Core Server: SERVER-94657

The restore role should allow dropping system.views in any database

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • 8.1.0-rc0
    • Affects Version/s: 7.0.5
    • Component/s: None
    • None
    • Server Security
    • Minor Change
    • ALL
    • v8.0, v7.0

      Follow these steps to create a user with the restore role. Then start a 6.0+ mongod with auth like this:

      mongod --port 33333 --dbpath ./testdir --auth 

      And connect to the mongod:

      mongosh --port 33333 -u "user" -p "password" --authenticationDatabase "admin" 

      Trying to drop system.views for a non-admin database will fail:

      > show collections
      testColl
      testView          [view]
      system.views
      
      > db.runCommand( { drop: "system.views" } )
      MongoServerError[Unauthorized]: not authorized on test to execute command { drop: "system.views", lsid: { id: UUID("27b1a92b-6389-4057-ada0-63e4120bc67e") }, $db: "test" }
    • Security 2024-09-16

      SERVER-77827 allowed the restore role to drop system.views, but it did so by specifying matchType: exact_namespace. This will realistically only allow dropping admin.system.views, which isn't useful.

      The restore role should instead allow dropping system.views in any database. This is relied on by mongosync, so it only needs to be addressed for 6.0 and 7.0.
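      To make the privilege mismatch described above concrete, here is an added example (not MongoDB's or mongosync's own code): a small simulation of how a privilege document's resource pattern decides whether dropCollection on <db>.system.views is authorized. It uses the user-facing privilege shape returned by db.getRole(name, { showPrivileges: true }), where db: "" means any database; the two privilege arrays are constructed for illustration and are not the real restore role's full privilege list.

```javascript
// Added example, not MongoDB's own authorization code. Simulates resource
// matching for privileges in the shape returned by
// db.getRole(name, { showPrivileges: true }).

// Does a privilege's resource pattern cover namespace "<db>.<coll>"?
// MongoDB semantics: db "" matches any database, collection "" matches any
// collection; the "cluster" resource never matches a namespace.
function resourceMatches(resource, db, coll) {
  if (resource.cluster) return false;
  const dbOk = resource.db === "" || resource.db === db;
  const collOk = resource.collection === "" || resource.collection === coll;
  return dbOk && collOk;
}

// True if at least one privilege grants `action` on the namespace.
function isAuthorized(privileges, db, coll, action) {
  return privileges.some(
    (p) => p.actions.includes(action) && resourceMatches(p.resource, db, coll)
  );
}

// Constructed samples: the privilege as SERVER-77827 effectively granted it
// (exact namespace admin.system.views only) versus the intended grant
// (system.views in any database, expressed with db: "").
const exactAdminOnly = [
  { resource: { db: "admin", collection: "system.views" }, actions: ["dropCollection"] },
];
const anyDatabase = [
  { resource: { db: "", collection: "system.views" }, actions: ["dropCollection"] },
];

// The scenario from the ticket: db.runCommand({ drop: "system.views" }) on "test",
// which requires the dropCollection action on test.system.views.
function reproduceTicket() {
  return {
    beforeFix: isAuthorized(exactAdminOnly, "test", "system.views", "dropCollection"), // false
    afterFix: isAuthorized(anyDatabase, "test", "system.views", "dropCollection"),     // true
    adminStillOk: isAuthorized(anyDatabase, "admin", "system.views", "dropCollection"), // true
  };
}

// To check a live deployment instead of the constructed sample, run in mongosh:
//   db.getSiblingDB("admin").getRole("restore", { showPrivileges: true }).privileges
// and pass the returned array to isAuthorized().
console.log(reproduceTicket());
```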

            Assignee:
            sara.golemon@mongodb.com Sara Golemon
            Reporter:
            evgeni.dobranov@mongodb.com Evgeni Dobranov
            Votes:
            0
            Watchers:
            4