Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-51859

rolesInfo command returns a result without `inheritedPrivileges` and `isBuiltin` fields for mongo version 4.9+

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Blocker - P1 Blocker - P1
    • 4.9.0
    • Affects Version/s: 4.9 Required
    • Component/s: Security
    • None
    • Minor Change
    • ALL
    • Security 2020-11-16

      This ticket is related to https://jira.mongodb.org/browse/SERVER-51651.

      We are going to run atlas proxy with mongodb 4.9+ version in the future. While trying to run the test harness with a new mongod in dev, I found a breaking change.

      We depend on the `rolesInfo` command to load the roles we are interested in. With the current command params, 4.9 doesn’t populate `inheritedPrivileges` which we use and doesn’t include the `isBuiltin` field.

      Binaries we were using for testing:
      Enterprise MacOS: https://mciuploads.s3.amazonaws.com/mongodb-mongo-master/enterprise-macos/d7da6ab29e45b3ab22652e12bb524d966511ebf8/binaries/mongo-mongodb_mongo_master_enterprise_macos_d7da6ab29e45b3ab22652e12bb524d966511ebf8_20_10_24_03_38_42.tgz
      Enterprise RHEL 7.0: https://mciuploads.s3.amazonaws.com/mongodb-mongo-master/enterprise-rhel-70-64-bit/d7da6ab29e45b3ab22652e12bb524d966511ebf8/binaries/mongo-mongodb_mongo_master_enterprise_rhel_70_64_bit_d7da6ab29e45b3ab22652e12bb524d966511ebf8_20_10_24_03_38_42.tgz

      Code to reproduce the bug:

      arr = [];
arr.push({role: "backup", db: "admin"});
arr.push({role: "clusterMonitor", db: "admin"});
arr.push({role: "dbAdmin", db: "admin"});
arr.push({role: "dbAdminAnyDatabase", db: "admin"});
arr.push({role: "enableSharding", db: "admin"});
arr.push({role: "read", db: "admin"});
arr.push({role: "readAnyDatabase", db: "admin"});
arr.push({role: "readWrite", db: "admin"});
arr.push({role: "readWriteAnyDatabase", db: "admin"});
arr.push({role: "readWrite", db: "eliot1-test"});
arr.push({role: "dbAdmin", db: "eliot1-test"});
arr.push({role: "read", db: "eliot1-test2"});
arr.push({role: "dbAdmin", db: "eliot1-test2"});
arr.push({role: "readWrite", db: "eliot1-timTest"});
arr.push({role: "readWrite", db: "no-limits-test"});
arr.push({role: "dbAdmin", db: "no-limits-test"});
arr.push({role: "read", db: "no-limits-test2"});
arr.push({role: "dbAdmin", db: "no-limits-test2"});
arr.push({role: "readWrite", db: "no-limits-timTest"});
res = db.adminCommand({rolesInfo: arr, showBuiltinRoles: 1, showPrivileges: 1})
printjson(res)

      The output for 4.4 and 4.9+ is attached in the comments for comparison.  

       

        1. 44.json
          42 kB
        2. 49.json
          23 kB

            Assignee:
            sara.golemon@mongodb.com Sara Golemon
            Reporter:
            tanay.abhra@mongodb.com Tanay Abhra
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: