[SERVER-66238] Unable to view system.views on mongos Created: 05/May/22  Updated: 17/May/22

Status: Investigating
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Julia Ruddy (Inactive) Assignee: Julia Ruddy (Inactive)
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Problem/Incident
Operating System: ALL
Steps To Reproduce:
  1. Create a sharded cluster with auth
  2. Create a user with the roles listed above 
  3. Connect to the mongos 
  4. Create a view on any collection 
  5. Try to run any command (i.e. db.system.views.find()) and see the authentication error
  6. Repeat the above steps on a replica set and see that there is no error when running commands on system.views 
Sprint: Security 2022-05-30
Participants:

 Description   

For a sharded cluster with auth enabled, running any operation on system.views results in an authentication error despite being connected as a user with the following roles: 

    { "role" : "backup", "db" : "admin" },
    { "role" : "clusterMonitor", "db" : "admin" },
    { "role" : "dbAdminAnyDatabase", "db" : "admin" },
    { "role" : "enableSharding", "db" : "admin" },
    { "role" : "readWriteAnyDatabase", "db" : "admin" }

Additionally, when I run show collections on a database with views, the system.views collection is not shown. This behavior differs from that of a replica set. When I create a replica set with auth and authenticate as a user with the same roles as above, I see the system.views collection and am able to run operations on the collection accordingly.

Is this difference in behavior between mongos and mongod intentional?



 Comments   
Comment by Sara Golemon [ 17/May/22 ]

julia.ruddy@mongodb.com I'm not seeing the behavior you describe in my attempts to reproduce based on the information you provided: https://github.com/10gen/mongo/commit/5c022b45fc2e492d14305b3b6305994d6ae7fa9d

I'm getting the expected "Unauthorized to run find on test.system.views" exception for standalone, replset, and sharding. Could you take a look at my test case and advise where I'm diverging from yours? Or perhaps provide your own repro script?

Comment by Chris Kelly [ 10/May/22 ]

Issue appears to be related to authentication on mongos. In SERVER-27554, built-in roles generally do not provide permission to run .find() and usually require custom roles it seems. A normal workaround appears to be in FREE-189645 (or this stackoverflow link), which shows creating a custom role to get this query to work. Not sure if that may be of any help in this case since we are only seeing this behavior in mongos.
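
The custom-role workaround mentioned in the comment above, as an added example (not code from this ticket or from MongoDB): a narrowly scoped role that grants only find on one database's system.views, followed by a check of the user's resolved privileges. The role name "viewsReader" and the function names are hypothetical; createRole, getRole, grantRolesToUser and getUser are the standard mongosh helpers, and the comment itself leaves open whether this helps on mongos.

```javascript
// Added example. In mongosh, call grantSystemViewsRead(db, "test", "someUser").
// "viewsReader" is a hypothetical role name, not one defined by the ticket.
function systemViewsRole(dbName, roleName = "viewsReader") {
  return {
    role: roleName,
    // Least privilege: one action, one collection, one database.
    privileges: [
      { resource: { db: dbName, collection: "system.views" }, actions: ["find"] },
    ],
    roles: [], // inherit nothing
  };
}

// Conservative check: only an explicit grant on <dbName>.system.views counts.
// Wildcard resources such as { db: "", collection: "" } are deliberately not
// treated as covering a system collection.
function hasFindOnSystemViews(privileges, dbName) {
  return privileges.some(
    (p) =>
      p.resource &&
      p.resource.db === dbName &&
      p.resource.collection === "system.views" &&
      Array.isArray(p.actions) &&
      p.actions.includes("find")
  );
}

// Creates the role if missing, grants it, then confirms the privilege shows up
// in the user's resolved privileges. Assumes the user is defined in userDb.
function grantSystemViewsRead(db, dbName, userName, userDb = "admin") {
  const roleDoc = systemViewsRole(dbName);
  const target = db.getSiblingDB(dbName);
  if (target.getRole(roleDoc.role) === null) {
    target.createRole(roleDoc);
  }
  const users = db.getSiblingDB(userDb);
  users.grantRolesToUser(userName, [{ role: roleDoc.role, db: dbName }]);
  const user = users.getUser(userName, { showPrivileges: true });
  return hasFindOnSystemViews((user && user.inheritedPrivileges) || [], dbName);
}
```

Running the same check against both the mongos and a replica set member shows whether the two resolve the user's privileges differently.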

 
