With authentication enabled with a replica set, it is still possible to get the replica status from the java driver even when not authenticated.

XMLWordPrintableJSON

    • Type: Bug
    • Resolution: Done
    • Priority: Minor - P4
    • None
    • Affects Version/s: 2.2, 2.4
    • Component/s: Authentication
    • Environment:
      Tested with version 2.4.5 and 2.2.5 in Ubuntu with the java driver 2.11.1.
    • None
    • None
    • None
    • None
    • None
    • None
    • None

      I believe I found a bug after I enabled authentication on my mongodb this day.

      When the server is requiring authentication, it is not possible to view the replica status with rs.status() in the mongo client if you are not authenticated, and I guess this is how it should be.

      However when i tried to view some info of the database with the java driver without authenticating, I get the replica status with no problems. All other commands like client.getDB(dbName) fails since I'm not authenticated. I think this is a security breach?

            Assignee:
            Unassigned
            Reporter:
            Sigurd Lund
            None
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: