[SERVER-3199] Restrict user creation to admin only
Created: 05/Jun/11
Updated: 15/Feb/13
Resolved: 21/Dec/12

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 1.8.1
Fix Version/s: None

Type: New Feature
Priority: Major - P3
Reporter: Alvin Richards (Inactive)
Assignee: Spencer Brody (Inactive)
Resolution: Duplicate
Votes: 2
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on SERVER-3198 Ability to restrict operations by role Closed
depends on SERVER-7122 Assign commands to system roles Closed
depends on SERVER-7126 new authPrinciples and acquiredCapabi... Closed

 Description   

Feature:
Restrict the creation of users to the admin only.

Use Case:

/* User can be added to DB test*/
> use test
switched to db test
> db.addUser("thetest","xxx");
{
"_id" : ObjectId("4dd0a3aa7f39df02fe90fba7"),
"user" : "thetest",
"readOnly" : false,
"pwd" : "6acce88bf52666bb832d0d51d5b4e94a"
}

/* User can be auth'ed and create data */
> db.auth("thetest","xxx");
1
> db.foobar.save({1:2});
> db.foobar.find();
{ "_id" : ObjectId("4debd8a54f5c3a55b982b97c"), "1" : 2 }

/* This new user can now add another user in the test database - this should be prevented since they are not auth'ed to the admin database */
> db.addUser("thetest2","boohoo");
{
"user" : "thetest2",
"readOnly" : false,
"pwd" : "0d2b4b28061638251db69fb85b32ee79"
}



 Comments   
Comment by Andy Schwerin [ 03/Oct/12 ]

More granular roles in Mongo 2.4 should cover this case. Linked to relevant tickets, SERVER-7122 and SERVER-7126. Some of the details are still up in the air, but this use case ought to be covered.
