  1. Core Server
  2. SERVER-13148

Authentication still holds after user removed


    Details

    • Operating System:
      ALL
    • Steps To Reproduce:

      Ensure there is already a user with userAdminAnyDatabase privilege.
      Run mongod with --auth option
      Open mongo shell
      use admin
      db.auth(<superusername>,<superuserpw>)
      use try
      db.addUser({user:"a",pwd:"a",roles:["userAdmin"]})
      db.auth("a","a")
      db.removeUser("a")
      db.addUser({user:"a",pwd:"b",roles:["read"]})
      Check whether user b is added


      Description

      We have database called "try" and a user with "userAdmin" privilege on that database named "userA".

      First we authenticate userA using
      db.auth("userA","a")
      Then, we remove userA using
      db.removeUser("userA")
      Then, we try to add a user on database "try"
      db.addUser({user:"userB",pwd:"b",roles:["read"]})
      It still works!
      Now we authenticate B
      db.auth("userB","b")
      And see the content of Database
      db.customers.find()
      This shows the documents.

      The problem is, the user authentication seems to be still there even after the user itself has been removed. The removeUser() implementation should call db.runCommand({logout:1}) if the currently authenticated user is the user being removed.

      As a note, I tried it in an --auth enabled environment.

              People

              Assignee:
              andreas.nilsson Andreas Nilsson
              Reporter:
              wongsolo yudho ahmad diponegoro
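Added example, not part of the original report and not MongoDB source code: a toy JavaScript model of the behaviour described above, showing a connection whose cached privileges outlive the removed user next to a variant that re-checks the user store on every operation. The class, its methods, the second connection and "userC" are constructed for illustration.

```javascript
// Toy model of per-connection auth state. Constructed for illustration;
// this is not MongoDB source code and the class/method names are hypothetical.
class ToyAuthServer {
  constructor(revalidate) {
    this.revalidate = revalidate; // true = re-check the user store on every operation
    this.users = new Map();       // "db.user" -> { pwd, roles }
  }
  seedUser(db, user, pwd, roles) {
    this.users.set(`${db}.${user}`, { pwd, roles });
  }
  auth(conn, db, user, pwd) {
    const rec = this.users.get(`${db}.${user}`);
    if (!rec || rec.pwd !== pwd) return false;
    conn.principal = `${db}.${user}`;
    conn.roles = [...rec.roles];  // privileges cached on the connection at login
    return true;
  }
  rolesFor(conn) {
    if (!conn.principal) return [];
    if (!this.revalidate) return conn.roles;   // stale cache trusted: the reported behaviour
    const rec = this.users.get(conn.principal);
    if (rec) return rec.roles;
    conn.principal = null;                     // user is gone: drop the session
    conn.roles = [];
    return [];
  }
  addUser(conn, db, user, pwd, roles) {
    if (!this.rolesFor(conn).includes("userAdmin")) return false;
    this.seedUser(db, user, pwd, roles);
    return true;
  }
  removeUser(conn, db, user) {
    if (!this.rolesFor(conn).includes("userAdmin")) return false;
    return this.users.delete(`${db}.${user}`);
  }
}

// Replays the sequence from the report, plus a second connection logged in as the same user.
function replayReport(revalidate) {
  const srv = new ToyAuthServer(revalidate);
  srv.seedUser("try", "userA", "a", ["userAdmin"]);
  const c1 = {}, c2 = {};
  srv.auth(c1, "try", "userA", "a");
  srv.auth(c2, "try", "userA", "a");
  const removed = srv.removeUser(c1, "try", "userA");
  const sameConn = srv.addUser(c1, "try", "userB", "b", ["read"]);
  const otherConn = srv.addUser(c2, "try", "userC", "c", ["read"]);
  return { removed, sameConn, otherConn, userBExists: srv.users.has("try.userB") };
}
```

`replayReport(false)` reproduces the report (userB is created after userA is removed); `replayReport(true)` refuses both follow-up calls, including the one from the second connection that a logout on the removing connection alone would not reach.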