[SERVER-33096] getRoles command does not return authenticationRestrictions Created: 02/Feb/18  Updated: 27/Oct/23  Resolved: 05/Feb/18

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 3.6.2
Fix Version/s: None

Type: Task Priority: Major - P3
Reporter: Ravind Kumar (Inactive) Assignee: Sara Golemon
Resolution: Works as Designed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

MongoDB 3.6.2, possibly 3.6.0+


Issue Links:
Documented
is documented by DOCS-11283 db.getRoles() should mention showAuth... Closed
Participants:

 Description   

The getRoles command (and db.getRoles()) does not return any authenticationRestrictions associated with configured roles.

Steps to reproduce:

1. Create new user, specifying authenticationRestrictions document with both clientSource and serverAddress
2. Run db.getRoles - output does not include authentication restrictions associated to the role.

Originally reported by a user in the community Slack channel.

As far as I can tell there doesn't seem to be a way to check the configured authenticationRestrictions (if any) for a given role.

Example:

db.createRole(
...    {
...      role: "myClusterwideAdmin",
...      privileges: [
...        { resource: { cluster: true }, actions: [ "addShard" ] },
...        { resource: { db: "config", collection: "" }, actions: [ "find", "update", "insert", "remove" ] },
...        { resource: { db: "users", collection: "usersCollection" }, actions: [ "update", "insert", "remove" ] },
...        { resource: { db: "", collection: "" }, actions: [ "find" ] }
...      ],
...      roles: [
...        { role: "read", db: "admin" }
...      ],
...      authenticationRestrictions : [ {
...        clientSource : ["192.168.0.100"],
...        serverAddress : ["192.168.1.100"] 
...      }]
...    })
{

db.getRoles()
[
	{
		"role" : "myClusterwideAdmin",
		"db" : "admin",
		"isBuiltin" : false,
		"roles" : [
			{
				"role" : "read",
				"db" : "admin"
			}
		],
		"inheritedRoles" : [
			{
				"role" : "read",
				"db" : "admin"
			}
		]
	}
]



 Comments   
Comment by Spencer Brown [ 09/Jan/20 ]

Looks like it needs to be

showAuthenticationRestrictions: true

 
MongoDB Enterprise > adb.getRoles({showAuthenticationRestrictions: 1});
2020-01-08T21:47:44.907-0600 E QUERY    [js] Error: "showAuthenticationRestrictions" had the wrong type. Expected bool, found double :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DB.prototype.getRoles@src/mongo/shell/db.js:1895:1
@(shell):1:1
MongoDB Enterprise > adb.getRoles( {showAuthenticationRestrictions: true} );
[
        {
                "role" : "example",
                "db" : "admin",
                "isBuiltin" : false,
                "roles" : [
                        {
                                "role" : "root",
                                "db" : "admin"
                        }
                ],
                "inheritedRoles" : [
                        {
                                "role" : "root",
                                "db" : "admin"
                        }
                ],
                "authenticationRestrictions" : [
                        [
                                {
                                        "clientSource" : [
                                                "0.0.0.0/0"
                                        ]
                                }
                        ]
                ],
                "inheritedAuthenticationRestrictions" : [
                        [
                                {
                                        "clientSource" : [
                                                "0.0.0.0/0"
                                        ]
                                }
                        ]
                ]
        }
]

Comment by Sara Golemon [ 05/Feb/18 ]

"authenticationRestrictions" are available via getRoles(), but only if the (currently undocumented) parameter

{showAuthenticationRestrictions: 1}

is passed to the command. This is consistent with the showPrivileges and showBuiltinRoles idioms.

I've filed a DOCS ticket to get the manual updated.
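
Added example (not part of the ticket and not MongoDB's own code): a small JavaScript audit over the array returned by db.getRoles({showAuthenticationRestrictions: true}), separating roles whose restrictions were not reported at all from roles with none and roles whose clientSource admits every address. The function names, the sample roles "legacyReport" and "unrestricted", and the empty-array shape for a role with no restrictions are assumptions.

```javascript
"use strict";

// CIDR ranges that match every client address (assumed review criterion).
const OPEN_RANGES = new Set(["0.0.0.0/0", "::/0"]);

// Classify one restrictions field from a getRoles() result.
function classify(field) {
  // Field absent: the call was made without showAuthenticationRestrictions: true.
  if (field === undefined) return "not-reported";
  // The output on this page wraps the documents in an extra array, so flatten.
  const docs = field.flat(Infinity);
  if (docs.length === 0) return "none";
  const open = docs.some((d) => (d.clientSource || []).some((r) => OPEN_RANGES.has(r)));
  return open ? "open-client-source" : "restricted";
}

// One finding per user-defined role; built-in roles are skipped.
function auditRoles(roles) {
  return roles
    .filter((r) => !r.isBuiltin)
    .map((r) => ({
      role: `${r.db}.${r.role}`,
      own: classify(r.authenticationRestrictions),
      inherited: classify(r.inheritedAuthenticationRestrictions),
    }));
}

// Constructed sample input, shaped like the shell output in this ticket.
const SAMPLE_ROLES = [
  { role: "example", db: "admin", isBuiltin: false,
    authenticationRestrictions: [[{ clientSource: ["0.0.0.0/0"] }]],
    inheritedAuthenticationRestrictions: [[{ clientSource: ["0.0.0.0/0"] }]] },
  { role: "myClusterwideAdmin", db: "admin", isBuiltin: false,
    authenticationRestrictions: [[{ clientSource: ["192.168.0.100"],
                                    serverAddress: ["192.168.1.100"] }]],
    inheritedAuthenticationRestrictions: [[{ clientSource: ["192.168.0.100"],
                                             serverAddress: ["192.168.1.100"] }]] },
  // Shape returned when the flag is omitted, as in the ticket description.
  { role: "legacyReport", db: "admin", isBuiltin: false },
  // Assumption: a role with no restrictions is reported with empty arrays.
  { role: "unrestricted", db: "admin", isBuiltin: false,
    authenticationRestrictions: [], inheritedAuthenticationRestrictions: [] },
];

console.log(JSON.stringify(auditRoles(SAMPLE_ROLES), null, 2));
```

A "not-reported" finding means the audit input was collected without the flag and says nothing about the role itself; rerun the query with the boolean true before drawing conclusions.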
