  1. Core Server
  2. SERVER-18359

authentication operations fail on mongos with auditing enabled


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical - P2
    • Resolution: Works as Designed
    • Affects Version/s: 3.0.2
    • Fix Version/s: None
    • Component/s: Security
    • Labels:
      None
    • Operating System:
      ALL
    • Steps To Reproduce:
      1. start a mongos and config server
      2. add a user
      3. restart the mongos with --auditDestination, --auditFormat and --auditPath
      4. attempt to authenticate

      Description

      If you attempt to authenticate on a mongos node with auditing enabled, the authentication attempt will fail. The logs will indicate an error in authentication:

      2015-05-07T05:27:20.715+0000 I ACCESS   [conn2] SCRAM-SHA-1 authentication failed for user on admin from client 127.0.0.1 ; BadValue "impersonatedUsers" is not a valid argument to usersInfo
      

      There does not appear to be any further information in higher verbosity logs.

      The audit log just indicates an 18 on the authentication attempt.

      Additionally, other security or authentication operations are not available if auditing is enabled. Trying to create a user gives a similar error in the shell:

      mongos> db.createUser( { user : "user", pwd : "pword", roles : [ { role : "readWrite", db : "test" } ] } )
      2015-05-07T05:48:00.359+0000 E QUERY    Error: couldn't add user: "impersonatedUsers" is not a valid argument to rolesInfo
          at Error (<anonymous>)
          at DB.createUser (src/mongo/shell/db.js:1066:11)
          at (shell):1:4 at src/mongo/shell/db.js:1066
      

      Note: it is not necessary to enable --keyFile for this to fail; the authentication attempts will give the above error even when no authentication options are given in the config file/command line options.
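      For triage, the sketch below parses mongos log lines in the layout quoted above and separates authentication failures carrying the "impersonatedUsers" signature from all other failures, so they are not counted as bad-password attempts. It is an added example, not code from the ticket or from MongoDB; the function names and category labels are hypothetical, and only the first sample line comes from the ticket (the other two are constructed).

```python
import re
from collections import Counter

# Layout of the mongos log line quoted in the ticket:
#   <timestamp> <severity> <component> [<context>] <message>
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<sev>[A-Z])\s+(?P<comp>\S+)\s+\[(?P<ctx>[^\]]+)\]\s+(?P<msg>.*)$')
AUTH_FAIL_RE = re.compile(
    r'^(?P<mech>\S+) authentication failed for (?P<user>\S+) on (?P<db>\S+) '
    r'from client (?P<client>\S+)\s*;\s*(?P<code>\w+)\s+(?P<reason>.*)$')
# Signature reported in the ticket; the captured group is the rejecting command.
SIGNATURE_RE = re.compile(r'"impersonatedUsers" is not a valid argument to (\w+)')

SAMPLE_LINES = [
    # Log line from the ticket.
    '2015-05-07T05:27:20.715+0000 I ACCESS   [conn2] SCRAM-SHA-1 authentication failed '
    'for user on admin from client 127.0.0.1 ; BadValue "impersonatedUsers" is not a '
    'valid argument to usersInfo',
    # Constructed for this example: a failure without the signature.
    '2015-05-07T05:30:01.002+0000 I ACCESS   [conn3] SCRAM-SHA-1 authentication failed '
    'for user on admin from client 10.0.0.8 ; AuthenticationFailed storedKey mismatch',
    # Constructed for this example: a line that is not an authentication failure.
    '2015-05-07T05:30:02.100+0000 I NETWORK  [mongosMain] connection accepted from 10.0.0.8',
]

def classify(line):
    """Return a dict for an authentication-failure line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m or m.group('comp') != 'ACCESS':
        return None
    a = AUTH_FAIL_RE.match(m.group('msg'))
    if not a:
        return None
    rec = a.groupdict()
    rec['ts'] = m.group('ts')
    hit = SIGNATURE_RE.search(rec['reason'])
    # Labels are hypothetical: the signature marks a rejected command argument,
    # anything else is left uninterpreted.
    rec['kind'] = 'command-argument-error' if hit else 'other-failure'
    rec['command'] = hit.group(1) if hit else None
    return rec

def summarize(lines):
    """Count authentication failures per (kind, client)."""
    return Counter((r['kind'], r['client']) for r in map(classify, lines) if r)

if __name__ == '__main__':
    for key, count in summarize(SAMPLE_LINES).items():
        print(key, count)
```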


              People

              Assignee:
              amalia.hawkins@10gen.com Amalia Hawkins
              Reporter:
              andre.defrere Andre de Frere