[SERVER-27755] Unable to change own password of non-admin user Created: 19/Jan/17  Updated: 20/Jan/17  Resolved: 20/Jan/17

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Sumanta Dutta Assignee: Mark Agarunov
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL
Steps To Reproduce:

1. Create a role with the changeOwnPassword privilege

mongos> db.getRole("changeOwnPasswordRole",{showPrivileges:true})
{
        "role" : "changeOwnPasswordRole",
        "db" : "admin",
        "isBuiltin" : false,
        "roles" : [ ],
        "inheritedRoles" : [ ],
        "privileges" : [
                {
                        "resource" : {
                                "cluster" : true
                        },
                        "actions" : [
                                "changeOwnPassword"
                        ]
                }
        ],
        "inheritedPrivileges" : [
                {
                        "resource" : {
                                "cluster" : true
                        },
                        "actions" : [
                                "changeOwnPassword"
                        ]
                }
        ]
}
mongos>

2. Grant the role to a non-admin read-only user

mongos> db.getUser("sdutta")
{
        "_id" : "admin.sdutta",
        "user" : "sdutta",
        "db" : "admin",
        "roles" : [
                {
                        "role" : "changeOwnPasswordRole",
                        "db" : "admin"
                },
                {
                        "role" : "readAnyDatabase",
                        "db" : "admin"
                }
        ]
}

3. Try to change the password after logging in as sdutta

mongos> db.changeUserPassword("sdutta","test2")

Thanks!

Description

1. I created a role with the changeOwnPassword privilege

mongos> db.getRole("changeOwnPasswordRole",{showPrivileges:true})
{
        "role" : "changeOwnPasswordRole",
        "db" : "admin",
        "isBuiltin" : false,
        "roles" : [ ],
        "inheritedRoles" : [ ],
        "privileges" : [
                {
                        "resource" : {
                                "cluster" : true
                        },
                        "actions" : [
                                "changeOwnPassword"
                        ]
                }
        ],
        "inheritedPrivileges" : [
                {
                        "resource" : {
                                "cluster" : true
                        },
                        "actions" : [
                                "changeOwnPassword"
                        ]
                }
        ]
}
mongos>

2. I granted the role to a non-admin read-only user

mongos> db.getUser("sdutta")
{
        "_id" : "admin.sdutta",
        "user" : "sdutta",
        "db" : "admin",
        "roles" : [
                {
                        "role" : "changeOwnPasswordRole",
                        "db" : "admin"
                },
                {
                        "role" : "readAnyDatabase",
                        "db" : "admin"
                }
        ]
}

3. Tried to change the password without luck. I hope it’s not expecting readWrite.

mongos> db.changeUserPassword("sdutta","test2")
2017-01-17T18:38:29.078-0500 E QUERY    [thread1] Error: Updating user failed: not authorized on admin to execute command { updateUser: "sdutta", pwd: "xxx", writeConcern: { w: "majority", wtimeout: 30000.0 }, digestPassword: false } :
_getErrorWithCode src/mongo/shell/utils.js:25:13
DB.prototype.updateUser src/mongo/shell/db.js:1319:15
DB.prototype.changeUserPassword src/mongo/shell/db.js:1323:9
@(shell):1:1

BTW, we are using the following versions:

MongoDB shell version: 3.2.5

MongoS version 3.2.5
git version: 34e65e5383f7ea1726332cb175b73077ec4a1b02
OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013

Thanks!



Comments
Comment by Sumanta Dutta [ 20/Jan/17 ]

Hi Mark,

Thanks for responding. I posted the same on user group 2 days before filing
here as bug. There was no response.

Regarding using db and collection as "", I thought I tried that as well,
but I will try again.

Thanks,
Sumanta

Comment by Mark Agarunov [ 20/Jan/17 ]

Hello suduttaus,

Thank you for the report. Looking over the output you have provided, this looks like it may be a misconfiguration of the role permissions. I see you have the resource set to cluster:

{
  "resource" : { "cluster" : true },
  "actions" : [ "changeOwnPassword" ]
}

The cluster resource provides permissions to cluster management related resources, not to all databases in the cluster. The resource for this action type would have to be the admin database, or more permissively, leave the database empty. For example:

{
  "resource": { db: "admin",collection: "" },
  "actions" : [ "changeOwnPassword" ]
}

OR

{
  "resource": { db: "", collection: "" },
  "actions" : [ "changeOwnPassword" ]
}

Please note that SERVER project is for reporting bugs or feature suggestions for the MongoDB server. For MongoDB-related support discussion please post on the mongodb-user group or Stack Overflow with the mongodb tag. A question like this involving more discussion would be best posted on the mongodb-user group.

Thanks,
Mark
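To show why the cluster-scoped role in the report is denied while the db-scoped resource documents in the reply are allowed, here is an added example (not from the ticket or from MongoDB's code base) that models MongoDB's documented resource-document matching rules in plain JavaScript; the role documents are copied from the ticket, and the matching and check functions are assumptions of this example.

```javascript
// Added example (not from the ticket or MongoDB's source): a small model of
// how a privilege's resource document is matched against the resource a
// command is checked on. Rules follow MongoDB's documented resource
// documents: {cluster:true} matches only cluster-level operations,
// {db:"admin",collection:""} matches every non-system collection in admin,
// {db:"",collection:""} matches every non-system collection in every database.
function resourceMatches(privResource, target) {
  if (privResource.anyResource) return true;
  if (privResource.cluster) return target.cluster === true;   // cluster-only
  if (target.cluster) return false;   // a db/collection resource never covers cluster ops
  const dbOk = privResource.db === "" || privResource.db === target.db;
  const collOk = privResource.collection === "" || privResource.collection === target.collection;
  return dbOk && collOk;
}

// A role authorizes an action when some privilege covers both the resource and the action.
function isAuthorized(role, action, target) {
  return role.privileges.some(
    (p) => resourceMatches(p.resource, target) && p.actions.includes(action)
  );
}

// The reporter's role exactly as shown in the ticket: the resource is the cluster.
const reportedRole = {
  role: "changeOwnPasswordRole",
  privileges: [{ resource: { cluster: true }, actions: ["changeOwnPassword"] }],
};

// The first corrected form from the reply: scoped to the admin database.
const correctedRole = {
  role: "changeOwnPasswordRole",
  privileges: [{ resource: { db: "admin", collection: "" }, actions: ["changeOwnPassword"] }],
};

// The reply's second, more permissive form: any database.
const anyDbRole = {
  role: "changeOwnPasswordRole",
  privileges: [{ resource: { db: "", collection: "" }, actions: ["changeOwnPassword"] }],
};

// updateUser for sdutta (a user defined in "admin") is checked against the admin database.
const adminDbTarget = { db: "admin", collection: "" };

function checkRole(role) { return isAuthorized(role, "changeOwnPassword", adminDbTarget); }

console.log("cluster-scoped role:", checkRole(reportedRole));   // false: the denial in the ticket
console.log("admin-db role:", checkRole(correctedRole));        // true
console.log("any-db role:", checkRole(anyDbRole));              // true
```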
