[SERVER-35301] Cannot insert into system.js collections with bypassDocumentValidation:true Created: 31/May/18  Updated: 27/Oct/23  Resolved: 08/Jun/18

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Shane Harvey Assignee: Asya Kamsky
Resolution: Works as Designed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to SERVER-38545 Inconsistency between different roles... Closed
related to SERVER-5972 Cannot drop system.js collection Closed
is related to TOOLS-2030 mongodump does not dump system.js col... Closed
Operating System: ALL
Participants:

 Description   

$ mogno 'mongodb://user:password@localhost:27017/?authSource=admin'
MongoDB shell version v3.6.3
connecting to: mongodb://localhost:27017/?authSource=admin
MongoDB server version: 3.6.3
MongoDB Enterprise 9be5809a-ea19-4dfd-b276-de020c05d333:PRIMARY> use test
switched to db test
MongoDB Enterprise 9be5809a-ea19-4dfd-b276-de020c05d333:PRIMARY> db.runCommand({connectionStatus: 1, showPrivileges: false})
{
	"authInfo" : {
		"authenticatedUsers" : [
			{
				"user" : "user",
				"db" : "admin"
			}
		],
		"authenticatedUserRoles" : [
			{
				"role" : "readWriteAnyDatabase",
				"db" : "admin"
			},
			{
				"role" : "dbAdminAnyDatabase",
				"db" : "admin"
			},
			{
				"role" : "clusterAdmin",
				"db" : "admin"
			},
			{
				"role" : "userAdminAnyDatabase",
				"db" : "admin"
			}
		]
	},
	"ok" : 1,
	"operationTime" : Timestamp(1527724978, 1),
	"$clusterTime" : {
		"clusterTime" : Timestamp(1527724978, 1),
		"signature" : {
			"hash" : BinData(0,"bS8d9oGZjPnm4m82HzJu4fj9YjA="),
			"keyId" : NumberLong("6561523985954111489")
		}
	}
}
MongoDB Enterprise 9be5809a-ea19-4dfd-b276-de020c05d333:PRIMARY> db.runCommand({insert:"system.js", documents:[{_id:"func", value:function(k){return k;}}], bypassDocumentValidation: false})
{
	"n" : 1,
	"opTime" : {
		"ts" : Timestamp(1527724994, 1),
		"t" : NumberLong(2)
	},
	"electionId" : ObjectId("7fffffff0000000000000002"),
	"ok" : 1,
	"operationTime" : Timestamp(1527724994, 1),
	"$clusterTime" : {
		"clusterTime" : Timestamp(1527724994, 1),
		"signature" : {
			"hash" : BinData(0,"or3MniluGCizPnkeVRkbQg/31Bo="),
			"keyId" : NumberLong("6561523985954111489")
		}
	}
}
MongoDB Enterprise 9be5809a-ea19-4dfd-b276-de020c05d333:PRIMARY> db.runCommand({insert:"system.js", documents:[{_id:"func2", value:function(k){return k;}}], bypassDocumentValidation: true})
{
	"operationTime" : Timestamp(1527724994, 1),
	"ok" : 0,
	"errmsg" : "not authorized on test to execute command { insert: \"system.js\", bypassDocumentValidation: true, $clusterTime: { clusterTime: Timestamp(1527724994, 1), signature: { hash: BinData(0, A2BDCC9E296E1828B33E791E55191B420FF7D41A), keyId: 6561523985954111489 } }, $db: \"test\" }",
	"code" : 13,
	"codeName" : "Unauthorized",
	"$clusterTime" : {
		"clusterTime" : Timestamp(1527724994, 1),
		"signature" : {
			"hash" : BinData(0,"or3MniluGCizPnkeVRkbQg/31Bo="),
			"keyId" : NumberLong("6561523985954111489")
		}
	}
}

I'd expect this to work since the user has the bypassDocumentValidation privilege (provided by dbAdminAnyDatabase).



 Comments   
Comment by Ted Tuckman [ 19/Dec/18 ]

I filed SERVER-38545 and after discussion with jbreams it seems like it is working as intended, even though the errors are unintuitive. 

Comment by Ted Tuckman [ 11/Dec/18 ]

I was looking at this as part of another ticket, and I found that I was able to write to system.js with the "restore" role but not with readWriteAnyDatabase (both with bypassDocumentValidation=true). Even though you can't specify a validator, this inconsistency seems like a bug. 

Comment by Asya Kamsky [ 08/Jun/18 ]

Also make note of SERVER-25446 which I believe we should close as won't fix.

Comment by Asya Kamsky [ 08/Jun/18 ]

You are not allowed to specify validator on system collections:

db.runCommand({ collMod:"system.js", validator:{_id:{$exists:true}}})
{
	"ok" : 0,
	"errmsg" : "Document validators not allowed on system collection test.system.js with UUID 909f0ff5-cc5b-42eb-84b8-9437813bd0af",
	"code" : 72,
	"codeName" : "InvalidOptions"
}

So it does not make sense for it to support bypassing validation.

Comment by Gregory McKeon (Inactive) [ 04/Jun/18 ]

Sending to query to triage, since we believe they own bypassDocumentValidation:true

Comment by Kyle Suarez [ 01/Jun/18 ]

shane.harvey:

This user also gets an auth error when attempting to drop the "system.js" collection:

That's not an authentication error; it's a different known issue. See SERVER-5972

Comment by Shane Harvey [ 31/May/18 ]

This user also gets an auth error when attempting to drop the "system.js" collection:

MongoDB Enterprise> db.system.js.drop()
2018-05-31T16:02:25.561-0700 E QUERY    [thread1] Error: drop failed: {
	"operationTime" : Timestamp(1527807736, 1),
	"ok" : 0,
	"errmsg" : "can't drop system collection test.system.js",
	"code" : 20,
	"codeName" : "IllegalOperation",
	"$clusterTime" : {
		"clusterTime" : Timestamp(1527807736, 1),
		"signature" : {
			"hash" : BinData(0,"3vBQHuGJso3O1nNN2qPCgjvCxPQ="),
			"keyId" : NumberLong("6561884071717240833")
		}
	}
} :
_getErrorWithCode@src/mongo/shell/utils.js:25:13
DBCollection.prototype.drop@src/mongo/shell/collection.js:695:1
@(shell):1:1

But this user can drop the entire database:

MongoDB Enterprise > db.dropDatabase()
{
	"dropped" : "test",
	"ok" : 1,
	"operationTime" : Timestamp(1527807950, 2),
	"$clusterTime" : {
		"clusterTime" : Timestamp(1527807950, 2),
		"signature" : {
			"hash" : BinData(0,"u8ggvjAZYWU7tK4hWswErKVowsQ="),
			"keyId" : NumberLong("6561884071717240833")
		}
	}
}

Generated at Thu Feb 08 04:39:26 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.