[SERVER-3345] Read only user - able to create and update collection using map reduce Created: 28/Jun/11 Updated: 12/Jul/16 Resolved: 25/Oct/11 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | MapReduce |
| Affects Version/s: | 1.8.1 |
| Fix Version/s: | 2.1.0 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | ganesan pandurangan | Assignee: | Tony Hannan |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: |
mac os x |
||
| Issue Links: |
|
||||
| Operating System: | ALL | ||||
| Participants: | |||||
| Description |
|
Hi- I am able to update a collection created by a read write user using a read only user by invoking map reduce. Following is the test scenario. Wed Jun 29 00:36:08 [initandlisten] git version: a429cd4f535b2499cc4130b06ff7c26f41c00f04 ===read write user created an out collection in m/r === MongoDB shell version: 1.8.1 } ); ); ... return {count:total}; ... } function (key, values) { var total = 0; for (var i = 0; i < values.length; i++) { total += values[i].count; } return {count:total}; } > res=db.mytest.mapReduce(m,r,{out:{reduce:"myColl"}}); { "result" : "myColl", "timeMillis" : 43, "counts" : { "input" : 1, "emit" : 1, "output" : 1 }, "ok" : 1, } ======= Read only user able to update the collection using map reduce. MongoDB shell version: 1.8.1 connecting to: test > use gp switched to db gp > db.auth("gpr","gpr"); 1 > m=function () { ... emit(this.x, {count:1}); ... } function () { emit(this.x, {count:1}); } > function (key, values) { ... var total = 0; ... for (var i = 0; i < values.length; i++) {... total += values[i].count;... } ... return {count:total}; return {count:total}; } > res=db.mytest.mapReduce(m,r,{out:{reduce:"myColl"}}); Wed Jun 29 02:18:21 ReferenceError: r is not defined (shell):1 > r=function (key, values) { ... var total = 0; ... for (var i = 0; i < values.length; i++) { ... total += values[i].count; ... } ... return {count:total}; ... } function (key, values) { var total = 0; for (var i = 0; i < values.length; i++) { total += values[i].count; } return {count:total}; , } , } > db.system.users.find(); { "_id" : ObjectId("4e0a2530e1c6ac893f943018"), "user" : "gpr", "readOnly" : true, "pwd" : "6653a4201479409166809ecdd8abaadf" } { "_id" : ObjectId("4e0a2560e1c6ac893f943019"), "user" : "gp", "readOnly" : false, "pwd" : "2e42611f30c3155c7f8de180b0e855ee" }> |
| Comments |
| Comment by auto [ 25/Oct/11 ] |
|
Author: {u'login': u'TonyGen', u'name': u'Tony Hannan', u'email': u'tony@10gen.com'}Message: |
| Comment by auto [ 25/Oct/11 ] |
|
Author: {u'login': u'TonyGen', u'name': u'Tony Hannan', u'email': u'tony@10gen.com'}Message: |
| Comment by auto [ 25/Oct/11 ] |
|
Author: {u'login': u'TonyGen', u'name': u'Tony Hannan', u'email': u'tony@10gen.com'}Message: |
| Comment by auto [ 29/Sep/11 ] |
|
Author: {u'login': u'TonyGen', u'name': u'Tony Hannan', u'email': u'tony@10gen.com'}Message: |
| Comment by Tony Hannan [ 27/Sep/11 ] |
|
Bug still exists in 2.0. Read-only user can specify any collection in M/R out parameter, including one that already exists, and overwrite it. |
| Comment by Eliot Horowitz (Inactive) [ 27/Sep/11 ] |
|
believe this was fixed in 2.0 - will verify |
| Comment by ganesan pandurangan [ 27/Sep/11 ] |
|
Hi Any updates on this ? |