[SERVER-32067] Able to rename drop-pending collection namespaces using applyOps command Created: 22/Nov/17  Updated: 06/Dec/22  Resolved: 30/Nov/17

Status: Closed
Project: Core Server
Component/s: Replication
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: William Schultz (Inactive) Assignee: Backlog - Replication Team
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File apply_ops_rename_auth.js    
Issue Links:
Depends
Duplicate
duplicates SERVER-32098 Disallow operations on drop-pending c... Closed
Assigned Teams:
Replication
Operating System: ALL
Steps To Reproduce:

 
load("jstests/libs/check_log.js");  // For 'checkLog'.
function pauseOplogApplication(node) {
    assert.commandWorked(node.adminCommand(
        {configureFailPoint: "rsSyncApplyStop", mode: "alwaysOn"}));
    checkLog.contains(node, "rsSyncApplyStop fail point enabled");
}
 
function resumeOplogApplication(node) {
    assert.commandWorked(
        node.adminCommand({configureFailPoint: "rsSyncApplyStop", mode: "off"}));
}
 
function listAllCollections(adb){
    let res = assert.commandWorked(adb.runCommand("listCollections", {includePendingDrops: true}));
    return tojson(res.cursor.firstBatch);
}
 
let replTest = new ReplSetTest({name: "applyOpsTest", nodes: 2});
 
replTest.startSet();
replTest.initiate();
replTest.awaitReplication();
 
// Pause oplog application so collection drop doesn't commit.
pauseOplogApplication(replTest.getSecondary());
 
// Get connections and collection.
let primary = replTest.getPrimary();
let pdb = primary.getDB("test");
let collName = "coll";
 
// Create collection.
pdb[collName].insert({x:1});
 
let uuid = pdb.getCollectionInfos()[0].info.uuid;
 
// Drop collection.
jsTestLog("Doing collection drop.");
assert.commandWorked(pdb.runCommand({drop: collName, writeConcern: {w: 1}}));
 
// Print collections after drop.
jsTestLog(listAllCollections(pdb));
 
let renameOp = [{
    "op": "c",
    "ns": "test.$cmd",
    "ui": uuid,
    "o": {"renameCollection": "", "to": "test.not_drop_pending"}
}];
 
jsTestLog("Doing 'applyOps' command.");
assert.commandWorked(pdb.adminCommand({applyOps: renameOp}));
 
// Print collections after renameCollection.
jsTestLog(listAllCollections(pdb));

Participants:
Linked BF Score: 0

 Description   

By executing a renameCollection operation via the applyOps command, and specifying a specific collection UUID for a drop-pending collection, it is possible to rename a drop-pending collection namespace to an arbitrary value. See repro script. I expect this may cause us to never clean up such a drop-pending collection, if it was renamed away from its proper namespace format.



 Comments   
Comment by William Schultz (Inactive) [ 27/Nov/17 ]

Seems that a user with the root role can trigger this: apply_ops_rename_auth.js

Comment by William Schultz (Inactive) [ 27/Nov/17 ]

With a normal renameCollection command, we should have no way to target a UUID explicitly, so I expect this is not an issue.

Comment by Spencer Brody (Inactive) [ 27/Nov/17 ]

william.schultz, what happens if you try to do the same thing with direct renameCollection command?
Also, what's the behavior if access control is enabled? Does the access control system prevent this?

Generated at Thu Feb 08 04:29:05 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.