Core Server / SERVER-13833

userAdminAnyDatabase role should be able to create indexes on admin.system.users and admin.system.roles

    • Fully Compatible
    • ALL

      Issue Status as of Jul 31, 2014

      ISSUE SUMMARY
      The built-in role userAdminAnyDatabase does not have permissions to create and drop indexes on the collections admin.system.users and admin.system.roles.

      USER IMPACT
      Database administrators may wish to create indexes on the users or roles collection if they contain many users or roles, in order to make queries on the collections more efficient. Similarly, once these indexes have been created, the administrators should be able to drop said indexes. Currently they are unable to do so.

      WORKAROUNDS
      Create a new user-defined role that grants the necessary permissions and add that role to the desired admin user. In this case, the role creation would look like:

      // Run against the admin database, where userAdminAnyDatabase is defined.
      db.runCommand( {
          createRole: "workaroundRole",
          roles: ["userAdminAnyDatabase"],
          privileges: [
              { resource: { db: "admin", collection: "system.users" }, actions: ["createIndex", "dropIndex"] },
              { resource: { db: "admin", collection: "system.roles" }, actions: ["createIndex", "dropIndex"] }
          ]
      } );
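
      One way to confirm that a role carries the four privileges this workaround grants, as an added example that is not part of the original ticket or MongoDB's own code. It assumes role documents shaped like the output of rolesInfo with showPrivileges: true; both sample documents are constructed, and exampleWildcardRole is a hypothetical role.

```javascript
// Added example: check a role document, shaped like one entry of the `roles`
// array returned by { rolesInfo: <role>, showPrivileges: true }.
const NEEDED_COLLECTIONS = ["system.users", "system.roles"];
const NEEDED_ACTIONS = ["createIndex", "dropIndex"];
// True if a privilege's resource document covers db.collection.
// An empty collection string matches non-system collections only, so
// system.* collections must be named explicitly (or anyResource granted).
function resourceCovers(resource, db, collection) {
  if (resource.anyResource === true) return true;
  if (typeof resource.db !== "string" || typeof resource.collection !== "string") {
    return false; // e.g. { cluster: true }
  }
  const dbOk = resource.db === "" || resource.db === db;
  const collOk = resource.collection === collection ||
    (resource.collection === "" && !collection.startsWith("system."));
  return dbOk && collOk;
}

// Returns the "collection:action" pairs the role lacks on the admin database.
function missingIndexPrivileges(roleDoc) {
  const privs = [...(roleDoc.privileges || []), ...(roleDoc.inheritedPrivileges || [])];
  const missing = [];
  for (const coll of NEEDED_COLLECTIONS) {
    for (const action of NEEDED_ACTIONS) {
      const granted = privs.some((p) =>
        resourceCovers(p.resource, "admin", coll) && p.actions.includes(action));
      if (!granted) missing.push(`${coll}:${action}`);
    }
  }
  return missing;
}

// Constructed sample: the privileges from the workaround role above.
const workaroundRoleDoc = {
  role: "workaroundRole", db: "admin",
  privileges: NEEDED_COLLECTIONS.map((c) => ({
    resource: { db: "admin", collection: c }, actions: ["createIndex", "dropIndex"] })),
};
// Constructed, hypothetical role that only holds wildcard and cluster grants.
const wildcardRoleDoc = {
  role: "exampleWildcardRole", db: "admin",
  privileges: [
    { resource: { db: "", collection: "" }, actions: ["createIndex", "dropIndex"] },
    { resource: { cluster: true }, actions: ["listDatabases"] },
  ],
};
console.log(missingIndexPrivileges(workaroundRoleDoc));
console.log(missingIndexPrivileges(wildcardRoleDoc));
```

      An empty result means the role can create and drop indexes on both collections; the wildcard-only role reports all four pairs as missing because system collections are not covered by an empty collection name.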
      

      AFFECTED VERSIONS
      All production release versions from 2.6.0 to 2.6.3 are affected by this issue.

      FIX VERSION
      The fix is included in the 2.6.4 production release.

      RESOLUTION DETAILS
      The privileges to dropIndex and createIndex on the admin.system.users and admin.system.roles collections were added to the userAdminAnyDatabase role.

      Original description

      userAdminAnyDatabase cannot create indexes on system.users or system.roles collections.

            Assignee:
            amalia.hawkins@10gen.com Amalia Hawkins
            Reporter:
            spencer@mongodb.com Spencer Brody (Inactive)