Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Duplicate
Priority: Major - P3
Fix Version/s: None
Affects Version/s: 3.0.5
Component/s: Security
Labels:
None

Operating System:
ALL
Sprint:
Security A 10/09/15

It seems that there is a permission issue on db.system.users.getIndexes() in 3.0. In 2.6, this seems to be working fine. Following are the steps that I used to replicate this issue:

Install MongoDB 2.4 (Since users were stored in <database>.system.users collection in 2.4).

Create user with readWrite and dbOwner role.

db.addUser( { user: "user", pwd: "user", roles: ["readWrite","dbOwner"] } )
ankit(mongod-2.4.14) test> db.system.users.find()
{
  "_id": ObjectId("55fb9dc4ab757ec03e77562d"),
  "user": "user",
  "pwd": "fa26a506aa0f786a447bbd6d1caaa8b5",
  "roles": [
    "readWrite",
    "dbOwner"
  ]
}

Start MongoDB and execute following queries:

ankit:log-11213 ankit$ mongo
MongoDB shell version: 2.4.14
connecting to: test
Mongo-Hacker 0.0.8
> db.auth("user","user")
1
> show collections
system.indexes → 0.000MB / 0.004MB
system.users   →   NaNMB /   NaNMB
> db.system.users.getIndexes()
[
  {
    "v": 1,
    "name": "_id_",
    "key": {
      "_id": 1
    },
    "ns": "test.system.users"
  },
  {
    "v": 1,
    "name": "user_1_userSource_1",
    "key": {
      "user": 1,
      "userSource": 1
    },
    "unique": true,
    "ns": "test.system.users"
  }
]

Upgrade to 2.6 (Note that it requires authorization schema upgrade). Users will be copied to admin.system.users collection. But <database.system.users> collection still remains in the database in question.

Connect via mongo client and execute following query:

connecting to: test
Mongo-Hacker 0.0.8
> db.auth("user","user")
1
> show collections
system.indexes → 0.000MB / 0.004MB
system.users   →   NaNMB /   NaNMB
> db.system.users.getIndexes()
[
  {
    "v": 1,
    "name": "_id_",
    "key": {
      "_id": 1
    },
    "ns": "test.system.users"
  },
  {
    "v": 1,
    "name": "user_1_userSource_1",
    "key": {
      "user": 1,
      "userSource": 1
    },
    "unique": true,
    "ns": "test.system.users"
  }
]

Upgrade to 3.0.5, connect via mongo and execute following command:

ankit:log-11213 ankit$ mongo
MongoDB shell version: 3.0.5
connecting to: test
> db.auth("user","user")
1
> db.system.users.getIndexes()
2015-09-18T11:01:15.116+0530 E QUERY    Error: listIndexes failed: {
  "ok": 0,
  "errmsg": "not authorized on test to execute command { listIndexes: \"system.users\" }",
  "code": 13
}
    at Error (<anonymous>)
    at DBCollection._getIndexesCommand (src/mongo/shell/collection.js:1019:15)
    at DBCollection.getIndexes (src/mongo/shell/collection.js:1026:20)
    at (shell):1:17 at src/mongo/shell/collection.js:1019

Notice the permission issue coming in 3.0.5 while it was working fine in 2.6.

duplicates

SERVER-20460 listIndexes on 3.0 mongos with 2.6 mongods returns erroneous "not authorized"

Closed

is related to

SERVER-20460 listIndexes on 3.0 mongos with 2.6 mongods returns erroneous "not authorized"

Closed

Assignee:: Andreas Nilsson

Reporter:: Ankit Kakkar

Participants:: Andreas Nilsson, Ankit Kakkar

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: Sep 18 2015 07:38:40 AM UTC

Updated:: Sep 30 2015 09:42:31 PM UTC

Resolved:: Sep 30 2015 09:42:31 PM UTC

Details

Description

Attachments

Issue Links

Activity

People

Dates