[SERVER-8491] Users with role "userAdminAnyDatabase" cannot create a database's first user
Created: 08/Feb/13  Updated: 11/Jul/16  Resolved: 11/Feb/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.4.0-rc0
Fix Version/s: 2.4.0-rc1

Type: Bug
Priority: Major - P3
Reporter: J Rassi
Assignee: Spencer Brody (Inactive)
Resolution: Done
Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL

 Description   

Reproduce with the following:

adminDb = db.getSiblingDB("admin")
testDb = db.getSiblingDB("testdb")
adminDb.addUser({user:'admin',pwd:'password',roles:['userAdminAnyDatabase']})
adminDb.auth('admin','password')
testDb.addUser({user:'readUser',pwd:'password',roles:['read']})

When run against mongod --auth, version 2.4.0-rc0:

Fri Feb  8 17:23:28.298 [conn1] insert testdb.system.users keyUpdates:0 exception: not authorized to create index on testdb.system.users code:16548 locks(micros) w:578348 578ms

The above failure occurs because user admin does not have readWrite on testdb, and the insert into testdb.system.users fails during the index creation step.
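
A regression probe for the behaviour reported above, added here as an example (it is not code from the ticket or from MongoDB). `probeFirstUserCreation` and `makeStubDb` are hypothetical names, the stub is a constructed stand-in so the probe runs offline, and it is an assumption that `auth` returns a falsy value and `addUser` throws on failure.

```javascript
// Added example; ES5 only so it also loads in an old mongo shell.
// Error text copied from the log line in the ticket.
var INDEX_DENIED = /not authorized to create index on \S+\.system\.users/;

// Authenticates as `admin`, then tries to create `target` as a user.
// Assumption: auth() returns a falsy value on failure, addUser() throws.
function probeFirstUserCreation(db, admin, target) {
  var adminDb = db.getSiblingDB("admin");
  var targetDb = db.getSiblingDB(target.db);
  // An unauthenticated session gets the same index error (see the comments
  // on the ticket), so report a failed login as its own outcome.
  if (!adminDb.auth(admin.user, admin.pwd)) {
    return { ok: false, reason: "auth-failed" };
  }
  try {
    targetDb.addUser({ user: target.user, pwd: target.pwd, roles: target.roles });
  } catch (e) {
    var msg = String(e && e.message ? e.message : e);
    var reason = INDEX_DENIED.test(msg) ? "index-denied" : "other";
    return { ok: false, reason: reason, detail: msg };
  }
  return { ok: true, reason: "created" };
}

// Constructed stand-in for a mongod --auth connection, not MongoDB code.
// rc0Behaviour=true imitates the failure reported for 2.4.0-rc0.
function makeStubDb(rc0Behaviour) {
  var roles = []; // roles of the current session
  var users = { admin: { admin: { pwd: "password", roles: ["userAdminAnyDatabase"] } } };
  return {
    getSiblingDB: function (name) {
      return {
        auth: function (user, pwd) {
          var u = (users[name] || {})[user];
          if (!u || u.pwd !== pwd) { return 0; }
          roles = u.roles;
          return 1;
        },
        addUser: function (doc) {
          var isUserAdmin = roles.indexOf("userAdminAnyDatabase") >= 0;
          if (!isUserAdmin || rc0Behaviour) {
            throw "not authorized to create index on " + name + ".system.users";
          }
          users[name] = users[name] || {};
          users[name][doc.user] = doc;
        }
      };
    }
  };
}
```

Against a real test deployment, pass the shell's `db` object instead of the stub; an `index-denied` result after a successful login is the condition this ticket describes.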



 Comments   
Comment by Spencer Brody (Inactive) [ 11/Feb/13 ]

Was able to repro on 2.4.0-rc0 (I was building off master previously). I believe this was fixed by https://github.com/mongodb/mongo/commit/c81afde28a94d7b4588c04b88797c9a67a4640ef.

Comment by Spencer Brody (Inactive) [ 11/Feb/13 ]

I have been unable to reproduce this behavior. One thing I have noticed, however, is that if you are completely unauthenticated and try to add a user, you get this error message about being unable to create the index, rather than a better error message saying that you need userAdmin permission. rassi@10gen.com, are you sure that's not what you were seeing?

Generated at Thu Feb 08 03:17:35 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.