Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-15575

Cannot do cluster actions on mongos despite having clusterAdmin role.

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Done
    • Priority: Icon: Major - P3 Major - P3
    • 2.7.8
    • Affects Version/s: None
    • Component/s: Security
    • Labels:
      None
    • Fully Compatible
    • ALL
    • Hide

      Set up a sharded cluster with auth.

      Add a user with clusterAdmin role.

      Login to the mongos as the user and try cluster actions such as getCmdLineOpts or "show dbs"

      Show
      Set up a sharded cluster with auth. Add a user with clusterAdmin role. Login to the mongos as the user and try cluster actions such as getCmdLineOpts or "show dbs"

      I am unable to execute commands on the cluster resource despite having the clusterAdmin role.

      This is with master git commit 51aebc9b94c272eb251ff94d28be0c6fdd180de8 (binary downloaded from MCI)

      mongos> db.version()
2.7.8-pre-
mongos> db.serverBuildInfo()
{
	"version" : "2.7.8-pre-",
	"gitVersion" : "51aebc9b94c272eb251ff94d28be0c6fdd180de8",
	"OpenSSLVersion" : "",
	"sysInfo" : "Darwin mci-osx108-2.build.10gen.cc 12.3.0 Darwin Kernel Version 12.3.0: Sun Jan  6 22:37:10 PST 2013; root:xnu-2050.22.13~1/RELEASE_X86_64 x86_64 BOOST_LIB_VERSION=1_49",
	"loaderFlags" : "-fPIC -pthread -Wl,-bind_at_load -mmacosx-version-min=10.6",
	"compilerFlags" : "-Wnon-virtual-dtor -Woverloaded-virtual -fPIC -fno-strict-aliasing -ggdb -pthread -Wall -Wsign-compare -Wno-unknown-pragmas -Winvalid-pch -pipe -Werror -O3 -Wno-unused-function -Wno-deprecated-declarations -mmacosx-version-min=10.6",
	"allocator" : "system",
	"versionArray" : [
		2,
		7,
		8,
		-100
	],
	"javascriptEngine" : "V8",
	"bits" : 64,
	"debug" : false,
	"maxBsonObjectSize" : 16777216,
	"ok" : 1
}
mongos> use admin
switched to db admin
mongos> db.auth('testuser', 'testpwd')
1
mongos> db.getUser('testuser')
{
	"_id" : "admin.testuser",
	"user" : "testuser",
	"db" : "admin",
	"roles" : [
		{
			"role" : "clusterAdmin",
			"db" : "admin"
		},
		{
			"role" : "dbAdminAnyDatabase",
			"db" : "admin"
		},
		{
			"role" : "readWriteAnyDatabase",
			"db" : "admin"
		},
		{
			"role" : "userAdminAnyDatabase",
			"db" : "admin"
		}
	]
}
mongos> db.runCommand({getCmdLineOpts: 1})
{
	"ok" : 0,
	"errmsg" : "not authorized on admin to execute command { getCmdLineOpts: 1.0 }",
	"code" : 13
}
mongos> show dbs
2014-10-08T18:33:52.465-0400 listDatabases failed:{
	"ok" : 0,
	"errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
	"code" : 13
} at src/mongo/shell/mongo.js:47
mongos>

      This does not happen with 2.7.7. I don't believe this happens with a replica set without sharding.

      Assigning to andreas.nilsson@10gen.com on suggestion from spencer

            Assignee:
            andreas.nilsson Andreas Nilsson
            Reporter:
            tim.olsen@mongodb.com Timothy Olsen (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated:
              Resolved: