Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-13148

Authentication still holds after user removed

    XMLWordPrintable

Details

    • ALL
    • Hide

      Ensure there is already an user with userAdminAnyDatabase privilege.
      Run mongod with --auth option
      Open mongo shell
      use admin
      db.auth(<superusername>,<superuserpw>)
      use try
      db.addUser(

      {user:"a",pwd:"a",roles:["userAdmin"]}

      )
      db.auth("a","a")
      db.removeUser("a")
      db.addUser(

      {user:"a",pwd:"b",roles:["read"]}

      )
      Check whether user b is added

      Show
      Ensure there is already an user with userAdminAnyDatabase privilege. Run mongod with --auth option Open mongo shell use admin db.auth(<superusername>,<superuserpw>) use try db.addUser( {user:"a",pwd:"a",roles:["userAdmin"]} ) db.auth("a","a") db.removeUser("a") db.addUser( {user:"a",pwd:"b",roles:["read"]} ) Check whether user b is added

    Description

      We have database called "try" and a user with "userAdmin" privilege on that database named "userA".

      First we authenticate userA using
      db.auth("userA","a")
      Then, we remove userA using
      db.removeUser("userA")
      Then, we try to add a user on database "try"
      db.addUser(

      {user:"userB",pwd:"b",roles:["read"]}

      )
      It still works!
      Now we authenticate B
      db.auth("userB")
      And see the content of Database
      db.customers.find()
      This shows the documents.

      The problem is, the user authentication seems to be still there even after the user itself being removed. The removeUser() implementation should call db.runCommand(

      {logout:1}

      ) if the current authenticated user is the user being removed.

      For note, I tried it in an --auth enabled environment.

      Attachments

        Issue Links

          Activity

            People

              andreas.nilsson Andreas Nilsson
              wongsolo yudho ahmad diponegoro
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: