[SERVER-9301] Mongo 2.4 User Privilege Roles unclear
Created: 09/Apr/13  Updated: 10/Dec/14  Resolved: 09/Apr/13

Status: Closed
Project: Core Server
Component/s: Admin
Affects Version/s: 2.4.1
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Edouard Perov
Assignee: Spencer Brody (Inactive)
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: Linux
Operating System: ALL
Steps To Reproduce: Provided
Participants:

 Description   

Hi,
What role is needed to show the list of databases, or is this a bug?

I granted the following roles

{
"user" : "wfm_admin",
"pwd" : "28c345aae0e0c346e7f2e4a2f77d96",
"roles" : [
"readAnyDatabase",
"userAdminAnyDatabase",
"dbAdminAnyDatabase"
],
"_id" : ObjectId("51644586994702cc60d084b2")
}

But when I connect as this user I get the error

> show dbs
Tue Apr 9 09:46:11.399 JavaScript execution failed: listDatabases failed:

{ "ok" : 0, "errmsg" : "unauthorized" }

at src/mongo/shell/mongo.js:L46

Thanks,
Edouard



 Comments   
Comment by Edouard Perov [ 10/Apr/13 ]

Please ignore, I found out it is dbAdminAnyDatabase

Comment by Edouard Perov [ 10/Apr/13 ]

Hi,
What privilege is needed to see Profile in another database?
I am using the user originally created in the "admin" database

{ "_id" : ObjectId("5164b462e325f6f8e8aeacea"), "user" : "wfm_admin", "pwd" : "28c2c203aae0e0c134e7f2e4a2f77d96", "roles" : [ "readAnyDatabase", "userAdminAnyDatabase", "clusterAdmin", "dbAdmin" ] }

but it gets an error when it connects to another database
wfm:PRIMARY> use wfm

wfm:PRIMARY> show profile
Wed Apr 10 22:44:47.280 JavaScript execution failed: count failed:

{ "ok" : 0, "errmsg" : "unauthorized" }

at src/mongo/shell/query.js:L180

Thanks,
Edouard

Comment by Spencer Brody (Inactive) [ 09/Apr/13 ]

You're right, that message is a bit misleading. I have filed this pull request against our documentation to clarify the function of the clusterAdmin roles: https://github.com/mongodb/docs/pull/833. Hopefully that clears things up, thank you for the suggestion!

Comment by Edouard Perov [ 09/Apr/13 ]

Thank you very much, it works.
Would you please clarify this somehow and list the commands that require specific roles?
For example, the clusterAdmin role description does not say it anywhere,
the documentation says:
"clusterAdmin grants access to several administration options replica set and sharded cluster administrative functions."
But I tried this on a single instance server - No Replica, No Shards, so I did not even think that the role might be required.
I spent a couple of hours granting many combinations of roles, but not the one that is needed.
Thanks,
Edouard

Comment by Spencer Brody (Inactive) [ 09/Apr/13 ]

The listDatabases command requires the "clusterAdmin" role. You can see a full list of the roles supported in 2.4, as well as all the operations that are granted to each role, here: http://docs.mongodb.org/manual/reference/user-privileges/
