SERVER-27554 (Core Server)

Authorization error when using the find() method on the system.views collection

    • Type: Bug
    • Resolution: Works as Designed
    • Priority: Minor - P4
    • Affects Version/s: 3.4.1
    • Component/s: Security
    • Query
    • ALL
      1. Unzip the attached dump.zip file and run mongorestore on a mongod process with no access control enabled to restore the deviceInfo database, its collections, and view.
      2. Switch to the deviceInfo database.
      3. Execute db.system.views.find() to see the view metadata.
      4. Enable authentication/authorization (SCRAM-SHA-1) with username/password and assign the user to { role: "root", db: "admin" }
      5. Restart the mongod process with access controls enabled and provide username/password.
      6. Switch to the deviceInfo database.
      7. Execute db.system.views.find() to receive the error message detailed in the description above.

      When access control is not enabled, I am able to execute a db.system.views.find() command and get back the metadata about any view(s) that have been created for that database.

      db.system.views.findOne()
      {
      	"_id" : "deviceInfo.userDevices",
      	"viewOn" : "users",
      	"pipeline" : [
      		{
      			"$lookup" : {
      				"from" : "devices",
      				"localField" : "userID",
      				"foreignField" : "userID",
      				"as" : "devices"
      			}
      		},
      		{
      			"$project" : {
      				"_id" : 0,
      				"userID" : 1,
      				"userName" : 1,
      				"devices.deviceID" : 1,
      				"devices.deviceName" : 1
      			}
      		}
      	]
      }
      

      When access control has been enabled using SCRAM-SHA1 username/password and a role of root, I get an auth error when issuing the same db.system.views.find() command.

      db.system.views.find()
      Error: error: {
      	"ok" : 0,
      	"errmsg" : "not authorized on deviceInfo to execute command { find: \"system.views\", filter: {} }",
      	"code" : 13,
      	"codeName" : "Unauthorized"
      }
      

      My understanding is that the root role provides full privileges on all resources, so I would assume that I should be able to execute a find() against the system.views collection in the same way I did when security was not enabled.
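As an added example (not the reporter's code and not part of MongoDB), the mongo shell helpers below read view definitions through listCollections, which the read roles that root inherits are assumed to authorize, and build a createRole document that grants find on system.views alone rather than widening an account further; the role name and the sample listCollections output are constructed.

```javascript
// Added example for the legacy mongo shell (plain JS, so it also loads under Node).
// Read view definitions via listCollections instead of querying system.views directly;
// the resulting documents carry the same viewOn/pipeline metadata shown in the report.
function viewDefinitions(database) {
  return database.getCollectionInfos()
    .filter(function (c) { return c.type === "view"; })
    .map(function (c) {
      return { name: c.name, viewOn: c.options.viewOn, pipeline: c.options.pipeline };
    });
}

// Least-privilege alternative: a role whose only privilege is "find" on <dbName>.system.views.
// The resource names the system collection explicitly, because the wildcard resource used by
// the built-in readWrite roles is assumed not to cover system.* collections.
function systemViewsRoleSpec(dbName, roleName) {
  return {
    role: roleName,
    privileges: [
      { resource: { db: dbName, collection: "system.views" }, actions: ["find"] }
    ],
    roles: []
  };
}

// Constructed stand-in for db.getCollectionInfos() on deviceInfo: one ordinary collection
// plus the userDevices view from the report.
var SAMPLE_DEVICE_INFO_DB = {
  getCollectionInfos: function () {
    return [
      { name: "users", type: "collection", options: {}, info: { readOnly: false } },
      {
        name: "userDevices",
        type: "view",
        options: {
          viewOn: "users",
          pipeline: [
            { $lookup: { from: "devices", localField: "userID", foreignField: "userID", as: "devices" } },
            { $project: { _id: 0, userID: 1, userName: 1, "devices.deviceID": 1, "devices.deviceName": 1 } }
          ]
        },
        info: { readOnly: true }
      }
    ];
  }
};

// Against a live server: viewDefinitions(db.getSiblingDB("deviceInfo")) and
// db.getSiblingDB("admin").createRole(systemViewsRoleSpec("deviceInfo", "viewMetaReader")).
var sampleViews = viewDefinitions(SAMPLE_DEVICE_INFO_DB);
```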

            Assignee: backlog-server-query Backlog - Query Team (Inactive)
            Reporter: jason.swartzbaugh Jason Swartzbaugh
            Votes: 0
            Watchers: 6