mongodb - 未授权在 mongo 4.2 中对 testdb.system.indexes src/mongo/db/commands/find_cmd.cpp 170 进行查询

Question

我最近从 4.0.2 升级到了 mongo 4.2.0。在以前的版本中，用户可以访问 system.indexes，但升级后，用户无法访问 system.indexes 集合。用户已具有读写角色。此外，我尝试提供 dbAdmin，但仍然没有成功。

为 mongo 启用调试日志后，它显示未授权查询 testdb.system.indexes src/mongo/db/commands/find_cmd.cpp 170。

有人遇到过这个问题吗？

下面是

的输出

{
    "role" : "read",
    "db" : "testdb",
    "isBuiltin" : true,
    "roles" : [ ],
    "inheritedRoles" : [ ],
    "privileges" : [
        {
            "resource" : {
                "db" : "testdb",
                "collection" : ""
            },
            "actions" : [
                "changeStream",
                "collStats",
                "dbHash",
                "dbStats",
                "find",
                "killCursors",
                "listCollections",
                "listIndexes",
                "planCacheRead"
            ]
        },
        {
            "resource" : {
                "db" : "testdb",
                "collection" : "system.js"
            },
            "actions" : [
                "changeStream",
                "collStats",
                "dbHash",
                "dbStats",
                "find",
                "killCursors",
                "listCollections",
                "listIndexes",
                "planCacheRead"
            ]
        }
    ],
    "inheritedPrivileges" : [
        {
            "resource" : {
                "db" : "testdb",
                "collection" : ""
            },
            "actions" : [
                "changeStream",
                "collStats",
                "dbHash",
                "dbStats",
                "find",
                "killCursors",
                "listCollections",
                "listIndexes",
                "planCacheRead"
            ]
        },
        {
            "resource" : {
                "db" : "testdb",
                "collection" : "system.js"
            },
            "actions" : [
                "changeStream",
                "collStats",
                "dbHash",
                "dbStats",
                "find",
                "killCursors",
                "listCollections",
                "listIndexes",
                "planCacheRead"
            ]
        }
    ]
}

Answer 1

我可以通过为 system.indexes 集合创建新角色并将此角色附加到用户来解决此问题。

db.createRole({role : "readWriteSystem", privileges: [{resource: { db: "testdb", collection: "system.indexes" }, actions: [ "changeStream", "collStats", "convertToCapped", "createCollection", "createIndex", "dbHash", "dbStats", "dropCollection", "dropIndex", "emptycapped", "find", "insert", "killCursors", "listCollections", "listIndexes", "planCacheRead", "remove", "renameCollectionSameDB", "update" ]}], roles:[]})
db.grantRolesToUser('testuser', ['readWriteSystem'])

奇怪的是，当您通过替换二进制文件升级 mongo 时会发生此问题。

我尝试安装一个 4.2 mongo 的新实例，然后将数据复制到它，它工作正常。但由于某些技术原因，我无法在生产中执行此操作。

---

尊敬的 Mongo 团队，

我尝试使用 https://docs.mongodb.com/manual/tutorial/upgrade-revision/#upgrade-replace-binaries 升级 mongo ，但遇到了上述问题。我认为 doc 缺少与 system.indexes 访问相关更改

相关的一些细节