[SERVER-28449] "Root" role does not have permissions to recreate oplog
Created: 23/Mar/17  Updated: 27/Oct/23  Resolved: 11/Apr/17

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Dharshan Rangegowda
Assignee: Mark Agarunov
Resolution: Works as Designed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to SERVER-26839 Improve readWriteDatabase role coverage Closed
related to PHPC-1261 User for replica set auth test enviro... Closed
Operating System: ALL
Participants:

Description

I am running into an issue with the 3.2.12 server.

I have a user with 'root' role that is not able to recreate the oplog (in order to scale up the size of the oplog).

> db.runCommand({ create: "oplog.rs", capped: true, size: 1503238553.0 })
{
	"ok" : 0,
	"errmsg" : "not authorized on local to execute command { create: \"oplog.rs\", capped: true, size: 1503238553.0 }",
	"code" : 13
}

If the user is granted readWrite on the local DB then it starts to work.

 db.grantRolesToUser("admin", [{role: "readWrite", db: "local"}])

Is this expected? I would expect the 'root' role to be a superset of all the permissions.



Comments
Comment by Mark Agarunov [ 11/Apr/17 ]

Hello dharshanr@scalegrid.net,

Thank you for the report. As you noted, with a permission of readWrite on the local database this will work. This is intentional and is due to a separation of privileges. The root role is a super-set of permissions affecting user data specifically, not system data, therefore the permissions must be explicitly granted to perform operations on local.

Please note that the SERVER project is for reporting bugs or feature suggestions for the MongoDB server. For MongoDB-related support discussion please post on the mongodb-user group or Stack Overflow with the mongodb tag. A question like this involving more discussion would be best posted on the mongodb-user group.

Thanks,
Mark
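
One way to keep the explicit grant on local described above limited to the duration of the oplog resize, as an added example that is not part of the ticket or MongoDB's own code. The helper names and the `conn` parameter (any handle exposing the mongo shell's `getSiblingDB()`, such as the shell's global `db`) are assumptions.

```javascript
// Added example: function names are hypothetical. Only the shell methods
// grantRolesToUser, revokeRolesFromUser, getSiblingDB and runCommand are real.
function withTemporaryLocalReadWrite(conn, userDb, userName, operation) {
  const grant = { role: "readWrite", db: "local" };
  const authDb = conn.getSiblingDB(userDb);

  // Look up the user's current roles so a deliberate standing grant
  // is neither duplicated nor removed by this helper.
  const info = authDb.runCommand({ usersInfo: userName });
  if (!info.ok || info.users.length !== 1) {
    throw new Error("user not found: " + userName + "@" + userDb);
  }
  const alreadyHeld = info.users[0].roles.some(
    (r) => r.role === grant.role && r.db === grant.db
  );

  if (!alreadyHeld) authDb.grantRolesToUser(userName, [grant]);
  try {
    return operation(conn.getSiblingDB("local"));
  } finally {
    // Runs on success and on failure, so the extra privilege on the
    // system database does not outlive the maintenance task.
    if (!alreadyHeld) authDb.revokeRolesFromUser(userName, [grant]);
  }
}

// The create command from the ticket, run through the wrapper.
function recreateOplog(conn, userDb, userName, sizeBytes) {
  return withTemporaryLocalReadWrite(conn, userDb, userName, (local) => {
    const res = local.runCommand({ create: "oplog.rs", capped: true, size: sizeBytes });
    if (!res.ok) throw new Error(res.errmsg);
    return res;
  });
}
```

In the shell this would be called as `recreateOplog(db, "admin", "admin", 1503238553)` by a user allowed to grant and revoke roles.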
