  1. Core Server
  2. SERVER-14170

Cannot read from secondary if both audit and auth are enabled in a sharded cluster

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical - P2
    • Resolution: Fixed
    • Affects Version/s: 2.6.0, 2.6.2
    • Fix Version/s: 2.6.4, 2.7.2
    • Component/s: Security
    • Labels:
      None
    • Backwards Compatibility:
      Fully Compatible
    • Operating System:
      ALL
    • Backport Completed:

      Description

      Issue Status as of Jul 18, 2014

      ISSUE SUMMARY
      When both audit and authentication are enabled in a sharded cluster, it is not possible to read from secondaries.

      USER IMPACT
      Attempts to read from a secondary fail with an error.

      WORKAROUNDS
      Users can read from primary nodes instead.

      AFFECTED VERSIONS
      MongoDB production releases in the 2.6 series up to 2.6.3 (inclusive) are affected by this issue.

      FIX VERSION
      The fix is included in the 2.6.4 production release.

      RESOLUTION DETAILS
      Do not invoke the runCommand hook when executing authentication commands. Executing this hook leads to commands that cannot be run by unauthenticated users, which prevents authentication of connections when auditing is enabled.

      Original description
      1. Start a sharded cluster with audit and authentication enabled using MongoDB 2.6 enterprise.
      2. Create a user in the admin database with root role.
      3. Authenticate with this user.
      4. Insert a document into the test database.
      5. Set read preference to secondary and it will fail to query the document.
      6. Set read preference to primary and it will return the document.

      mongos> db.auth("root","root")
      1
      mongos> use test
      switched to db test
      mongos> db.docs.insert({x:1})
      WriteResult({ "nInserted" : 1 })
      mongos> db.getMongo().setReadPref('secondary' );
      mongos> db.docs.findOne()
      2014-06-04T22:26:36.647-0400 error: { "$err" : "not authorized for query on test.docs", "code" : 13 } at src/mongo/shell/query.js:131
      mongos> db.getMongo().setReadPref('primary' );
      mongos> db.docs.findOne()
      { "_id" : ObjectId("538fd55871f795733df60f5d"), "x" : 1 }
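
The reproduction above can be turned into a repeatable check, for example to confirm after an upgrade to a fixed release that secondary reads work with audit and authentication enabled. The following is an added example, not code from the ticket or from MongoDB: it assumes a mongo-shell style `db` handle already authenticated on a mongos, and the function names, the `server14170_probe` collection and the result strings are hypothetical.

```javascript
// Added example: regression probe for the SERVER-14170 symptom.
// Assumes `db` is a mongo-shell database handle, already authenticated
// (db.auth) against a mongos. Collection name and result labels are
// hypothetical choices for this sketch.

function isUnauthorized(err) {
  // The 2.6 shell throws a string that embeds the $err document;
  // other shells may throw an object with a numeric code. Accept both.
  if (err && err.code === 13) return true;
  return /"code"\s*:\s*13\b/.test(String(err));
}

function readWithPref(db, coll, mode, query) {
  db.getMongo().setReadPref(mode);
  try {
    return { doc: coll.findOne(query), unauthorized: false };
  } catch (err) {
    if (isUnauthorized(err)) return { doc: null, unauthorized: true };
    throw err; // unrelated failure (network, no secondary): surface it
  }
}

function probeSecondaryReads(db) {
  var coll = db.getSiblingDB("test").getCollection("server14170_probe");
  var query = { probe: "SERVER-14170", at: Date.now() };
  coll.insert({ probe: query.probe, at: query.at });
  try {
    var primary = readWithPref(db, coll, "primary", query);
    var secondary = readWithPref(db, coll, "secondary", query);
    // Denied on the primary too: a credentials or role problem, not this bug.
    if (primary.unauthorized) return "unauthorized-on-primary";
    // Same user, same query, denied only on the secondary: the ticket's symptom.
    if (secondary.unauthorized) return "affected";
    // No error but no document: the secondary has not replicated the insert yet.
    if (secondary.doc === null) return "inconclusive-replication-lag";
    return "ok";
  } finally {
    // Leave the connection as it was found and clean up the marker document.
    db.getMongo().setReadPref("primary");
    coll.remove(query);
  }
}
```

In the mongo shell, load the file after `db.auth(...)` and call `probeSecondaryReads(db)`; an `inconclusive-replication-lag` result means the probe should be repeated rather than treated as a pass.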
