eval in a secured database (repro steps)

[Will Chan]

I am having trouble running the eval command when a database is secured. It seems that I can execute commands on the mongo CLI when the database is unsecured, but as soon as I set the --auth flag, it stops working here.

Here are repro steps:

# Start from a new database:

mongod &
mongo
db.eval( function(x) { return x + x; }, 3 );
# This returns 6 as expected

# Create a user with superuser privileges, then shutdown and exit:

use admin
db.createUser(
    {
        user: "devops",
        pwd: "devops",
        roles: [
            { role: "userAdminAnyDatabase", db: "admin" },
            { role: "readAnyDatabase", db: "admin" },
            { role: "dbAdminAnyDatabase", db: "admin" },
            { role: "clusterAdmin", db: "admin" }
        ]
    }
)
db.shutdownServer()
exit

# Restart mongod with authentication turned on:

mongod --auth --setParameter enableLocalhostAuthBypass=0 &

# Log back into mongo CLI, authenticate, and try the eval command:

mongo
use admin
db.auth("devops", "devops")
db.eval( function(x) { return x + x; }, 3 );

# At this point, I see the following error message:

Error: {

"ok" : 0,

"errmsg" : "not authorized on admin to execute command { $eval: function (x) { return x + x; }, args: [ 3.0 ] }",

"code" : 13

}

What am I missing here? Based on the documentation on MongoDB roles, I thought I had already given my user the "superuser" roles, so I am not sure what additional permissions I can grant the "devops" user.

In case it clarifies anything I have said, here is a gist of my full console printout.

My application actually invokes the DB#eval method in the mongo-java-driver, and that results in the same error message.

I appreciate any help anyone can provide. Thanks in advance.

Best Regards,

Will Chan

[Envel Le Hir]

Hi,

To use eval, a user needs a role that grants anyAction on anyResource:
http://docs.mongodb.org/manual/reference/method/db.eval/#access-control
http://docs.mongodb.org/manual/reference/privilege-actions/#authr.anyAction
http://docs.mongodb.org/manual/reference/resource-document/#resource-anyresource

Be aware that eval is deprecated since MongoDB 3.0.

Regards.

--
You received this message because you are subscribed to the Google Groups "mongodb-user"
group.
 
For other MongoDB technical support options, see: http://www.mongodb.org/about/support/.
---
You received this message because you are subscribed to the Google Groups "mongodb-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mongodb-user...@googlegroups.com.
To post to this group, send email to mongod...@googlegroups.com.
Visit this group at http://groups.google.com/group/mongodb-user.
To view this discussion on the web visit https://groups.google.com/d/msgid/mongodb-user/9db5e215-a770-4a43-8105-63fa2539de78%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Will Chan]

Thanks for the reply, Envel.

I was able to create a custom role with a permission:

db.createRole( { role: "myrole", privileges: [ { resource: {anyResource: true}, actions: [ "anyAction" ] } ], roles: [] } )

and then update a user with that role on db: "admin".

Also I followed the instructions on https://github.com/mongodb/mongo-java-driver and filed a JIRA "JAVA-1782" to request that the java driver mark the eval methods as deprecated.

If any Mongo employee is reading this, I would have been happy to submit a pull request myself. In any case, I am still wondering if there will be a post-3.0 alternative to eval, which was useful for touching a lot of data lightly in ways that would make network transfer a potential bottleneck.

Will Chan