[SERVER-34822] RoleGraph update should ignore index creation on non-role collections
Created: 03/May/18 | Updated: 29/Oct/23 | Resolved: 30/May/18

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | 3.6.6, 4.0.0-rc5, 4.1.1 |
| Type: | Bug |
| Priority: | Critical - P2 |
| Reporter: | Spencer Jackson |
| Assignee: | Spencer Jackson |
| Resolution: | Fixed |
| Votes: | 0 |
| Labels: | bkp |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Backport Requested: | v4.0, v3.6 |
| Sprint: | Platforms 2018-06-04 |
| Participants: | |
| Case: | (copied to CRM) |

Description
Create a replica set. Create a collection on the admin database. Create a role which inherits from other roles. Grant the role to a user. Create an index on the collection using the createIndex command. Connect to a secondary, and authenticate as the user. The user will have no privileges granted from transitively inherited roles. The secondary will include the following statement in its logs:

The RoleGraph update procedure observes a command affecting the admin database which it doesn't understand. As a result, it disables role transitivity. It should be taught that createIndex on a collection other than system.roles is safe.
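The decision the description outlines, as an added C++ model that is not MongoDB's own RoleGraph code: the `OplogEntry` fields, the `RoleGraphAction` values and both `classify*` functions are assumptions chosen to illustrate the before/after behaviour, and the sample entry is constructed.

```cpp
#include <string>
#include <iostream>

// Hypothetical minimal oplog entry: only the fields the decision needs.
struct OplogEntry {
    std::string op;         // "i", "u", "d" for writes, "c" for commands
    std::string ns;         // e.g. "admin.system.roles" or "admin.$cmd"
    std::string cmdName;    // for op == "c": command name, e.g. "createIndexes"
    std::string cmdTarget;  // for op == "c": collection the command targets
};

enum class RoleGraphAction { Ignore, ApplyRoleChange, DisableTransitivity };

static bool isAdminDb(const OplogEntry& e) { return e.ns.rfind("admin.", 0) == 0; }

static bool isRolesWrite(const OplogEntry& e) {
    return e.ns == "admin.system.roles" && (e.op == "i" || e.op == "u" || e.op == "d");
}

// Behaviour the ticket describes: any admin-database entry that is not a
// recognised system.roles write is "not understood", so transitivity is disabled.
RoleGraphAction classifyBeforeFix(const OplogEntry& e) {
    if (!isAdminDb(e)) return RoleGraphAction::Ignore;
    if (isRolesWrite(e)) return RoleGraphAction::ApplyRoleChange;
    return RoleGraphAction::DisableTransitivity;
}

// Fixed behaviour: createIndexes on an admin collection other than
// system.roles cannot change role definitions, so it is ignored.
// Everything else keeps the conservative fallback (an assumption of this model).
RoleGraphAction classifyAfterFix(const OplogEntry& e) {
    if (!isAdminDb(e)) return RoleGraphAction::Ignore;
    if (isRolesWrite(e)) return RoleGraphAction::ApplyRoleChange;
    if (e.op == "c" && e.cmdName == "createIndexes" && e.cmdTarget != "system.roles")
        return RoleGraphAction::Ignore;
    return RoleGraphAction::DisableTransitivity;
}

int main() {
    // Constructed entry matching the reproduction steps: an index build on a
    // non-role collection in the admin database, as seen by a secondary.
    OplogEntry idx{"c", "admin.$cmd", "createIndexes", "audit_copy"};
    std::cout << "before fix disables transitivity: "
              << (classifyBeforeFix(idx) == RoleGraphAction::DisableTransitivity) << "\n"
              << "after fix ignores it: "
              << (classifyAfterFix(idx) == RoleGraphAction::Ignore) << "\n";
    return 0;
}
```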
Comments

Comment by Githook User [ 18/Jun/18 ]
Author: {'username': 'spencerjackson', 'name': 'Spencer Jackson', 'email': 'spencer.jackson@mongodb.com'}
Message: (cherry picked from commit f0227671de94cd54a3d8e1653400aa1ee9d8b2fa)

Comment by Githook User [ 07/Jun/18 ]
Author: {'username': 'spencerjackson', 'name': 'Spencer Jackson', 'email': 'spencer.jackson@mongodb.com'}
Message: (cherry picked from commit f0227671de94cd54a3d8e1653400aa1ee9d8b2fa)

Comment by Githook User [ 30/May/18 ]
Author: {'username': 'spencerjackson', 'name': 'Spencer Jackson', 'email': 'spencer.jackson@mongodb.com'}
Message: