[SERVER-6246] Manipulate user objects exclusively via commands Created: 28/Jun/12  Updated: 02/Aug/18  Resolved: 11/Oct/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 2.5.3

Type: Task Priority: Major - P3
Reporter: Spencer Brody (Inactive) Assignee: Spencer Brody (Inactive)
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on SERVER-9980 Add write concern to user management ... Closed
is depended on by SERVER-4225 Adding first admin user to database v... Closed
is depended on by CSHARP-793 Manipulate user objects exclusively v... Closed
is depended on by DRIVERS-103 Manipulate user objects exclusively v... Closed
is depended on by JAVA-830 update addUser to accomodate roles ba... Closed
is depended on by JAVA-909 Update user manipulation helpers to u... Closed
is depended on by DOCS-1936 Document: Manipulate user objects exc... Closed
is depended on by SERVER-10151 re-enable the "Test change role" sect... Closed
is depended on by SERVER-10249 Re-enable update portion of jstests/v... Closed
is depended on by SERVER-10493 Update tools to support backing up an... Closed
Duplicate
is duplicated by SERVER-9662 API for managing user roles Closed
Related
related to SERVER-19759 add a configure check for std::timed_... Closed
is related to SERVER-9446 No sanity check of role existence whe... Closed
is related to SERVER-9939 createUser and updateUser commands ar... Closed
is related to SERVER-10794 For compatibility with old versions o... Closed
is related to SERVER-10320 Write jstest for adding/updating user... Closed
is related to SERVER-7727 Provide at least two extra free forma... Closed
Backwards Compatibility: Major Change
Participants:

 Description   

Rather than using CRUD operations on db.system.users collections, user objects will be manipulated via commands:

```
db.runCommand({
  createUser: 1,
  user: "spencer",
  password: "clear password",  // Unless "db" is "$external"
  extraData: <optional opaque Object>,
  roles: [ { name: "roleName", db: "roleDB", canDelegate: <Boolean> }, ... ]
});

db.runCommand({
  updateUser: 1,
  user: "spencer",
  password: "new password clear",  // Optional
  extraData: <Object>, // Optional
});

db.runCommand({ deleteUser: 1, user: "spencer" });

db.runCommand({
  grantRolesToUser: 1,
  user: "spencer",
  db: "somedb",  // Should this default to the db this command is targeted at?
  roles: [ { name: "roleName", db: "roleDB", canDelegate: <Boolean> }, ...]
});

db.runCommand({
  revokeRolesForUser: 1,  // Who can do this?
  user: "spencer",
  db: "somedb",  // Should this default to the db this command is targeted at?
  roles: [ { name: "roleName", db: "roleDB", canDelegate: <Boolean> }, ...]
});

db.runCommand({ usersInfo: 1, [userName: "spencer"] })
```



 Comments   
Comment by auto [ 25/Oct/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-11352 SERVER-6246 When acquiring lock to update user data block for 5 seconds before giving up
Branch: master
https://github.com/mongodb/mongo/commit/1143e17d3425e78a727df56b1c214824cc8c44fd

Comment by auto [ 15/Oct/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Basic test of updateUser command
Branch: master
https://github.com/mongodb/mongo/commit/6ee3ed887a44c850faadc8c5debcff4a135b8c5f

Comment by auto [ 11/Oct/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Validate that user passwords can't be empty
Branch: master
https://github.com/mongodb/mongo/commit/8952535c3dc337957f68e11b9b48c8709771a0e7

Comment by auto [ 11/Oct/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-9517 SERVER-6246 Make 'hasRole' and 'canDelegate' fields in roles array optional
Branch: master
https://github.com/mongodb/mongo/commit/0397775a52a814135225e6e8407455ba86dc117d

Comment by auto [ 10/Oct/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-9515 SERVER-6246 SERVER-9517 Instead of "name", in user objects use "user" and in role objects use "role"
Branch: master
https://github.com/mongodb/mongo/commit/8093bb525d453cf880a3525c78f87178b493128c

Comment by auto [ 10/Oct/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 SERVER-9515 In every place we grant roles need to make sure the roles exist
Branch: master
https://github.com/mongodb/mongo/commit/3f3bf961cb9676235f5d24989bbf8b30fb125563

Comment by auto [ 10/Oct/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 SERVER-9515 Implement proper authz checks for user and role management commands
Branch: master
https://github.com/mongodb/mongo/commit/586c2dea5a72bfc2917af91d0751fcd399c0209b

Comment by auto [ 09/Oct/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Remove grantDelegateRoleToUser and revokeDelegateRoleFromUser commands
Branch: master
https://github.com/mongodb/mongo/commit/1cf9e0b71ee1b9108c57a626d40582d843e47026

Comment by auto [ 06/Oct/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 SERVER-9515 Update usersInfo and rolesInfo commands to new API
Branch: master
https://github.com/mongodb/mongo/commit/ee7ea7ea7f8eb423cd2ee8ec928f2b50e014ac52

Comment by auto [ 06/Oct/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 SERVER-9515 Rename removeUser and removeRole commands to dropUser/dropRole
Branch: master
https://github.com/mongodb/mongo/commit/1fde4728583e1ca5f6432b2ba517a90e7b1d8e17

Comment by auto [ 04/Oct/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 SERVER-9515 Clean up parsing of some existing user and role management commands.
Branch: master
https://github.com/mongodb/mongo/commit/e0f70cdb67a36c831a23b452e7b9fba41f512ae0

Comment by auto [ 26/Sep/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Allow usersInfo command to run on secondaries
Branch: master
https://github.com/mongodb/mongo/commit/25d5d2ae7c22267d942532de72109d3d7bf67a8c

Comment by auto [ 25/Sep/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Rename PrivilegeDocumentParser to UserDocumentParser and move user_management_commands_parser into auth directory
Branch: master
https://github.com/mongodb/mongo/commit/a938bebde04c1320aa267f0990251d83e9bd4cfc

Comment by auto [ 24/Sep/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Small improvements to user management commands parsing.

Make sure that every command gets checked that there are no extra arguments, and be consistent
about where writeConcern is parsed;
Branch: master
https://github.com/mongodb/mongo/commit/8b2e3dc176c1cbdcea5b57e080185b4fd48796c2

Comment by auto [ 24/Sep/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 SERVER-9518 Invalidate users even if update returned bad Status
Branch: master
https://github.com/mongodb/mongo/commit/ff60a1debd72cda29197871d1c19f536fb434eac

Comment by auto [ 19/Sep/13 ]

Author: Spencer T Brody (stbrody) <spencer@mongodb.com>

Message: SERVER-6246 Lock authz documents update guard in user management commands
Branch: master
https://github.com/mongodb/mongo/commit/4be4d5b25da64dccb1d9c41abeea43c9b5ddd997

Comment by auto [ 19/Sep/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Add write concern to user management shell helpers
Branch: master
https://github.com/mongodb/mongo/commit/bce3d927ca3013e54f111161f3b3cc9b752066e3

Comment by auto [ 19/Sep/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Add shell helpers and jstest for user management commands
Branch: master
https://github.com/mongodb/mongo/commit/49dca97bd8bd83b27fe9448da857d86e18921f61

Comment by auto [ 17/Sep/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Add usersInfo command
Branch: master
https://github.com/mongodb/mongo/commit/ae422036c9693096c9a3732a2ec76567d48112e3

Comment by auto [ 17/Sep/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: Revert "SERVER-6246 Add usersInfo command"

This reverts commit 88b88bd49c2ecdc4a3f0be050360099401310566.
Branch: master
https://github.com/mongodb/mongo/commit/aea2b5a090662837c0f1b51fa34bbd6bb727f429

Comment by auto [ 16/Sep/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Add usersInfo command
Branch: master
https://github.com/mongodb/mongo/commit/88b88bd49c2ecdc4a3f0be050360099401310566

Comment by Andy Schwerin [ 16/Sep/13 ]

SERVER-10794 tracks providing backwards compatibility for one release cycle for the behavior of new shells.

Comment by auto [ 16/Sep/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Implement remaining commands for controlling what roles a user has and can delegate
Branch: master
https://github.com/mongodb/mongo/commit/3a87320cb548be3ffddbf943da0af2833f433875

Comment by Derick Rethans [ 16/Sep/13 ]

Poor practise or not, it's how it worked and you're breaking BC with this change—not only for us, but also for everybody else who uses db.addUser in a script!

Comment by Spencer Brody (Inactive) [ 16/Sep/13 ]

That's because the db.addUser(<username>, <password>) shell helper, which takes just a username and a password, has been removed. This is because the default behavior of that helper is to create a super user, which is poor security practice. The new way to create users is db.addUser(<username>, <password>, <roles array>) - this way we guarantee that clients are explicitly thinking about what roles newly-created users should start with.

Comment by Derick Rethans [ 16/Sep/13 ]

So what's the deal with the Mongo shell not working anymore? Right now with the current nightly our Jenkins tests won't start because of ``addUser`` not working correctly (see bottom of https://jenkins.10gen.com/job/mongo-php-driver/239/mongodb_configuration=single_server,mongodb_server=unstable-release,os_arch=linux64,php_language_version=5.3/console):

```
/mnt/jenkins/languages/php/r5.3.8/bin/php tests/utils/make-servers.php
Making STANDALONE.. DONE (11.20 secs): 127.0.0.1:30000
Making STANDALONE_AUTH.. Authenticated Standalone server not initialized
```

This is because of:

```
2013-09-13T14:50:55.866+0100 Error: Invalid arguments to
addUser. addUser must either be run with a full user object or
with a username, password, and roles array at
src/mongo/shell/db.js:220
```

Comment by auto [ 13/Sep/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Implement grantRolesToUser command
Branch: master
https://github.com/mongodb/mongo/commit/92eaaca216f439df7e4e990dd23a7b74cc6a13cd

Comment by auto [ 06/Sep/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-9517 SERVER-6246 Update shell helpers for user management
Branch: master
https://github.com/mongodb/mongo/commit/1a2d5ede29501a063f66da108fbb3d9a57eb1289

Comment by auto [ 06/Sep/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Change user management commands to use the new v2 style user documents
Branch: master
https://github.com/mongodb/mongo/commit/25785ee485220aa468fbc3eedfec1f05b36d502a

Comment by Bernie Hackett [ 20/Aug/13 ]

Request from the drivers team...

Our current "addUser" helpers also fill the "updateUser" role. We can continue to do that in a non-backward breaking way by calling the new usersInfo command in the existing addUser helper. If usersInfo returns information for the given user we call updateUser, otherwise we call createUser. It would be nice if usersInfo returned an empty list if the given user doesn't exist, instead of raising an error.

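The upsert behaviour the drivers team asks for, and the "username, password, and roles array" requirement the shell helper enforces later in this thread, as one added example in JavaScript (not MongoDB's or any driver's code): an addUser helper that consults usersInfo and then issues createUser or updateUser, carries a write concern on every command, and refuses the old two-argument form so that callers always state the roles a new user starts with. The runCommand it is given is injected so the code runs offline; the scriptedServer test double is constructed for this page, and the default write concern and the "not found" error wording tolerated from builds whose usersInfo still raises are assumptions of the example.

```javascript
// Added example, not MongoDB's or any driver's code: the driver-side "addUser as
// upsert" flow, written against an injected runCommand(cmd) so it runs offline.
function addUser(runCommand, user, pwd, roles, opts = {}) {
  // The old two-argument form (user, password) silently made a super user; refuse it.
  if (!Array.isArray(roles)) {
    throw new Error("addUser must be run with a username, password, and roles array");
  }
  if (typeof pwd !== "string" || pwd.length === 0) throw new Error("password cannot be empty");

  // Every user management command carries a write concern so the change is durable
  // before any client relies on it; the default here is an assumption of this example.
  const writeConcern = opts.writeConcern || { w: "majority", wtimeout: 5000 };
  const exists = userExists(runCommand, user);
  const cmd = exists ? { updateUser: user } : { createUser: user };
  Object.assign(cmd, { pwd, roles, writeConcern });
  if (opts.customData !== undefined) cmd.customData = opts.customData;

  const res = runCommand(cmd);
  if (res.ok !== 1) throw new Error(`${Object.keys(cmd)[0]} failed: ${res.errmsg}`);
  return exists ? "updated" : "created";
}

// usersInfo may answer a missing user with an empty "users" list (what the drivers
// team asked for) or, on builds that raise instead, with an ok:0 reply. Only a
// "not found" style error is treated as absence (the wording matched here is an
// assumption); any other failure, e.g. not authorized, is surfaced to the caller.
function userExists(runCommand, user) {
  const res = runCommand({ usersInfo: user });
  if (res.ok !== 1) {
    if (/not found|does not exist/i.test(res.errmsg || "")) return false;
    throw new Error(`usersInfo failed: ${res.errmsg}`);
  }
  return Array.isArray(res.users) && res.users.length > 0;
}

// Constructed test double: replays scripted replies and records each command sent,
// so the helper can be exercised without a server.
function scriptedServer(replies) {
  const sent = [];
  const queue = replies.slice();
  const runCommand = (cmd) => {
    sent.push(cmd);
    return queue.length ? queue.shift() : { ok: 0, errmsg: "no scripted reply" };
  };
  return { runCommand, sent };
}

// Usage: a user that does not exist yet is created with explicit roles, never as a super user.
const demo = scriptedServer([{ ok: 1, users: [] }, { ok: 1 }]);
addUser(demo.runCommand, "spencer", "s3cret", [{ role: "readWrite", db: "test" }]);
```

Two things are deliberate here. The existence check and the write are two round trips, so a concurrent createUser can still win the race; the helper therefore surfaces the createUser or updateUser error rather than retrying, leaving the caller to decide. And an authorization failure from usersInfo is not mistaken for "user does not exist", which would otherwise turn a missing privilege into an attempted createUser.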
Comment by auto [ 06/Aug/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Fix unused variable error in non-debug builds
Branch: master
https://github.com/mongodb/mongo/commit/54c65b6e324781f7b8c97ceeeecd28145cb4c013

Comment by auto [ 06/Aug/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 In smoke.py, use command to create user, rather than direct insert to system.users
Branch: master
https://github.com/mongodb/mongo/commit/7f2c86d8938fe0e02f7c2deb7c630e5f2c7e1076

Comment by auto [ 01/Aug/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Restrict direct removes from system.users, add a shell helper to use the removeUser command, and update tests to use the helper
Branch: master
https://github.com/mongodb/mongo/commit/211099e4bb2709d5fbd501d0bd44b49a77c2435b

Comment by auto [ 01/Aug/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Add removeUsers command
Branch: master
https://github.com/mongodb/mongo/commit/bdad6392922a467eaeda060b69471557beb6a955

Comment by Spencer Brody (Inactive) [ 31/Jul/13 ]

All user management commands will also need to be able to take write concern. Will probably look something like:

writeConcern: {w:"majority", wtimeout:5000}

Comment by Spencer Brody (Inactive) [ 17/Jul/13 ]

After there is a command to remove users, make sure to forbid direct remove operations on system.users collections.

Comment by auto [ 17/Jul/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Forbid direct inserts and updates to system.users collections when auth is enabled
Branch: master
https://github.com/mongodb/mongo/commit/b85f738cebd1846ca995b25e21406532e5400497

Comment by auto [ 09/Jul/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Temporarily make user management commands take global write lock.

This is to enable the temporary approach of fully rebuilding user data in memory on each update to
user document, as part of facilitating the transition to the new user data structures.
Branch: master
https://github.com/mongodb/mongo/commit/740239e90b7f16463ed45f363cc13efb1383fa11

Comment by auto [ 08/Jul/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Change shell helpers for [add/update]User to attempt to use new commands, and fall back to CRUD
Branch: master
https://github.com/mongodb/mongo/commit/291f7c324d7361a84951bab734e3959f83ef2ba3

Comment by auto [ 25/Jun/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-10018 SERVER-6246 Ignore "noreplset" error from GLE:majority when updating a user in master/slave
Branch: master
https://github.com/mongodb/mongo/commit/ace643f0afb1e4637587abf3faa05edd6f2fc123

Comment by auto [ 20/Jun/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Don't query for existing users in addUser shell helper
Branch: master
https://github.com/mongodb/mongo/commit/512672d0df049aa992b2f00c1f2968767a6cd2c8

Comment by auto [ 20/Jun/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Fix some tests to work with new createUser command
Branch: master
https://github.com/mongodb/mongo/commit/35ed8f8722088d4215dcea5c32dde2e52c42c099

Comment by auto [ 20/Jun/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Check for existence of "code" field before accessing it when creating a user doc
Branch: master
https://github.com/mongodb/mongo/commit/0d9540aaea8a06d9c4c9c465488261ba91ec9c84

Comment by auto [ 20/Jun/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Add otherDBRoles to createUser command
Branch: master
https://github.com/mongodb/mongo/commit/a01f9fda4c522130922c1601119acb9df9ce853f

Comment by auto [ 20/Jun/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Fix indentation of updateUser command
Branch: master
https://github.com/mongodb/mongo/commit/e2254896d875d2fa7866938cbf4f33d0a3910c53

Comment by auto [ 20/Jun/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Make sure we release the write lock before calling GLE in user management commands
Branch: master
https://github.com/mongodb/mongo/commit/cf351d0ee969f6b1709ad4d4e307e17242be2434

Comment by auto [ 20/Jun/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Make createUser generate _id for user object
Branch: master
https://github.com/mongodb/mongo/commit/de9b1bba1d69e80bf403ef01c82741c8300e0427

Comment by auto [ 20/Jun/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Validate that createUser and updateUser commands don't receive any unexpected arguments
Branch: master
https://github.com/mongodb/mongo/commit/b7c325752afbf532f5a2b5b056995d15ddda36c3

Comment by auto [ 14/Jun/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Hash password in createUser command
Branch: master
https://github.com/mongodb/mongo/commit/a73206f7a11f8641b2a7737ad4ecb14202d944c8

Comment by auto [ 14/Jun/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Hash password in createUser command
Branch: hashPasswordOnServerToCommit
https://github.com/mongodb/mongo/commit/a73206f7a11f8641b2a7737ad4ecb14202d944c8

Comment by auto [ 14/Jun/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Add updateUser command and shell helper
Branch: master
https://github.com/mongodb/mongo/commit/85a5413d651d00849d63b96386584e36d5d845e3

Comment by auto [ 12/Jun/13 ]

Author: Tad Marshall (tadmarshall) <tad@10gen.com>

Message: SERVER-6246 Visual Studio – add new file
Branch: master
https://github.com/mongodb/mongo/commit/917beec5445a869da5f0315a7501d8acf1ce8d2f

Comment by auto [ 11/Jun/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-6246 Add createUser command
Branch: master
https://github.com/mongodb/mongo/commit/71a46cf6b9465204eed8707933d50a858e8d4d6b

Generated at Thu Feb 08 03:11:09 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.