[SERVER-61589] Disallow users from creating collections with 'system.buckets' prefix Created: 18/Nov/21 Updated: 27/Oct/23 Resolved: 24/Oct/22 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Arun Banala | Assignee: | Gregory Noma |
| Resolution: | Works as Designed | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: |
|
| Operating System: | ALL |
| Steps To Reproduce: |
> db.createCollection("system.new")
{ "ok" : 0, "errmsg" : "Invalid system namespace: test.system.new", "code" : 73, "codeName" : "InvalidNamespace" }
> db.createCollection("system.buckets.new")
{ "ok" : 1 }
> db.new.insert({})
| Sprint: | Execution Team 2022-10-17, Execution Team 2022-10-31 |
| Participants: |
| Linked BF Score: | 105 |
| Description |
|
There are a few places in the code which assume that a collection name with 'system.buckets' prefix implies that the collection is a time-series collection. But we do allow users to create a regular collection with 'system.buckets' prefix. This might lead to some inconsistent behaviour. We generally don't allow users to create a collection with 'system.' prefix, so we should not treat 'system.buckets' prefix differently. |
| Comments |
| Comment by Gregory Noma [ 24/Oct/22 ] |
|
For the reasons mentioned above, I don't think we can do this ticket as described. I am closing it out and I have filed |
| Comment by Gregory Noma [ 19/Oct/22 ] |
|
We can't totally ban creating collections beginning with system.buckets because mongorestore needs to be able to create those collections. An alternative idea was to restrict this to only users with the restore role and remove it from all other built-in roles. However, the issue here is that users could always just create custom roles which give this ability, and we don't currently have a way to restrict custom roles in this way. |
| Comment by Jordi Serra Torrens [ 11/Oct/22 ] |
|
I filed |
| Comment by Gregory Noma [ 07/Oct/22 ] |
This actually isn't really the case; we allow users to create a system collection as long as it is a valid system collection. For instance, users can create system.views or system.resharding.a but they cannot create system.foo. So following this pattern would imply that we should not make this change. |
| Comment by Henrik Edin [ 23/Nov/21 ] |
|
We need to check so this doesn't break mongorestore. |
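
Since the ticket was closed as Works as Designed, a deployment can still contain regular collections named `system.buckets.*`. The following is an added example, not code from the ticket or from the MongoDB code base: an audit over `listCollections`-style output that flags such namespaces. It assumes each entry has the shape `{ name, type, options }` and that a genuine bucket collection carries `options.timeseries`; the function name and the sample data are constructed for illustration.

```javascript
// Added example: flag "system.buckets." namespaces that are not backed by a
// time-series definition, i.e. the case the ticket's description warns about.
const BUCKETS_PREFIX = "system.buckets.";

// Assumption: `infos` looks like listCollections output ({ name, type, options })
// and a real bucket collection has an `options.timeseries` sub-document.
function auditBucketNamespaces(infos) {
  const byName = new Map(infos.map((i) => [i.name, i]));
  const findings = [];
  for (const info of infos) {
    if (!info.name.startsWith(BUCKETS_PREFIX)) continue;
    const suffix = info.name.slice(BUCKETS_PREFIX.length);
    if (suffix === "") continue; // bare prefix, nothing to pair with
    const sibling = byName.get(suffix); // namespace the prefix implies
    const hasTsOptions = Boolean(info.options && info.options.timeseries);
    if (!hasTsOptions) {
      // Regular collection that prefix-based code would mistake for buckets.
      findings.push({
        name: info.name,
        issue: "regular collection with system.buckets prefix",
        siblingType: sibling ? sibling.type : null,
      });
    } else if (!sibling || sibling.type !== "timeseries") {
      findings.push({
        name: info.name,
        issue: "no matching time-series view",
        siblingType: sibling ? sibling.type : null,
      });
    }
  }
  return findings;
}

// Constructed sample input mirroring the ticket's reproduction steps.
const SAMPLE_INFOS = [
  { name: "weather", type: "timeseries", options: { timeseries: { timeField: "ts" } } },
  { name: "system.buckets.weather", type: "collection", options: { timeseries: { timeField: "ts" } } },
  { name: "system.buckets.new", type: "collection", options: {} },
  { name: "new", type: "collection", options: {} },
  { name: "system.buckets.orphan", type: "collection", options: { timeseries: { timeField: "ts" } } },
  { name: "system.views", type: "collection", options: {} },
];

for (const f of auditBucketNamespaces(SAMPLE_INFOS)) {
  console.log(`${f.name}: ${f.issue} (sibling: ${f.siblingType})`);
}
```

In mongosh the same function can be fed `db.getCollectionInfos()` for each database to be audited.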