  1. Core Server
  2. SERVER-14194

Password logged in error message for db.system.users.insert

    • Type: Bug
    • Resolution: Won't Fix
    • Priority: Major - P3
    • None
    • Affects Version/s: 2.6.1
    • Component/s: Security
    • ALL

      1. Enable auth on mongod
      2. Mongo client
      -Create admin user
      -Authenticate with admin user
      -Insert into system.users


      The legacy method to create users, db.system.users.insert, can fail if the user does not have the proper access. In this case the password is exposed in both the mongod log and the error message propagated to the client:

      > db.system.users.insert({user:'dbuser', pwd: 'pwd', roles: ['readWrite']});
       m27000| 2014-06-06T13:13:28.706-0400 [conn1] Unauthorized not authorized on admin to execute command { insert: "system.users", documents: [ { _id: ObjectId('5391f6b83cbc4b1dc741c821'), user: "dbuser", pwd: "pwd", roles: [ "readWrite" ] } ], ordered: true }
      WriteResult({
      	"writeError" : {
      		"code" : 13,
      		"errmsg" : "not authorized on admin to execute command { insert: \"system.users\", documents: [ { _id: ObjectId('5391f6b83cbc4b1dc741c821'), user: \"dbuser\", pwd: \"pwd\", roles: [ \"readWrite\" ] } ], ordered: true }"
      	}
      })
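
A check an operator could run over stored mongod logs to find which accounts had a password echoed in this kind of authorization error, and to mask the value. This is an added example, not code from the ticket or from MongoDB; the function names and the first and third sample lines are constructed.

```javascript
// Added example, not MongoDB code. Matches pwd: "<value>" as written in the
// mongod log and in the in-memory errmsg string (the shell shows \" only
// because it prints errmsg JSON-escaped).
// Assumption: a quote inside the value appears backslash-escaped.
const PWD_FIELD = /(\bpwd\s*:\s*)"(?:[^"\\]|\\.)*"/g;
const HAS_PWD = new RegExp(PWD_FIELD.source); // non-global copy for test()
const USER_FIELD = /\buser\s*:\s*"((?:[^"\\]|\\.)*)"/;
// An authorization failure that echoes a command against system.users.
const ECHOED_CMD = /not authorized on \S+ to execute command \{.*"system\.users"/;

// Replace every pwd value with a fixed marker, keeping the rest of the text.
function redactPwd(text) {
  return text.replace(PWD_FIELD, '$1"<redacted>"');
}

// Report which lines exposed a password, and for which user, so that those
// credentials can be rotated and the stored log scrubbed.
function findExposures(lines) {
  const hits = [];
  lines.forEach((line, i) => {
    if (ECHOED_CMD.test(line) && HAS_PWD.test(line)) {
      const m = USER_FIELD.exec(line);
      hits.push({ line: i + 1, user: m ? m[1] : null });
    }
  });
  return hits;
}

// Line 2 is the log line quoted in this ticket; lines 1 and 3 are constructed.
const CMD = 'Unauthorized not authorized on admin to execute command ';
const sampleLog = [
  '2014-06-06T13:13:27.100-0400 [conn1] ' + CMD + '{ count: "orders", query: {} }',
  '2014-06-06T13:13:28.706-0400 [conn1] ' + CMD + '{ insert: "system.users", documents: [ { _id: ObjectId(\'5391f6b83cbc4b1dc741c821\'), user: "dbuser", pwd: "pwd", roles: [ "readWrite" ] } ], ordered: true }',
  // Password containing an escaped quote, to exercise the edge case.
  '2014-06-06T13:14:02.311-0400 [conn2] ' + CMD + '{ insert: "system.users", documents: [ { user: "app", pwd: "p\\"x", roles: [ "read" ] } ], ordered: true }',
];

console.log(findExposures(sampleLog));
sampleLog.map(redactPwd).forEach((l) => console.log(l));
```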
      

            Assignee: Andreas Nilsson (andreas.nilsson)
            Reporter: Jonathan Abrahams (jonathan.abrahams)
            Votes: 0
            Watchers: 4
