifying a new "viewOn". Because the authorization code always expects "viewOn" to be a field, this scenario causes an exception to be thrown. The correct behavior would be to first check if cmdObj["viewOn"] exists; if it does not, simply skip the call to checkAuthForAggregate(). |
| Comments |
| Comment by Githook User [ 06/Dec/16 ] | ||
|
Author: {u'username': u'ksuarz', u'name': u'Kyle Suarez', u'email': u'kyle.suarez@mongodb.com'}Message: (cherry picked from commit 7ce8f181b87685fbcf6cc93749334c85ce36554e) | ||
| Comment by Githook User [ 06/Dec/16 ] | ||
|
Author: {u'username': u'ksuarz', u'name': u'Kyle Suarez', u'email': u'kyle.suarez@mongodb.com'}Message: | ||
| Comment by Kyle Suarez [ 28/Nov/16 ] | ||
|
An implication of this bug is that a user who has auth enabled cannot perform a collMod of a view that does not specify the "viewOn" field; for example, only changing the pipeline:
Users not running with auth enabled aren't affected by this bug. A workaround would be to always specify the "viewOn" field when issuing a collMod command. |