Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-20482

Change of behaviour in db.system.users.getIndexes() b/w 2.6 and 3.0

    • Type: Icon: Bug Bug
    • Resolution: Duplicate
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Affects Version/s: 3.0.5
    • Component/s: Security
    • None
    • ALL
    • Security A 10/09/15

      It seems that there is a permission issue on db.system.users.getIndexes() in 3.0. In 2.6, this seems to be working fine. Following are the steps that I used to replicate this issue:

      1. Install MongoDB 2.4 (Since users were stored in <database>.system.users collection in 2.4).
      2. Create user with readWrite and dbOwner role.
        db.addUser( { user: "user", pwd: "user", roles: ["readWrite","dbOwner"] } )
        ankit(mongod-2.4.14) test> db.system.users.find()
        {
          "_id": ObjectId("55fb9dc4ab757ec03e77562d"),
          "user": "user",
          "pwd": "fa26a506aa0f786a447bbd6d1caaa8b5",
          "roles": [
            "readWrite",
            "dbOwner"
          ]
        }
        
      3. Start MongoDB and execute following queries:
        ankit:log-11213 ankit$ mongo
        MongoDB shell version: 2.4.14
        connecting to: test
        Mongo-Hacker 0.0.8
        > db.auth("user","user")
        1
        > show collections
        system.indexes → 0.000MB / 0.004MB
        system.users   →   NaNMB /   NaNMB
        > db.system.users.getIndexes()
        [
          {
            "v": 1,
            "name": "_id_",
            "key": {
              "_id": 1
            },
            "ns": "test.system.users"
          },
          {
            "v": 1,
            "name": "user_1_userSource_1",
            "key": {
              "user": 1,
              "userSource": 1
            },
            "unique": true,
            "ns": "test.system.users"
          }
        ]
        
      4. Upgrade to 2.6 (Note that it requires authorization schema upgrade). Users will be copied to admin.system.users collection. But <database.system.users> collection still remains in the database in question.
      5. Connect via mongo client and execute following query:
        connecting to: test
        Mongo-Hacker 0.0.8
        > db.auth("user","user")
        1
        > show collections
        system.indexes → 0.000MB / 0.004MB
        system.users   →   NaNMB /   NaNMB
        > db.system.users.getIndexes()
        [
          {
            "v": 1,
            "name": "_id_",
            "key": {
              "_id": 1
            },
            "ns": "test.system.users"
          },
          {
            "v": 1,
            "name": "user_1_userSource_1",
            "key": {
              "user": 1,
              "userSource": 1
            },
            "unique": true,
            "ns": "test.system.users"
          }
        ]
        
      6. Upgrade to 3.0.5, connect via mongo and execute following command:
        ankit:log-11213 ankit$ mongo
        MongoDB shell version: 3.0.5
        connecting to: test
        > db.auth("user","user")
        1
        > db.system.users.getIndexes()
        2015-09-18T11:01:15.116+0530 E QUERY    Error: listIndexes failed: {
          "ok": 0,
          "errmsg": "not authorized on test to execute command { listIndexes: \"system.users\" }",
          "code": 13
        }
            at Error (<anonymous>)
            at DBCollection._getIndexesCommand (src/mongo/shell/collection.js:1019:15)
            at DBCollection.getIndexes (src/mongo/shell/collection.js:1026:20)
            at (shell):1:17 at src/mongo/shell/collection.js:1019
        

      Notice the permission issue coming in 3.0.5 while it was working fine in 2.6.

            Assignee:
            andreas.nilsson Andreas Nilsson
            Reporter:
            ankit.kakkar@mongodb.com Ankit Kakkar
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Created:
              Updated:
              Resolved: