[SERVER-51859] rolesInfo command returns a result without `inheritedPrivileges` and `isBuiltin` fields for mongo version 4.9+
Created: 28/Oct/20  Updated: 29/Oct/23  Resolved: 10/Nov/20

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 4.9 Required
Fix Version/s: 4.9.0

Type: Bug Priority: Blocker - P1
Reporter: Tanay Abhra Assignee: Sara Golemon
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File 44.json     File 49.json    
Issue Links:
Depends
Related
is related to SERVER-51651 rolesInfo command returns an empty re... Closed
Backwards Compatibility: Minor Change
Operating System: ALL
Sprint: Security 2020-11-16
Participants:

 Description   

This ticket is related to https://jira.mongodb.org/browse/SERVER-51651.

We are going to run Atlas proxy with MongoDB 4.9+ in the future. While trying to run the test harness with a new mongod in dev, I found a breaking change.

We depend on the `rolesInfo` command to load the roles we are interested in. With the current command params, 4.9 doesn’t populate `inheritedPrivileges`, which we use, and doesn’t include the `isBuiltin` field.

Binaries we were using for testing:
Enterprise MacOS: https://mciuploads.s3.amazonaws.com/mongodb-mongo-master/enterprise-macos/d7da6ab29e45b3ab22652e12bb524d966511ebf8/binaries/mongo-mongodb_mongo_master_enterprise_macos_d7da6ab29e45b3ab22652e12bb524d966511ebf8_20_10_24_03_38_42.tgz
Enterprise RHEL 7.0: https://mciuploads.s3.amazonaws.com/mongodb-mongo-master/enterprise-rhel-70-64-bit/d7da6ab29e45b3ab22652e12bb524d966511ebf8/binaries/mongo-mongodb_mongo_master_enterprise_rhel_70_64_bit_d7da6ab29e45b3ab22652e12bb524d966511ebf8_20_10_24_03_38_42.tgz

Code to reproduce the bug:

arr = [];
arr.push({role: "backup", db: "admin"});
arr.push({role: "clusterMonitor", db: "admin"});
arr.push({role: "dbAdmin", db: "admin"});
arr.push({role: "dbAdminAnyDatabase", db: "admin"});
arr.push({role: "enableSharding", db: "admin"});
arr.push({role: "read", db: "admin"});
arr.push({role: "readAnyDatabase", db: "admin"});
arr.push({role: "readWrite", db: "admin"});
arr.push({role: "readWriteAnyDatabase", db: "admin"});
arr.push({role: "readWrite", db: "eliot1-test"});
arr.push({role: "dbAdmin", db: "eliot1-test"});
arr.push({role: "read", db: "eliot1-test2"});
arr.push({role: "dbAdmin", db: "eliot1-test2"});
arr.push({role: "readWrite", db: "eliot1-timTest"});
arr.push({role: "readWrite", db: "no-limits-test"});
arr.push({role: "dbAdmin", db: "no-limits-test"});
arr.push({role: "read", db: "no-limits-test2"});
arr.push({role: "dbAdmin", db: "no-limits-test2"});
arr.push({role: "readWrite", db: "no-limits-timTest"});
res = db.adminCommand({rolesInfo: arr, showBuiltinRoles: 1, showPrivileges: 1})
printjson(res)

The output for 4.4 and 4.9+ is attached in the comments for comparison.  
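
A consumer that builds authorization state from `rolesInfo`, as the description says this one does, can validate the reply and fail closed when the fields it depends on are absent. The following is an added example, not part of the ticket or of MongoDB's code; the function names and the sample replies are constructed for illustration, and it is plain JavaScript with no driver or shell API calls.

```javascript
// Added example, not MongoDB code. Fields the ticket's consumer depends on.
const REQUIRED_FIELDS = ["inheritedPrivileges", "isBuiltin"];

// Return a list of problems found in a rolesInfo reply; empty means usable.
function checkRolesInfoReply(requested, reply) {
  if (!reply || reply.ok !== 1 || !Array.isArray(reply.roles)) {
    return ["reply is not a successful rolesInfo result"];
  }
  // Database names cannot contain ".", so "db.role" is an unambiguous key.
  const byKey = new Map(reply.roles.map((r) => [`${r.db}.${r.role}`, r]));
  const problems = [];
  for (const { role, db } of requested) {
    const key = `${db}.${role}`;
    const doc = byKey.get(key);
    if (!doc) { problems.push(`${key}: role missing from reply`); continue; }
    for (const field of REQUIRED_FIELDS) {
      if (!(field in doc)) problems.push(`${key}: missing ${field}`);
    }
    if ("inheritedPrivileges" in doc && !Array.isArray(doc.inheritedPrivileges)) {
      problems.push(`${key}: inheritedPrivileges is not an array`);
    }
    if ("isBuiltin" in doc && typeof doc.isBuiltin !== "boolean") {
      problems.push(`${key}: isBuiltin is not a boolean`);
    }
  }
  return problems;
}

// Fail closed: never build an authorization decision from a partial reply.
function loadRoles(requested, reply) {
  const problems = checkRolesInfoReply(requested, reply);
  if (problems.length > 0) {
    throw new Error("rejecting rolesInfo reply: " + problems.join("; "));
  }
  return reply.roles;
}

// Constructed sample data (not the ticket's attached 44.json / 49.json).
const wanted = [{ role: "read", db: "admin" }, { role: "dbAdmin", db: "admin" }];
const samplePriv = { resource: { db: "admin", collection: "" }, actions: ["find"] };
const completeReply = { ok: 1, roles: [
  { role: "read", db: "admin", isBuiltin: true, privileges: [samplePriv], inheritedPrivileges: [samplePriv] },
  { role: "dbAdmin", db: "admin", isBuiltin: true, privileges: [samplePriv], inheritedPrivileges: [samplePriv] },
] };
// Shaped like the regression in the ticket title: both fields absent.
const regressedReply = { ok: 1, roles: [
  { role: "read", db: "admin", privileges: [samplePriv] },
  { role: "dbAdmin", db: "admin", privileges: [samplePriv] },
] };
```

In the shell session from the reproduction above, `checkRolesInfoReply(arr, res)` lists which of the requested roles came back without the two fields.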

 Comments   
Comment by Githook User [ 10/Nov/20 ]

Author: Sara Golemon (sgolemon) <sara.golemon@mongodb.com>

Message: SERVER-51859 Fix builtin privileges reporting via rolesInfo
Branch: master
https://github.com/mongodb/mongo/commit/458b245815739fa15b9f18543e343444b6129c74
