Start the server like so:
$ ./mongod --dbpath /path/to/data --sslOnNormalPorts --sslPEMKeyFile jstests/libs/server.pem --sslCRLFile jstests/libs/crl.pem --sslCAFile jstests/libs/ca.pem --sslWeakCertificateValidation --auth
Start the shell, create a user in $external with clusterAdmin and all of the *AnyDatabase roles, then try to run any command:
./mongo --ssl --sslPEMKeyFile jstests/libs/client.pem
MongoDB shell version: 2.5.3-pre-
connecting to: test
Server has startup warnings:
2013-09-27T12:35:16.503-0700 [initandlisten]
2013-09-27T12:35:16.503-0700 [initandlisten] ** NOTE: This is a development version (2.5.3-pre-) of MongoDB.
2013-09-27T12:35:16.503-0700 [initandlisten] ** Not recommended for production.
2013-09-27T12:35:16.503-0700 [initandlisten]
> use $external
switched to db $external
> db.addUser({user: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US", roles: [
... {name: 'clusterAdmin', source: 'admin', hasRole: true, 'canDelegate': true},
... {name: 'userAdminAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true},
... {name: 'readWriteAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true},
... {name: 'dbAdminAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true}]})
{
"user" : "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US",
"roles" : [
{
"name" : "clusterAdmin",
"source" : "admin",
"hasRole" : true,
"canDelegate" : true
},
{
"name" : "userAdminAnyDatabase",
"source" : "admin",
"hasRole" : true,
"canDelegate" : true
},
{
"name" : "readWriteAnyDatabase",
"source" : "admin",
"hasRole" : true,
"canDelegate" : true
},
{
"name" : "dbAdminAnyDatabase",
"source" : "admin",
"hasRole" : true,
"canDelegate" : true
}
]
}
> db.auth({user: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US", mechanism: 'MONGODB-X509'})
1
> use test
switched to db test
> db.foo.count()
2013-09-27T12:39:04.609-0700 count failed: {
"ok" : 0,
"errmsg" : "not authorized on test to execute command { count: \"foo\", query: {}, fields: {} }",
"code" : 13
} at src/mongo/shell/query.js:188
>
Note that db.auth() returns 1 (authentication succeeded), yet the subsequent count is rejected as not authorized. From the mongod log:
2013-09-27T12:38:16.551-0700 [clientcursormon] connections:1
2013-09-27T12:38:57.504-0700 [conn1] authenticate db: $external { authenticate: 1, mechanism: "MONGODB-X509", user: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US" }
2013-09-27T12:38:57.504-0700 [conn1] Unauthorized not authorized on admin to execute command { replSetGetStatus: 1.0, forShell: 1.0 }
2013-09-27T12:39:04.608-0700 [conn1] Unauthorized not authorized on test to execute command { count: "foo", query: {}, fields: {} }