Core Server: SERVER-10946

MONGODB-X509 auth appears to succeed but all operations fail with code 13

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • 2.5.3
    • Affects Version/s: None
    • Component/s: Security
    • Labels:
    • ALL

      Start the server like so:

      $ ./mongod --dbpath /path/to/data --sslOnNormalPorts --sslPEMKeyFile jstests/libs/server.pem --sslCRLFile jstests/libs/crl.pem --sslCAFile jstests/libs/ca.pem --sslWeakCertificateValidation --auth
      

      Start the shell, create a user with all the any* roles, then try to do anything:

      ./mongo --ssl --sslPEMKeyFile jstests/libs/client.pem 
      MongoDB shell version: 2.5.3-pre-
      connecting to: test
      Server has startup warnings: 
      2013-09-27T12:35:16.503-0700 [initandlisten] 
      2013-09-27T12:35:16.503-0700 [initandlisten] ** NOTE: This is a development version (2.5.3-pre-) of MongoDB.
      2013-09-27T12:35:16.503-0700 [initandlisten] **       Not recommended for production.
      2013-09-27T12:35:16.503-0700 [initandlisten] 
      > use $external
      switched to db $external
      > db.addUser({user: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US", roles: [
      ... {name: 'clusterAdmin', source: 'admin', hasRole: true, 'canDelegate': true},
      ... {name: 'userAdminAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true},
      ... {name: 'readWriteAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true},
      ... {name: 'dbAdminAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true}]})
      {
      	"user" : "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US",
      	"roles" : [
      		{
      			"name" : "clusterAdmin",
      			"source" : "admin",
      			"hasRole" : true,
      			"canDelegate" : true
      		},
      		{
      			"name" : "userAdminAnyDatabase",
      			"source" : "admin",
      			"hasRole" : true,
      			"canDelegate" : true
      		},
      		{
      			"name" : "readWriteAnyDatabase",
      			"source" : "admin",
      			"hasRole" : true,
      			"canDelegate" : true
      		},
      		{
      			"name" : "dbAdminAnyDatabase",
      			"source" : "admin",
      			"hasRole" : true,
      			"canDelegate" : true
      		}
      	]
      }
      > db.auth({user: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US", mechanism: 'MONGODB-X509'})
      1
      > use test
      switched to db test
      > db.foo.count()
      2013-09-27T12:39:04.609-0700 count failed: {
      	"ok" : 0,
      	"errmsg" : "not authorized on test to execute command { count: \"foo\", query: {}, fields: {} }",
      	"code" : 13
      } at src/mongo/shell/query.js:188
      > 
      

      Note that db.auth() returns 1 (successful). From the mongod log:

      2013-09-27T12:38:16.551-0700 [clientcursormon]  connections:1
      2013-09-27T12:38:57.504-0700 [conn1]  authenticate db: $external { authenticate: 1, mechanism: "MONGODB-X509", user: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US" }
      2013-09-27T12:38:57.504-0700 [conn1] Unauthorized not authorized on admin to execute command { replSetGetStatus: 1.0, forShell: 1.0 }
      2013-09-27T12:39:04.608-0700 [conn1] Unauthorized not authorized on test to execute command { count: "foo", query: {}, fields: {} }
      
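
A defender-side check for the pattern the log above shows, added here as an example and not part of this report or of MongoDB itself: it scans mongod log lines, correlates each authenticate attempt with later Unauthorized errors on the same connection, and flags connections that authenticated yet were denied. The sample lines are constructed from the excerpt above (the conn2 line is invented); the pattern is only a heuristic, since a user whose roles genuinely do not cover a command produces the same sequence.

```python
import re

# Constructed sample, modelled on the mongod log excerpt in the report above
# (conn2 is an invented connection that authenticates and is never denied).
SAMPLE_LOG = """\
2013-09-27T12:38:16.551-0700 [clientcursormon]  connections:1
2013-09-27T12:38:57.504-0700 [conn1]  authenticate db: $external { authenticate: 1, mechanism: "MONGODB-X509", user: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US" }
2013-09-27T12:38:57.504-0700 [conn1] Unauthorized not authorized on admin to execute command { replSetGetStatus: 1.0, forShell: 1.0 }
2013-09-27T12:39:04.608-0700 [conn1] Unauthorized not authorized on test to execute command { count: "foo", query: {}, fields: {} }
2013-09-27T12:41:10.000-0700 [conn2]  authenticate db: admin { authenticate: 1, mechanism: "MONGODB-CR", user: "siteRootAdmin" }
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) \[(?P<conn>conn\d+)\]\s+(?P<msg>.*)$')
AUTH_RE = re.compile(r'^authenticate db: (?P<db>\S+) .*mechanism: "(?P<mech>[^"]+)".*user: "(?P<user>[^"]+)"')
UNAUTH_RE = re.compile(r'^Unauthorized not authorized on (?P<db>\S+) to execute command (?P<cmd>.*)$')

def find_auth_without_authz(log_text):
    """Return one finding per Unauthorized error that follows an authenticate
    attempt on the same connection. The 'authenticate db:' line records the
    attempt, not its outcome, so this is a heuristic rather than proof."""
    last_auth = {}   # conn -> details of the most recent authenticate attempt
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue            # not a per-connection line (e.g. clientcursormon)
        ts, conn, msg = m.group('ts', 'conn', 'msg')
        a = AUTH_RE.match(msg)
        if a:
            last_auth[conn] = {'ts': ts, **a.groupdict()}
            continue
        u = UNAUTH_RE.match(msg)
        if u and conn in last_auth:
            auth = last_auth[conn]
            findings.append({
                'conn': conn,
                'user': auth['user'],
                'mechanism': auth['mech'],
                'auth_db': auth['db'],
                'denied_db': u.group('db'),
                'command': u.group('cmd').strip(),
            })
    return findings

if __name__ == '__main__':
    for f in find_auth_without_authz(SAMPLE_LOG):
        print(f"{f['conn']}: {f['mechanism']} user {f['user']!r} denied on {f['denied_db']}: {f['command']}")
```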

            Assignee:
            andreas.nilsson Andreas Nilsson
            Reporter:
            bernie@mongodb.com Bernie Hackett