Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-11018

Auth behavior of mergeChunks command is inconsistent with splitChunk

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Done
    • Priority: Icon: Minor - P4 Minor - P4
    • 2.5.3
    • Affects Version/s: None
    • Component/s: None
    • ALL
    • Hide

      1) run mongod with --auth
      2) use admin
      3) 

      db.addUser({user: "x", pwd: "x", roles: ["clusterAdmin"]})

      4) 

      db.auth("x", "x")

      5) use test
      6) 

      db.runCommand({splitChunk: "x"}) and receive expected auth error
{
	"ok" : 0,
	"errmsg" : "splitChunk may only be run against the admin database.",
	"code" : 13
}

      7) 

      db.runCommand({mergeChunks: "x", bounds: [{i: 1}, {i: 5}]}), and get a different error, other than auth:
{
	"ok" : 0,
	"errmsg" : "sharding state must be enabled or config server specified to merge chunks"
}

      This exposes the problem, because the auth error checking happens before checking that sharding is enabled.

      Show
      1) run mongod with --auth 2) use admin 3) db.addUser({user: "x" , pwd: "x" , roles: [ "clusterAdmin" ]}) 4) db.auth( "x" , "x" ) 5) use test 6) db.runCommand({splitChunk: "x" }) and receive expected auth error { "ok" : 0, "errmsg" : "splitChunk may only be run against the admin database." , "code" : 13 } 7) db.runCommand({mergeChunks: "x" , bounds: [{i: 1}, {i: 5}]}), and get a different error, other than auth: { "ok" : 0, "errmsg" : "sharding state must be enabled or config server specified to merge chunks" } This exposes the problem, because the auth error checking happens before checking that sharding is enabled.
    • None
    • 0
    • None
    • None
    • None
    • None
    • None
    • None

      Both the mergeChunks command and the splitChunk command require the clusterAdmin role.

      When logged in as a user with the clusterAdmin role, splitChunk can only be run on the admin database. MergeChunks, however, can be run on any database. In order to be consistent, mergeChunks should return a "not authorized" error when run on any database other than admin.

            Assignee:
            greg_10gen Greg Studer (Inactive)
            Reporter:
            david.storch@mongodb.com David Storch
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: