  1. Python Driver
  2. PYTHON-458

PyMongo doesn't correctly reauthenticate to non-admin databases when user has read-only access to admin


Details

    • Bug
    • Status: Closed
    • Critical - P2
    • Resolution: Fixed
    • None
    • 2.4.2
    • None
    • None

    Description

      The admin database is unique. Users with normal access to the admin database have read and write access to all databases. Users with read-only access to the admin database have read-only access to all databases.

      PyMongo's mongo_client does this:

              # Once logged into the admin database we can access anything.
              if "admin" in authset:
                  return
       
              if "admin" in self.__auth_credentials:
                  username, password = self.__auth_credentials["admin"]
                  self.__auth(sock_info, 'admin', username, password)
                  authset.add('admin')
              else:
                  for db_name in names - authset:
                      user, pwd = self.__auth_credentials[db_name]
                      self.__auth(sock_info, db_name, user, pwd)
                      authset.add(db_name)

      It seems to make the assumption that auth'ing to the admin database is sufficient. This is incorrect in the case where the user has write access to a single database, and read access to all other databases.

      The code above should probably just be replaced with:

              for db_name in names - authset:
                  user, pwd = self.__auth_credentials[db_name]
                  self.__auth(sock_info, db_name, user, pwd)
                  authset.add(db_name)


            People

              bernie@mongodb.com Bernie Hackett
              jblackburn James Blackburn
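The following is an added example, not part of the original report and not PyMongo code: a toy model of the privilege rule the description states, comparing the quoted short-circuit logic with the proposed per-database loop on a freshly opened socket. `FakeServer`, `Sock`, the user names, and the passwords are constructed for illustration.

```python
READ, WRITE = "read", "write"

class Sock:
    """A fresh pooled socket: nothing authenticated yet."""
    def __init__(self):
        self.logins = {}      # db -> read_only flag of the user logged in there
        self.authset = set()  # databases this socket has authenticated to

class FakeServer:  # constructed stand-in for the server's privilege check
    def __init__(self, users):
        self.users = users    # (db, user) -> (password, read_only)

    def authenticate(self, sock, db, user, pwd):
        stored = self.users.get((db, user))
        if stored is None or stored[0] != pwd:
            raise PermissionError(f"auth failed for {user}@{db}")
        sock.logins[db] = stored[1]

    def allows(self, sock, db, action):
        # An admin login applies to every database; read-only logins never grant writes.
        return any(on in (db, "admin") and (action == READ or not ro)
                   for on, ro in sock.logins.items())

def reauth_short_circuit(server, sock, creds):
    """Same control flow as the snippet quoted in the report."""
    if "admin" in sock.authset:
        return
    if "admin" in creds:
        server.authenticate(sock, "admin", *creds["admin"])
        sock.authset.add("admin")
    else:
        reauth_each(server, sock, creds)

def reauth_each(server, sock, creds):
    """The replacement loop proposed in the report."""
    for db in set(creds) - sock.authset:
        server.authenticate(sock, db, *creds[db])
        sock.authset.add(db)

def privileges_on_new_socket(reauth):
    # Constructed scenario: read-only on admin, read/write on "app" only.
    server = FakeServer({("admin", "ro_user"): ("pw1", True),
                         ("app", "rw_user"): ("pw2", False)})
    creds = {"admin": ("ro_user", "pw1"), "app": ("rw_user", "pw2")}
    sock = Sock()
    reauth(server, sock, creds)
    return {(db, act): server.allows(sock, db, act)
            for db in ("app", "other") for act in (READ, WRITE)}

if __name__ == "__main__":
    for fn in (reauth_short_circuit, reauth_each):
        print(fn.__name__, privileges_on_new_socket(fn))
```

With the short-circuit, the new socket can read everywhere but cannot write to `app`, even though the client holds valid read/write credentials for it; the per-database loop restores that write access without granting writes anywhere else.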