Core Server / SERVER-15181

Granting a user "insert", but not "createCollection" does not prevent them from creating collections

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • Affects Version/s: 2.6.3
    • Component/s: Security
    • ALL

      I created a new user role that only had the "insert" privilege.

      > use test
      switched to db test
      > db.createRole({ role: "insertonly", privileges: [ {resource: {db: "test", collection: ""}, actions: [ "insert"]}], roles: []})
      {
              "role" : "insertonly",
              "privileges" : [
                      {
                              "resource" : {
                                      "db" : "test",
                                      "collection" : ""
                              },
                              "actions" : [
                                      "insert"
                              ]
                      }
              ],
              "roles" : [ ]
      }
      

      I then added a new user that only had this role:

      > db.createUser({"user": "foo", "pwd": "password", "roles": [ {role: "insertonly", db: "test"}]})
      Successfully added user: {
              "user" : "foo",
              "roles" : [
                      {
                              "role" : "insertonly",
                              "db" : "test"
                      }
              ]
      }
      

      I then list the collections in test:

      > show collections
      

      I then authenticate as this user in a new mongo shell. I am able to create a new collection implicitly, by adding to an empty collection:

      > use test
      switched to db test
      > db.thisisanewcollection.insert({name: "ernie", type: "cat"})
      WriteResult({ "nInserted" : 1 })
      

      I am also able to create a new collection explicitly, by calling db.createCollection():

      > db.createCollection("secondnewcollection")
      { "ok" : 1 }
      

      I can verify both of these collections are there by running show collections (as the admin user):

      > show collections
      secondnewcollection
      system.indexes
      thisisanewcollection
      

      So there are two issues here - a user possessing only the "insert" privilege is able to:

      1. Create collections implicitly by adding to a non-existent collection
      2. Create collections explicitly by calling db.createCollection().

      I believe 2. is definitely buggy behaviour.

      For 1., this may or may not be against intentions (based on the comment at https://github.com/mongodb/mongo/blob/266b75ca868a95fd2a4e30e3cf4898de1e13698d/src/mongo/db/dbcommands.cpp#L525). However, if it is intended, it is not made clear in the documentation, and also, we should raise a new SERVER ticket to add this functionality in - that is, it is certainly desirable to have a way of preventing users from creating new collections at will.
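The report above boils down to a least-privilege question: which custom roles end up able to create collections, either through the explicit "createCollection" action or, as observed on 2.6.3 here, through a db-wide "insert" privilege. The following offline audit script is an added example, not code from the ticket or from MongoDB. It reads role documents in the shape db.createRole() returns on this page (including the "insertonly" role from the report), resolves inherited roles, and lists the creation paths for a given namespace. The "eventWriter" and "schemaAdmin" roles, the "<db>.<role>" catalogue keys and the probe collection name are constructed for illustration; the empty-string wildcard semantics for "db"/"collection" and the {anyResource: true} resource form are MongoDB's documented resource rules.

```python
"""Offline least-privilege audit of MongoDB role documents (added example).

Answers the question SERVER-15181 raises: which roles let a user create
collections, explicitly (the "createCollection" action) or implicitly (the
"insert" action, which on 2.6.3 created the target collection on first write
and, per this ticket, also let db.createCollection() succeed).
"""
from typing import Dict, List, Optional, Set

# Constructed role catalogue keyed "<db>.<role>" (assumption: mirrors the _id
# form MongoDB uses in system.roles). "insertonly" is the role from the
# ticket; "eventWriter" and "schemaAdmin" are hypothetical roles added here.
ROLES: Dict[str, dict] = {
    "test.insertonly": {
        "role": "insertonly",
        "privileges": [
            {"resource": {"db": "test", "collection": ""}, "actions": ["insert"]},
        ],
        "roles": [],
    },
    "test.eventWriter": {  # hypothetical: insert scoped to one collection
        "role": "eventWriter",
        "privileges": [
            {"resource": {"db": "test", "collection": "events"}, "actions": ["insert"]},
        ],
        "roles": [],
    },
    "test.schemaAdmin": {  # hypothetical: explicit createCollection, inherits eventWriter
        "role": "schemaAdmin",
        "privileges": [
            {"resource": {"db": "test", "collection": ""}, "actions": ["createCollection"]},
        ],
        "roles": [{"role": "eventWriter", "db": "test"}],
    },
}

# Collection name assumed not to exist; used to ask "could this role create
# an arbitrary new collection in the database?"
PROBE_COLLECTION = "__nonexistent_probe__"


def resource_matches(resource: dict, db: str, collection: str) -> bool:
    """True if a privilege's resource document covers db.collection.

    MongoDB reads an empty string as "all": {db: "test", collection: ""}
    covers every collection in test; {db: "", collection: ""} covers every
    database. {anyResource: true} covers everything; cluster resources never
    cover a namespace.
    """
    if resource.get("anyResource"):
        return True
    if "db" not in resource:
        return False
    db_ok = resource["db"] in ("", db)
    coll_ok = resource.get("collection", "") in ("", collection)
    return db_ok and coll_ok


def granted_actions(role_id: str, db: str, collection: str,
                    catalogue: Dict[str, dict],
                    seen: Optional[Set[str]] = None) -> Set[str]:
    """Resolve the actions a role grants on db.collection, following inherited roles.

    The `seen` set guards against cycles in role inheritance.
    """
    seen = set() if seen is None else seen
    if role_id in seen or role_id not in catalogue:
        return set()
    seen.add(role_id)
    role = catalogue[role_id]
    actions: Set[str] = set()
    for priv in role.get("privileges", []):
        if resource_matches(priv["resource"], db, collection):
            actions.update(priv["actions"])
    for parent in role.get("roles", []):
        parent_id = "{}.{}".format(parent["db"], parent["role"])
        actions |= granted_actions(parent_id, db, collection, catalogue, seen)
    return actions


def collection_creation_paths(role_id: str, db: str, collection: str,
                              catalogue: Dict[str, dict]) -> List[str]:
    """List the ways role_id could bring db.collection into existence."""
    actions = granted_actions(role_id, db, collection, catalogue)
    paths: List[str] = []
    if "createCollection" in actions:
        paths.append("explicit: createCollection action granted")
    if "insert" in actions:
        # Both behaviours are the ones reported against 2.6.3 in this ticket.
        paths.append("implicit: insert creates a missing collection on first write")
        paths.append("explicit: db.createCollection() succeeded with insert only (SERVER-15181)")
    return paths


def audit(catalogue: Dict[str, dict], db: str) -> Dict[str, List[str]]:
    """Map every role to its creation paths for an arbitrary new collection in db."""
    return {rid: collection_creation_paths(rid, db, PROBE_COLLECTION, catalogue)
            for rid in catalogue}


if __name__ == "__main__":
    for rid, paths in audit(ROLES, "test").items():
        print(rid, "->", paths or "cannot create new collections")
```

The audit treats any role that reaches "insert" on a db-wide resource as able to create collections, which is the practical consequence of the behaviour reported above; a role whose "insert" is scoped to a single named collection (like the hypothetical eventWriter) can at most create that one collection, and the probe name shows the difference.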

            Assignee: ramon.fernandez@mongodb.com Ramon Fernandez Marina
            Reporter: victor.hooi Victor Hooi
            Votes: 0
            Watchers: 9