Core Server / SERVER-60907

createUser command silently ignores invalid options in role object

    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Major - P3
    • Affects Version/s: None
    • Component/s: None
    • Server Security

      Tested on 4.4.10 and 5.0.3, same behavior. Invalid options inside a role object are silently ignored. There should be an error.

      Steps to Reproduce

      The invalid option "blahblah" is silently ignored. It is not just the shell helper; the createUser database command has the same behavior when invoked directly.

      Enterprise test> user = { user: "barbarbar", pwd: "foo", roles: [ {role: "readWrite", db: "test", blahblah: "foobar"}  ] }
      {
        user: 'barbarbar',
        pwd: 'foo',
        roles: [ { role: 'readWrite', db: 'test', blahblah: 'foobar' } ]
      }
      Enterprise test> db.createUser(user)
      { ok: 1 }
      Enterprise test> db.getUsers()
      {
        users: [
          {
            _id: 'test.barbarbar',
            userId: UUID("ed815425-c913-4aba-99f2-692b2adf322e"),
            user: 'barbarbar',
            db: 'test',
            roles: [ { role: 'readWrite', db: 'test' } ],
            mechanisms: [ 'SCRAM-SHA-1', 'SCRAM-SHA-256' ]
          }
        ],
        ok: 1
      }
      Enterprise test> db.runCommand( { createUser: "barfoobar", pwd: "foo", roles: user.roles  }  )
      { ok: 1 }
      Enterprise test> db.getUsers()
      {
        users: [
          {
            _id: 'test.barbarbar',
            userId: UUID("ed815425-c913-4aba-99f2-692b2adf322e"),
            user: 'barbarbar',
            db: 'test',
            roles: [ { role: 'readWrite', db: 'test' } ],
            mechanisms: [ 'SCRAM-SHA-1', 'SCRAM-SHA-256' ]
          },
          {
            _id: 'test.barfoobar',
            userId: UUID("b418efd2-424c-4c84-92c9-5948591fdff0"),
            user: 'barfoobar',
            db: 'test',
            roles: [ { role: 'readWrite', db: 'test' } ],
            mechanisms: [ 'SCRAM-SHA-1', 'SCRAM-SHA-256' ]
          }
        ],
        ok: 1
      }
      Enterprise test> 
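Until the server rejects such input, a client-side guard can surface the stray field instead of letting it vanish. The following is an added example, not code from this ticket or from MongoDB itself; it assumes only the documented role-entry shape (a role-name string, or an object with exactly the string keys `role` and `db`), and the helper names `validateRoles` and `createUserStrict` are made up for the illustration. Other createUser options are passed through untouched.

```javascript
// Added example: strict client-side check of the `roles` array handed to createUser.
// Assumption (documented shape): each entry is either a role-name string or an object
// with exactly the keys `role` and `db`, both non-empty strings. Anything else is
// reported rather than dropped, which is what the ticket shows the server doing.
const ROLE_OBJECT_KEYS = new Set(["role", "db"]);

function validateRoles(roles) {
  const errors = [];
  if (!Array.isArray(roles)) {
    return ["roles must be an array"];
  }
  roles.forEach((entry, i) => {
    if (typeof entry === "string") {
      if (entry.length === 0) errors.push(`roles[${i}]: empty role name`);
      return;
    }
    if (entry === null || typeof entry !== "object" || Array.isArray(entry)) {
      errors.push(`roles[${i}]: must be a string or a { role, db } object`);
      return;
    }
    for (const key of ["role", "db"]) {
      if (typeof entry[key] !== "string" || entry[key].length === 0) {
        errors.push(`roles[${i}]: missing or non-string '${key}'`);
      }
    }
    // This is the check the server skips: any key beyond role/db is an error here.
    const unknown = Object.keys(entry).filter((k) => !ROLE_OBJECT_KEYS.has(k));
    if (unknown.length > 0) {
      errors.push(`roles[${i}]: unknown field(s) ${unknown.map((k) => `'${k}'`).join(", ")}`);
    }
  });
  return errors;
}

// Wrapper that refuses to send the command when part of the spec would be lost.
// `createUserFn` is whatever actually issues createUser, e.g. (spec) => db.createUser(spec)
// in mongosh; it is injected so this file runs offline.
function createUserStrict(createUserFn, spec) {
  const errors = validateRoles(spec.roles);
  if (errors.length > 0) {
    throw new Error(`createUser rejected: ${errors.join("; ")}`);
  }
  return createUserFn(spec);
}

// Constructed inputs: the first mirrors the ticket's reproduction, the second is clean.
const ticketSpec = {
  user: "barbarbar",
  pwd: "foo",
  roles: [{ role: "readWrite", db: "test", blahblah: "foobar" }],
};

const validSpec = {
  user: "barbarbar",
  pwd: "foo",
  roles: [{ role: "readWrite", db: "test" }, "read"],
};

if (typeof require !== "undefined" && require.main === module) {
  const fakeCreateUser = () => ({ ok: 1 }); // stand-in for db.createUser
  console.log(validateRoles(ticketSpec.roles));
  try {
    createUserStrict(fakeCreateUser, ticketSpec);
  } catch (e) {
    console.log(e.message);
  }
  console.log(createUserStrict(fakeCreateUser, validSpec));
}
```

Run with `node` to see the ticket's role object rejected with the offending key named, while the clean spec goes through. In mongosh the same guard is used by passing `(spec) => db.createUser(spec)` as `createUserFn`.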

Assignee: backlog-server-security [DO NOT USE] Backlog - Security Team
Reporter: spencer.brown@mongodb.com Spencer Brown
Votes: 0
Watchers: 2