Type: Task
Resolution: Works as Designed
Priority: Major - P3
Affects Version/s: 3.6.2
Component/s: Security
Environment: MongoDB 3.6.2, possibly 3.6.0+
The getRoles command (and db.getRoles()) does not return any authenticationRestrictions associated with configured roles.
Steps to reproduce:
1. Create new user, specifying authenticationRestrictions document with both clientSource and serverAddress
2. Run db.getRoles - output does not include authentication restrictions associated with the role.
Originally reported by user in the community slack channel.
As far as I can tell there doesn't seem to be a way to check the configured authenticationRestrictions (if any) for a given role.
Example:
db.createRole(
  {
    role: "myClusterwideAdmin",
    privileges: [
      { resource: { cluster: true }, actions: [ "addShard" ] },
      { resource: { db: "config", collection: "" }, actions: [ "find", "update", "insert", "remove" ] },
      { resource: { db: "users", collection: "usersCollection" }, actions: [ "update", "insert", "remove" ] },
      { resource: { db: "", collection: "" }, actions: [ "find" ] }
    ],
    roles: [
      { role: "read", db: "admin" }
    ],
    authenticationRestrictions: [ {
      clientSource: ["192.168.0.100"],
      serverAddress: ["192.168.1.100"]
    } ]
  }
)

db.getRoles()
[
  {
    "role" : "myClusterwideAdmin",
    "db" : "admin",
    "isBuiltin" : false,
    "roles" : [ { "role" : "read", "db" : "admin" } ],
    "inheritedRoles" : [ { "role" : "read", "db" : "admin" } ]
  }
]
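An added example, not part of the ticket or of MongoDB's code: the rolesInfo command accepts a showAuthenticationRestrictions option, and the functions below audit that command's output for user-defined roles with no restriction at all. The sample documents are constructed, their field layout (authenticationRestrictions, inheritedAuthenticationRestrictions) is an assumption to verify against your server version, and reportingReader is a hypothetical role.

```javascript
// On a live server the input would come from (mongo shell):
//   db.getSiblingDB("admin").runCommand(
//     { rolesInfo: 1, showAuthenticationRestrictions: true }).roles
// Constructed sample; field layout is an assumption modelled on the ticket's role.
const sampleRoles = [
  {
    role: "myClusterwideAdmin", db: "admin", isBuiltin: false,
    roles: [{ role: "read", db: "admin" }],
    authenticationRestrictions: [
      { clientSource: ["192.168.0.100"], serverAddress: ["192.168.1.100"] }
    ],
    inheritedAuthenticationRestrictions: []
  },
  // Hypothetical role created without any restriction document.
  { role: "reportingReader", db: "admin", isBuiltin: false, roles: [] }
];

// Gather direct and inherited restriction documents.
// Missing fields and nested arrays are tolerated.
function collectRestrictions(roleDoc) {
  const direct = roleDoc.authenticationRestrictions || [];
  const inherited = roleDoc.inheritedAuthenticationRestrictions || [];
  return [...direct, ...inherited]
    .flat(Infinity)
    .filter(r => r && typeof r === "object");
}

// One summary row per user-defined role. `restricted` is false when
// neither clientSource nor serverAddress limits use of the role.
function auditRoleRestrictions(roles) {
  return roles.filter(r => !r.isBuiltin).map(r => {
    const found = collectRestrictions(r);
    return {
      role: `${r.db}.${r.role}`,
      restricted: found.length > 0,
      clientSource: [...new Set(found.flatMap(x => x.clientSource || []))],
      serverAddress: [...new Set(found.flatMap(x => x.serverAddress || []))]
    };
  });
}

// Names of user-defined roles that carry no restriction, for review.
function unrestrictedRoles(roles) {
  return auditRoleRestrictions(roles).filter(r => !r.restricted).map(r => r.role);
}

console.log(JSON.stringify(auditRoleRestrictions(sampleRoles), null, 2));
```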