  1. Core Server
  2. SERVER-12616

can run adminCommands on mongos without authorization if config servers are down

Details

    • Bug
    • Resolution: Done
    • Critical - P2
    • 2.6.0-rc0
    • 2.5.5
    • Security
    • None
    • Fully Compatible
    • ALL

    Description

      When all config servers are down, admin commands can be executed on a mongos without the necessary privileges.

      Reproduction steps:

      1. Start a sharded cluster with --keyFile authentication and add users.
      2. Kill all config servers.
      3. Log into mongos and execute admin commands that would otherwise require certain privileges, e.g. serverStatus would require the clusterAdmin role.

      jstest is attached.

      Example shell transcript:

      With the config server (here only 1) running:

      mongo
      MongoDB shell version: 2.5.5
      connecting to: test
      Error while trying to show server startup warnings: not authorized on admin to execute command { getLog: "startupWarnings" }
      mongos> db.adminCommand('serverStatus')
      {
              "ok" : 0,
              "errmsg" : "not authorized on admin to execute command { serverStatus: 1.0 }",
              "code" : 13
      }
      mongos>
      bye

      Kill the config server:

      (ve)tr@enter:~/Documents/tmp$ psmongo
      tr              86292   0.5  0.3  2751984  44876   ??  S     9:50pm   0:10.92 mongod --dbpath /Users/tr/Documents/tmp/data/config/db --logpath /Users/tr/Documents/tmp/data/config/mongod.log --port 27020 --logappend --keyFile /Users/tr/Documents/tmp/data/keyfile --configsvr --fork
      tr              86262   0.4  0.1  2718168  10840   ??  S     9:47pm   0:10.07 mongod --dbpath /Users/tr/Documents/tmp/data/shard01/db --logpath /Users/tr/Documents/tmp/data/shard01/mongod.log --port 27018 --logappend --keyFile /Users/tr/Documents/tmp/data/keyfile --fork
      tr              86265   0.4  0.1  2718168  10540   ??  S     9:47pm   0:09.96 mongod --dbpath /Users/tr/Documents/tmp/data/shard02/db --logpath /Users/tr/Documents/tmp/data/shard02/mongod.log --port 27019 --logappend --keyFile /Users/tr/Documents/tmp/data/keyfile --fork
      tr              86271   0.3  0.0  2489404   6844   ??  S     9:47pm   0:07.25 mongos --logpath /Users/tr/Documents/tmp/data/mongos.log --port 27017 --configdb enter.local:27020 --logappend --keyFile /Users/tr/Documents/tmp/data/keyfile --fork
      (ve)tr@enter:~/Documents/tmp$ kill 86292

      Trying the same command again:

      (ve)tr@enter:~/Documents/tmp$ mongo
      MongoDB shell version: 2.5.5
      connecting to: test
      mongos> db.adminCommand('serverStatus')
      {
              "host" : "enter.local",
              "version" : "2.5.5",
              "process" : "mongos",
              "pid" : NumberLong(86271),
              "uptime" : 1821,
      ...
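
The report's pass/fail condition can be written as a regression check that sends privileged admin commands on an unauthenticated connection and flags any that run instead of returning code 13. This is an added example, not the jstest attached to the ticket; the function names and the three `db` stand-ins (built from the two transcripts above, with `ok: 1` assumed for the truncated success reply) are constructed for illustration.

```javascript
// Added example: not the jstest attached to this ticket.
const UNAUTHORIZED = 13; // "code" : 13 in the denied reply shown above

// Classify one reply to a command sent on an unauthenticated connection.
function classifyReply(reply) {
  if (reply.ok === 1) return "executed";            // fail-open: the command ran
  if (reply.code === UNAUTHORIZED) return "denied"; // expected outcome
  return "error";                                   // failed for an unrelated reason
}

// Run each command document through db.adminCommand() and record the verdict.
// Newer shells may throw on failure instead of returning { ok: 0, ... }; handle both.
function auditUnauthenticated(db, commands) {
  return commands.map((cmd) => {
    let reply;
    try {
      reply = db.adminCommand(cmd);
    } catch (err) {
      reply = { ok: 0, code: err.code, errmsg: err.message };
    }
    return { command: Object.keys(cmd)[0], verdict: classifyReply(reply) };
  });
}

// Commands that ran without credentials; an empty list means the check passed.
function failOpenCommands(results) {
  return results.filter((r) => r.verdict === "executed").map((r) => r.command);
}

// Constructed stand-ins for a shell `db`, modelled on the two transcripts above.
const dbConfigUp = {
  adminCommand: (cmd) => ({
    ok: 0,
    errmsg: "not authorized on admin to execute command " + JSON.stringify(cmd),
    code: UNAUTHORIZED,
  }),
};
const dbConfigDown = { // ok: 1 is assumed; the transcript is cut off before that field
  adminCommand: () => ({ host: "enter.local", version: "2.5.5", process: "mongos", ok: 1 }),
};
const dbThrows = { // hypothetical shell that throws the error instead of returning it
  adminCommand: () => { throw Object.assign(new Error("not authorized"), { code: 13 }); },
};

const PRIVILEGED = [{ serverStatus: 1 }, { getLog: "startupWarnings" }];
for (const [label, db] of [["config up", dbConfigUp], ["config down", dbConfigDown]]) {
  console.log(label, failOpenCommands(auditUnauthenticated(db, PRIVILEGED)));
}
```

Against a live cluster, pass the shell's real `db` from an unauthenticated session in place of the stand-ins, once with the config servers up and once after stopping them.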

          People

            schwerin@mongodb.com Andy Schwerin
            thomas.rueckstiess@mongodb.com Thomas Rueckstiess