- Type: Bug
- Resolution: Duplicate
- Priority: Major - P3
- None
- Affects Version/s: 3.0.5
- Component/s: Security
- None
- ALL
- Security A 10/09/15
It seems that there is a permission issue on db.system.users.getIndexes() in 3.0. In 2.6, this seems to be working fine. Following are the steps that I used to replicate this issue:
- Install MongoDB 2.4 (Since users were stored in <database>.system.users collection in 2.4).
- Create user with readWrite and dbOwner role.
    db.addUser( { user: "user", pwd: "user", roles: ["readWrite","dbOwner"] } )

    ankit(mongod-2.4.14) test> db.system.users.find()
    {
      "_id": ObjectId("55fb9dc4ab757ec03e77562d"),
      "user": "user",
      "pwd": "fa26a506aa0f786a447bbd6d1caaa8b5",
      "roles": [ "readWrite", "dbOwner" ]
    }
- Start MongoDB and execute the following queries:

    ankit:log-11213 ankit$ mongo
    MongoDB shell version: 2.4.14
    connecting to: test
    Mongo-Hacker 0.0.8
    > db.auth("user","user")
    1
    > show collections
    system.indexes → 0.000MB / 0.004MB
    system.users → NaNMB / NaNMB
    > db.system.users.getIndexes()
    [
      { "v": 1, "name": "_id_", "key": { "_id": 1 }, "ns": "test.system.users" },
      { "v": 1, "name": "user_1_userSource_1", "key": { "user": 1, "userSource": 1 }, "unique": true, "ns": "test.system.users" }
    ]
- Upgrade to 2.6 (note that it requires an authorization schema upgrade). Users will be copied to the admin.system.users collection, but the <database>.system.users collection still remains in the database in question.
- Connect via the mongo client and execute the following query:

    connecting to: test
    Mongo-Hacker 0.0.8
    > db.auth("user","user")
    1
    > show collections
    system.indexes → 0.000MB / 0.004MB
    system.users → NaNMB / NaNMB
    > db.system.users.getIndexes()
    [
      { "v": 1, "name": "_id_", "key": { "_id": 1 }, "ns": "test.system.users" },
      { "v": 1, "name": "user_1_userSource_1", "key": { "user": 1, "userSource": 1 }, "unique": true, "ns": "test.system.users" }
    ]
- Upgrade to 3.0.5, connect via mongo and execute the following command:

    ankit:log-11213 ankit$ mongo
    MongoDB shell version: 3.0.5
    connecting to: test
    > db.auth("user","user")
    1
    > db.system.users.getIndexes()
    2015-09-18T11:01:15.116+0530 E QUERY Error: listIndexes failed: { "ok": 0, "errmsg": "not authorized on test to execute command { listIndexes: \"system.users\" }", "code": 13 }
        at Error (<anonymous>)
        at DBCollection._getIndexesCommand (src/mongo/shell/collection.js:1019:15)
        at DBCollection.getIndexes (src/mongo/shell/collection.js:1026:20)
        at (shell):1:17 at src/mongo/shell/collection.js:1019
Notice the permission issue coming in 3.0.5 while it was working fine in 2.6.
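
For triaging a `not authorized` (code 13) response like the one in the last step, this added example (not from the ticket or from MongoDB's code) checks a list of privilege documents against the namespace named in the error. The function names and the sample privileges are assumptions constructed for illustration; resource matching follows MongoDB's documented rule that an empty `collection` covers only non-system collections.

```javascript
// Added example: evaluate MongoDB privilege documents against one namespace.

// A collection is a system collection when its name starts with "system.".
function isSystemCollection(coll) {
  return coll.startsWith("system.");
}

// Does a privilege's resource document cover db.coll?
function resourceMatches(resource, db, coll) {
  if (resource.anyResource === true) return true; // matches every resource
  if (resource.cluster === true) return false;    // cluster-level, never a collection
  if (typeof resource.db !== "string" || typeof resource.collection !== "string") return false;
  if (resource.db !== "" && resource.db !== db) return false; // "" means any database
  // An empty collection string means "all non-system collections";
  // system collections have to be named explicitly.
  if (resource.collection === "") return !isSystemCollection(coll);
  return resource.collection === coll;
}

// Return the privileges that grant `action` on db.coll (empty array = not granted).
function grantsFor(privileges, action, db, coll) {
  return privileges.filter(
    (p) => resourceMatches(p.resource, db, coll) && p.actions.includes(action)
  );
}

// Pull db, command and target collection out of an errmsg like the one in the report.
function parseDenied(errmsg) {
  const m = /^not authorized on (\S+) to execute command \{ (\w+): "([^"]*)"/.exec(errmsg);
  return m ? { db: m[1], command: m[2], target: m[3] } : null;
}

// Constructed sample privileges (not a dump of any built-in role).
const samplePrivileges = [
  { resource: { db: "test", collection: "" }, actions: ["find", "insert", "listIndexes"] },
  { resource: { db: "test", collection: "system.indexes" }, actions: ["find"] },
];

// errmsg taken from the 3.0.5 shell output above.
const denied = parseDenied('not authorized on test to execute command { listIndexes: "system.users" }');
// For listIndexes the required action has the same name as the command;
// that is not true of every command.
const grants = grantsFor(samplePrivileges, denied.command, denied.db, denied.target);
console.log(denied, "matching privileges:", grants.length);
```

If the list is empty, the denial is consistent with the privileges supplied; if it is not, the error is worth investigating as a server-side issue.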
- duplicates: SERVER-20460 listIndexes on 3.0 mongos with 2.6 mongods returns erroneous "not authorized" (Closed)
- is related to: SERVER-20460 listIndexes on 3.0 mongos with 2.6 mongods returns erroneous "not authorized" (Closed)