[SERVER-44385] root no longer has privileges to run setProfilingLevel on config/local dbs Created: 02/Nov/19  Updated: 27/Oct/23  Resolved: 05/Nov/19

Status: Closed
Project: Core Server
Component/s: Logging, Security
Affects Version/s: 4.0.7
Fix Version/s: None

Type: Question Priority: Major - P3
Reporter: aa aaaaa Assignee: Eric Sedor
Resolution: Works as Designed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Problem/Incident
is caused by SERVER-39056 Further refine readWriteAnyDatabase Closed
Participants:

 Description   

Hi, Dear mongo team!
 
I found a problem when enabling the slow log command.
 
I use

db.setProfilingLevel(1, { slowms: 100 })

  command with the root role. Executed in the admin database and the test database, it was OK, but when I executed it in the config database, mongo returned this message:

 
 Unauthorized: not authorized on config to execute command { profile: 1, slowms: 100, $clusterTime: { clusterTime: Timestamp(1572400149, 57), signature: { hash: BinData(0, 142D40C19EDD425A695B562803E2160A1E132F4E), keyId: 6701226941241884703 } }, $db: "config", $readPreference: { mode: "primaryPreferred" } }
 

 
The mongo version is v4.0.10
 
So I changed the version to v4.0.2 and the problem went away. Is this a bug in this version?



 Comments   
Comment by aa aaaaa [ 06/Nov/19 ]

Got it!

Thank you so much!

Have a good day!

Comment by Eric Sedor [ 05/Nov/19 ]

Hi again 648813099@qq.com,

This change in behavior occurred with SERVER-39056. It's an intended change and is not considered a bug. For versions including and after this fix, enableProfiler needs to be granted explicitly for the config and local databases.

The dbAdmin role includes the enableProfiler action. You can assign this role on the config db for a user if you truly need to enable profiling on the config db.

Sincerely,
Eric
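
One way to apply the grant described in the comment above, as an added example that is not part of the ticket or of MongoDB's own code. It shows the dbAdmin grant on config next to a narrower custom role holding only enableProfiler, plus a check of the session's privileges; the user name `opsUser`, the role name `configProfiler` and the helper function names are assumptions.

```javascript
// Added example for the mongo / mongosh shell. "opsUser" and "configProfiler"
// are assumed names; the user is assumed to already exist in the admin database.

// Narrow alternative to dbAdmin (an assumption, not from the ticket): a custom
// role that carries only the enableProfiler action on one database.
function profilerRoleSpec(roleName, dbName) {
  return {
    role: roleName,
    privileges: [{ resource: { db: dbName, collection: "" }, actions: ["enableProfiler"] }],
    roles: [],
  };
}

// True only if a privilege names dbName explicitly and includes enableProfiler.
// Privileges on other resources (for example db: "") are not counted: per the
// ticket, enableProfiler has to be granted explicitly for config and local.
function hasExplicitProfilerGrant(privileges, dbName) {
  return privileges.some((p) =>
    p.resource && p.resource.db === dbName && p.resource.collection === "" &&
    Array.isArray(p.actions) && p.actions.includes("enableProfiler"));
}

// conn is the shell's `db` object. narrow=false follows the ticket's advice
// (dbAdmin on config); narrow=true creates and grants the custom role instead.
function grantProfiling(conn, user, narrow, roleName) {
  const admin = conn.getSiblingDB("admin");
  if (narrow) {
    admin.createRole(profilerRoleSpec(roleName, "config"));
    admin.grantRolesToUser(user, [{ role: roleName, db: "admin" }]);
  } else {
    admin.grantRolesToUser(user, [{ role: "dbAdmin", db: "config" }]);
  }
}

// Checks the currently authenticated user without changing the profiling level.
function currentUserCanProfile(conn, dbName) {
  const res = conn.getSiblingDB("admin")
    .runCommand({ connectionStatus: 1, showPrivileges: true });
  return hasExplicitProfilerGrant(res.authInfo.authenticatedUserPrivileges, dbName);
}

// Runs only inside the shell, where the global `db` exists.
if (typeof db !== "undefined") {
  grantProfiling(db, "opsUser", true, "configProfiler");
  print("Authenticate as opsUser, then run currentUserCanProfile(db, 'config')");
}
```
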

Comment by Eric Sedor [ 05/Nov/19 ]

Hi 648813099@qq.com,

It looks like this behavior changed starting in 4.0.7. We have reproduced, we are investigating, and we will get back to you if any questions come up.

Note that in general, profiling on the config database should not be necessary.

Sincerely,
Eric

Generated at Thu Feb 08 05:05:50 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.