
MongoDB cluster: can query on normal collections, but not on system.users

I use keyFile to authenticate my MongoDB cluster system. I already have an administrator role against the admin db:

So, at first I log in with authentication:

mongo localhost:40000/admin -u root -p 123456
mongos> use admin
switched to db admin
mongos> db.system.users.find()
{ "_id" : ObjectId("52dcb305398751501c530378"), "user" : "root", "pwd" : "a02786431d8419bbebee7aa4dad6aee9", "roles" : [  "clusterAdmin",  "userAdmin",  "readWriteAnyDatabase",  "dbAdmin",  "read" ] }

After I log in with such a role, I can do anything (including query, delete, modify and so on) on admin and any other normal database, except for the addUser operation!

For example, for a normal database, genbank, I tried to add a user:

mongos> use genbank
switched to db genbank
mongos> db.addUser({user:"genbankReader",pwd:"123456",roles:["read"]})
{
        "user" : "genbankReader",
        "pwd" : "6f755264f6d28045198f6ae53523005e",
        "roles" : [
                "read"
        ],
        "_id" : ObjectId("52dcb8495ec4b673f09b66eb")
}
Mon Jan 20 13:46:49.007 couldn't add user: not authorized for insert on genbank.system.users at src/mongo/shell/db.js:128

But for the database admin, I can do addUser() as I want:

mongos> use admin
switched to db admin
mongos> db.addUser({user:"adminReader",pwd:"123456",roles:["read"]})
{
        "user" : "adminReader",
        "pwd" : "60c67cf3181b8b8570583ddfb62dd32e",
        "roles" : [
                "read"
        ],
        "_id" : ObjectId("52dcb8b25ec4b673f09b66ec")
}

It is really strange!

After I change the root roles from

[  "clusterAdmin",  "userAdmin",  "readWriteAnyDatabase",  "dbAdmin",  "read" ]

to

[ "clusterAdmin", "userAdminAnyDatabase",  "dbAdminAnyDatabase", "readWriteAnyDatabase" ]

, the problem is solved!

It seems that the problem comes from the role type "userAdmin". From the MongoDB docs, the userAdmin role against the admin db is the same as userAdminAnyDatabase:

Note: The userAdmin role is a database-specific privilege, and only grants a user the ability to administer users on a single database. However, for the admin database, userAdmin **allows a user the ability to gain userAdminAnyDatabase**. Thus, for the admin database only, these roles are effectively the same.

So, the role type userAdmin against the database admin doesn't directly provide us the ability to administer users on other dbs, but a user with this role can create another role, 'userAdminAnyDatabase', and only under that role can a user administer other dbs' users.
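The distinction the post ends on is worth checking mechanically during an account review: a user holding userAdmin on admin cannot run addUser() on other databases directly, yet its effective reach is every database because it can grant itself userAdminAnyDatabase. The following is an added example, not code from the original post or from MongoDB; it audits 2.4-style per-database system.users documents under that rule. It assumes (labelled assumption) an input shape of { db, user, roles }, where db is the database whose system.users collection the document came from (2.4 documents do not carry that field, so the caller adds it, e.g. from db.getName() when exporting); the sample documents are constructed, modelled on the ones shown in the question.

```javascript
// Added example (not from the original post): audit per-database system.users
// documents and distinguish the direct reach of "userAdmin" from its effective
// reach on the admin database. Input shape { db, user, roles } is an assumption.

// Databases a user can run addUser() against directly, with no further grants.
function directUserAdminDbs(userDoc, allDbs) {
  const roles = userDoc.roles || [];
  if (roles.includes("userAdminAnyDatabase")) return [...allDbs];
  // userAdmin is database-specific: it covers only the db the document lives in.
  if (roles.includes("userAdmin")) return allDbs.filter((d) => d === userDoc.db);
  return [];
}

// Databases the user can reach once the documented self-grant is counted:
// userAdmin on admin can grant userAdminAnyDatabase, so for audit purposes
// its reach is every database.
function effectiveUserAdminDbs(userDoc, allDbs) {
  const roles = userDoc.roles || [];
  if (roles.includes("userAdmin") && userDoc.db === "admin") return [...allDbs];
  return directUserAdminDbs(userDoc, allDbs);
}

// One finding per user whose effective reach exceeds the direct one (an
// escalation path to keep in mind when reading the roles array at face value),
// plus a least-privilege note for anyone already holding global user admin.
function auditUsers(users, allDbs) {
  const findings = [];
  for (const u of users) {
    const direct = directUserAdminDbs(u, allDbs);
    const effective = effectiveUserAdminDbs(u, allDbs);
    const name = `${u.db}.${u.user}`;
    if (effective.length > direct.length) {
      findings.push({
        user: name,
        kind: "escalation-path",
        detail: `userAdmin on admin: direct [${direct.join(",")}], effective [${effective.join(",")}]`,
      });
    } else if (allDbs.length > 0 && effective.length === allDbs.length) {
      findings.push({ user: name, kind: "global-user-admin", detail: "holds userAdminAnyDatabase" });
    }
  }
  return findings;
}

// Constructed sample data, modelled on the documents in the question.
const ALL_DBS = ["admin", "genbank"];
const ROOT_BEFORE = {
  db: "admin", user: "root",
  roles: ["clusterAdmin", "userAdmin", "readWriteAnyDatabase", "dbAdmin", "read"],
};
const ROOT_AFTER = {
  db: "admin", user: "root",
  roles: ["clusterAdmin", "userAdminAnyDatabase", "dbAdminAnyDatabase", "readWriteAnyDatabase"],
};
const GENBANK_READER = { db: "genbank", user: "genbankReader", roles: ["read"] };

// Stand-alone run: report on the "before" and "after" role sets side by side.
console.log(JSON.stringify(auditUsers([ROOT_BEFORE, GENBANK_READER], ALL_DBS), null, 2));
console.log(JSON.stringify(auditUsers([ROOT_AFTER, GENBANK_READER], ALL_DBS), null, 2));
```

On a live 2.4 deployment the input would be gathered per database with db.system.users.find().toArray(), tagging each document with db.getName(); the audit then shows the same thing the question observed, namely that root's original roles permit addUser() on admin only, while the corrected roles permit it everywhere, and that an account with userAdmin on admin should be reviewed as if it already held userAdminAnyDatabase.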
