Start the server like so:
$ ./mongod --dbpath /path/to/data --sslOnNormalPorts --sslPEMKeyFile jstests/libs/server.pem --sslCRLFile jstests/libs/crl.pem --sslCAFile jstests/libs/ca.pem --sslWeakCertificateValidation --auth
Start the shell, create a user with all the any* roles, then try to do anything:
$ ./mongo --ssl --sslPEMKeyFile jstests/libs/client.pem
MongoDB shell version: 2.5.3-pre-
connecting to: test
Server has startup warnings:
2013-09-27T12:35:16.503-0700 [initandlisten]
2013-09-27T12:35:16.503-0700 [initandlisten] ** NOTE: This is a development version (2.5.3-pre-) of MongoDB.
2013-09-27T12:35:16.503-0700 [initandlisten] ** Not recommended for production.
2013-09-27T12:35:16.503-0700 [initandlisten]
> use $external
switched to db $external
> db.addUser({user: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US", roles: [
... {name: 'clusterAdmin', source: 'admin', hasRole: true, 'canDelegate': true},
... {name: 'userAdminAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true},
... {name: 'readWriteAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true},
... {name: 'dbAdminAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true}]})
{
    "user" : "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US",
    "roles" : [
        {
            "name" : "clusterAdmin",
            "source" : "admin",
            "hasRole" : true,
            "canDelegate" : true
        },
        {
            "name" : "userAdminAnyDatabase",
            "source" : "admin",
            "hasRole" : true,
            "canDelegate" : true
        },
        {
            "name" : "readWriteAnyDatabase",
            "source" : "admin",
            "hasRole" : true,
            "canDelegate" : true
        },
        {
            "name" : "dbAdminAnyDatabase",
            "source" : "admin",
            "hasRole" : true,
            "canDelegate" : true
        }
    ]
}
> db.auth({user: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US", mechanism: 'MONGODB-X509'})
1
> use test
switched to db test
> db.foo.count()
2013-09-27T12:39:04.609-0700 count failed: { "ok" : 0, "errmsg" : "not authorized on test to execute command { count: \"foo\", query: {}, fields: {} }", "code" : 13 } at src/mongo/shell/query.js:188
>
Note that db.auth() returns 1 (successful). From the mongod log:
2013-09-27T12:38:16.551-0700 [clientcursormon] connections:1
2013-09-27T12:38:57.504-0700 [conn1] authenticate db: $external { authenticate: 1, mechanism: "MONGODB-X509", user: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US" }
2013-09-27T12:38:57.504-0700 [conn1] Unauthorized not authorized on admin to execute command { replSetGetStatus: 1.0, forShell: 1.0 }
2013-09-27T12:39:04.608-0700 [conn1] Unauthorized not authorized on test to execute command { count: "foo", query: {}, fields: {} }
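
An added example, not part of the original report or of MongoDB's code: a small Python triage script that pairs each authenticate line in a mongod log with later Unauthorized lines on the same connection, which is the pattern in the log above. It assumes the log line layout seen in this report; the function name denied_after_auth is hypothetical, and the authenticate line is treated as an attempt, since the log line itself does not state the outcome.

```python
import re

# Log lines copied from the mongod excerpt in the report above.
SAMPLE_LOG = """\
2013-09-27T12:38:16.551-0700 [clientcursormon] connections:1
2013-09-27T12:38:57.504-0700 [conn1] authenticate db: $external { authenticate: 1, mechanism: "MONGODB-X509", user: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US" }
2013-09-27T12:38:57.504-0700 [conn1] Unauthorized not authorized on admin to execute command { replSetGetStatus: 1.0, forShell: 1.0 }
2013-09-27T12:39:04.608-0700 [conn1] Unauthorized not authorized on test to execute command { count: "foo", query: {}, fields: {} }
"""

# timestamp, [context], message (assumed layout, taken from the excerpt)
LINE_RE = re.compile(r'^(?P<ts>\S+)\s+\[(?P<ctx>[^\]]+)\]\s+(?P<msg>.*)$')
AUTH_RE = re.compile(
    r'^authenticate db: (?P<db>\S+) \{.*?mechanism: "(?P<mech>[^"]+)"'
    r'.*?user: "(?P<user>[^"]+)"')
DENY_RE = re.compile(
    r'^Unauthorized not authorized on (?P<db>\S+) '
    r'to execute command \{ (?P<cmd>\w+):')


def denied_after_auth(log_text):
    """Map connection -> user, mechanism and the commands denied after an
    authenticate attempt was logged on that same connection."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed layout
        ctx, msg = m["ctx"], m["msg"]
        auth = AUTH_RE.match(msg)
        if auth:
            sessions[ctx] = {"user": auth["user"],
                             "mechanism": auth["mech"],
                             "denied": []}
            continue
        deny = DENY_RE.match(msg)
        if deny and ctx in sessions:
            sessions[ctx]["denied"].append((m["ts"], deny["db"], deny["cmd"]))
    # Keep only connections that were denied something after authenticating.
    return {c: s for c, s in sessions.items() if s["denied"]}


if __name__ == "__main__":
    for conn, info in denied_after_auth(SAMPLE_LOG).items():
        print(conn, info["mechanism"], info["user"])
        for ts, db, cmd in info["denied"]:
            print("  denied:", ts, db, cmd)
```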