  1. Core Server
  2. SERVER-12155

2.4 mongos can continue creating old schema user docs even after auth schema has been upgraded


Details

    • Type: Bug
    • Resolution: Won't Fix
    • Priority: Major - P3
    • None
    • 2.5.4
    • Security
    • ALL

    Description

      1. Create a sharded cluster on 2.4 with auth enabled and 2 or more mongos processes, and create a user with privileges for userAdminAnyDatabase.
      2. On one of the 2.4 mongos, log in as the user with userAdminAnyDatabase.
      3. On the other 2.4 mongos:
         • shut it down, upgrade its binary to 2.5 and restart with --upgrade
         • log in and run the authSchemaUpgrade commands
      4. On the first 2.4 mongos (which is still connected and logged in as the user with userAdminAnyDatabase), run the db.addUser command.

      It will create a user doc with the old schema. So listing system users shows:

      > st1.s0.getDB("admin").system.users.find().pretty()
      {
      	"_id" : "admin.mike",
      	"user" : "mike",
      	"db" : "admin",
      	"credentials" : {
      		"MONGODB-CR" : "0b201b8e2a0193849c8acdcfd92ee73c"
      	},
      	"roles" : [
      		{
      			"role" : "userAdminAnyDatabase",
      			"db" : "admin"
      		},
      		{
      			"role" : "clusterAdmin",
      			"db" : "admin"
      		},
      		{
      			"role" : "readWriteAnyDatabase",
      			"db" : "admin"
      		}
      	]
      }
      {
      	"_id" : ObjectId("52b1f1a06a1f4ec0f8a6f7da"),
      	"user" : "mike2",
      	"pwd" : "e6861c06f0f85ed57ddede151b59d49e",
      	"roles" : [
      		"read"
      	]
      }
      {
      	"_id" : "admin.mike3",
      	"user" : "mike3",
      	"db" : "admin",
      	"credentials" : {
      		"MONGODB-CR" : "1946dc61e1429e2195d1706f057084fe"
      	},
      	"roles" : [
      		{
      			"role" : "read",
      			"db" : "admin"
      		}
      	]
      }

      Script to reproduce this:

      // Two 2.4 mongos (s0, s1) in front of 2.5 shards and 2.5 config servers
      var st1 = new ShardingTest({shards: 2, mongos: 2, keyFile: "testkeyfile",
                                  other: {mongosOptions: {binVersion: MongoRunner.versionIterator(["2.4", "2.4"])},
                                          shardOptions: {binVersion: MongoRunner.versionIterator(["2.5"])},
                                          configOptions: {binVersion: "2.5"},
                                          separateConfig: true}});

      // Create the admin user through s1 and stay logged in on that 2.4 mongos
      st1.s1.getDB("admin").addUser({user: "mike", pwd: "blah", roles: ["userAdminAnyDatabase", "clusterAdmin", "readWriteAnyDatabase"]});
      st1.s1.getDB("admin").auth("mike", "blah");

      // Stop balancer so that --upgrade can proceed
      st1.s1.getDB("config").settings.update({_id: "balancer"}, {$set: {stopped: true}}, true);

      // Restart s0 on the 2.5 binary with --upgrade and log in again
      MongoRunner.stopMongos(st1.s0);
      st1.s0 = MongoRunner.runMongos({restart: st1.s0, binVersion: "2.5", upgrade: ""});
      st1.s0.getDB("admin").auth("mike", "blah");

      // Run the auth schema upgrade to completion through the 2.5 mongos
      var res;
      do {
      	res = st1.s0.getDB("admin").runCommand({authSchemaUpgradeStep: 1});
      	print(tojson(res));
      } while (res.ok && !res.done);

      // The still-connected 2.4 mongos (s1) now writes an old-schema user doc
      st1.s1.getDB("admin").addUser({user: "mike2", pwd: "blah", roles: ["read"]});
      printjson(st1.s1.getDB("admin").system.users.find().toArray());
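
A check for old-schema documents left behind after the upgrade, as an added example that is not part of the original report or of the MongoDB code base. The function names are hypothetical, and the schema rules are assumptions inferred only from the field shapes in the listing above (top-level `pwd`, ObjectId `_id` and bare-string roles for the old schema).

```javascript
// Added example, not from the ticket: flag system.users documents that still
// use the old schema, judging only by the field shapes shown in the listing.
function classifyUserDoc(doc) {
  var reasons = [];
  // Old-schema documents keep the password hash in a top-level "pwd" field.
  if (Object.prototype.hasOwnProperty.call(doc, "pwd")) {
    reasons.push("top-level pwd field");
  }
  // New-schema documents keep hashes in a "credentials" subdocument.
  if (typeof doc.credentials !== "object" || doc.credentials === null) {
    reasons.push("no credentials subdocument");
  }
  // New-schema _id is the string "<db>.<user>"; the old one is an ObjectId.
  if (typeof doc._id !== "string" || doc._id !== doc.db + "." + doc.user) {
    reasons.push("_id is not <db>.<user>");
  }
  // New-schema roles are {role, db} documents; old roles are bare strings.
  var roles = Array.isArray(doc.roles) ? doc.roles : [];
  var bare = roles.filter(function (r) { return typeof r === "string"; });
  if (bare.length > 0) {
    reasons.push("roles listed as bare strings");
  }
  return { user: doc.user, schema: reasons.length ? "old" : "new", reasons: reasons };
}

function findOldSchemaUsers(docs) {
  return docs.map(classifyUserDoc).filter(function (r) { return r.schema === "old"; });
}

// Constructed sample mirroring the three documents in the ticket; hashes and
// the ObjectId are replaced with placeholders.
var sampleUsers = [
  { _id: "admin.mike", user: "mike", db: "admin",
    credentials: { "MONGODB-CR": "<hash>" },
    roles: [{ role: "userAdminAnyDatabase", db: "admin" },
            { role: "clusterAdmin", db: "admin" },
            { role: "readWriteAnyDatabase", db: "admin" }] },
  { _id: { $oid: "<objectid>" }, user: "mike2", pwd: "<hash>", roles: ["read"] },
  { _id: "admin.mike3", user: "mike3", db: "admin",
    credentials: { "MONGODB-CR": "<hash>" },
    roles: [{ role: "read", db: "admin" }] }
];

// print() exists in the mongo shell, console.log in Node.js.
var out = (typeof print === "function") ? print : console.log;
findOldSchemaUsers(sampleUsers).forEach(function (r) {
  out(r.user + ": " + r.reasons.join("; "));
});
```

In a mongo shell, pass `db.getSiblingDB("admin").system.users.find().toArray()` in place of `sampleUsers`.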

          People

            schwerin@mongodb.com Andy Schwerin
            mikeo@mongodb.com Michael O'Brien