Description
When all config servers are down, admin commands can be executed on a mongos without the necessary privileges.
Reproduction steps:
- start sharded cluster with --keyFile authentication, add users
- kill all config servers
- log into mongos and execute admin commands that would otherwise require certain privileges, e.g. serverStatus would require clusterAdmin role
jstest is attached.
Example shell transcript:
With config server (here only 1) running:
mongo
MongoDB shell version: 2.5.5
connecting to: test
Error while trying to show server startup warnings: not authorized on admin to execute command { getLog: "startupWarnings" }
mongos> db.adminCommand('serverStatus')
{
  "ok" : 0,
  "errmsg" : "not authorized on admin to execute command { serverStatus: 1.0 }",
  "code" : 13
}
mongos>
bye
Kill config server:
(ve)tr@enter:~/Documents/tmp$ psmongo
tr 86292 0.5 0.3 2751984 44876 ?? S 9:50pm 0:10.92 mongod --dbpath /Users/tr/Documents/tmp/data/config/db --logpath /Users/tr/Documents/tmp/data/config/mongod.log --port 27020 --logappend --keyFile /Users/tr/Documents/tmp/data/keyfile --configsvr --fork
tr 86262 0.4 0.1 2718168 10840 ?? S 9:47pm 0:10.07 mongod --dbpath /Users/tr/Documents/tmp/data/shard01/db --logpath /Users/tr/Documents/tmp/data/shard01/mongod.log --port 27018 --logappend --keyFile /Users/tr/Documents/tmp/data/keyfile --fork
tr 86265 0.4 0.1 2718168 10540 ?? S 9:47pm 0:09.96 mongod --dbpath /Users/tr/Documents/tmp/data/shard02/db --logpath /Users/tr/Documents/tmp/data/shard02/mongod.log --port 27019 --logappend --keyFile /Users/tr/Documents/tmp/data/keyfile --fork
tr 86271 0.3 0.0 2489404 6844 ?? S 9:47pm 0:07.25 mongos --logpath /Users/tr/Documents/tmp/data/mongos.log --port 27017 --configdb enter.local:27020 --logappend --keyFile /Users/tr/Documents/tmp/data/keyfile --fork
(ve)tr@enter:~/Documents/tmp$ kill 86292
Trying the same command again:
(ve)tr@enter:~/Documents/tmp$ mongo
MongoDB shell version: 2.5.5
connecting to: test
mongos> db.adminCommand('serverStatus')
{
  "host" : "enter.local",
  "version" : "2.5.5",
  "process" : "mongos",
  "pid" : NumberLong(86271),
  "uptime" : 1821,
  ...
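An added example, not part of the original report or its attached jstest: a check that sends the two commands the transcript shows being rejected from an unauthenticated session and flags a mongos that answers them instead of returning error code 13. The runCommand callback and the two stub functions are assumptions, and the stub replies are constructed from the transcript above.

```javascript
// Error code the transcript shows for a rejected command ("not authorized ...").
var UNAUTHORIZED = 13;

// Commands the report shows being rejected for an unauthenticated session.
var PROBES = [{ serverStatus: 1 }, { getLog: "startupWarnings" }];

// Classify one reply received by a session that has NOT authenticated.
function classifyReply(reply) {
  if (!reply || typeof reply !== "object") return "inconclusive";
  if (reply.ok === 0 || reply.ok === false) {
    // Only the explicit authorization error proves the check ran.
    return reply.code === UNAUTHORIZED ? "enforced" : "inconclusive";
  }
  // A non-error reply means privileged output came back without credentials.
  return "fail-open";
}

// runCommand is a hypothetical callback: command document in, reply document out.
// In a shell session it would wrap db.adminCommand (assumption).
function auditMongos(runCommand) {
  var findings = PROBES.map(function (cmd) {
    var verdict;
    try {
      verdict = classifyReply(runCommand(cmd));
    } catch (e) {
      verdict = "inconclusive"; // e.g. connection refused or timeout
    }
    return { command: Object.keys(cmd)[0], verdict: verdict };
  });
  var failOpen = findings.some(function (f) { return f.verdict === "fail-open"; });
  return { failOpen: failOpen, findings: findings };
}

// Constructed stub: mongos with its config server running (first transcript).
function healthyMongos(cmd) {
  return { ok: 0, errmsg: "not authorized on admin to execute command", code: UNAUTHORIZED };
}

// Constructed stub: mongos after the config server was killed (last transcript).
function degradedMongos(cmd) {
  return { host: "enter.local", version: "2.5.5", process: "mongos", ok: 1 };
}
```

Running the audit once with the config servers up and once with them stopped, on a test cluster, covers both states the report compares.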