Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Done
Priority: Critical - P2
Fix Version/s: None
Affects Version/s: 3.0.4
Component/s: Security
Labels:
None

Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Steps To Reproduce:

Hide

1. Create a user in a database (db.createUser(
{user: "youruser",pwd: "securepassword", roles: [ "read"]}
))
2. Connect to the database : mongo.exe -username youruser -password securepassword databasename
3. use databaseX
4. show collections

Show
1. Create a user in a database (db.createUser( {user: "youruser",pwd: "securepassword", roles: [ "read"]} )) 2. Connect to the database : mongo.exe -username youruser -password securepassword databasename 3. use databaseX 4. show collections
Sprint:
Security 6 07/17/15
CAR Domain/s:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

I'm running MongoDB 3.0, used the upgrade document (http://docs.mongodb.org/manual/release-notes/3.0-upgrade/) and upgraded the storage engine to WiredTiger.

I created a user in 1 of the databases with the read role.

When I connect to the database and select another database it gives me the "Authentication Failed" message. That is ok.

When i connect to the database i created the user in, it connects... But then i can : use <databaseX> and do a show collections. It displays everything from that database (where the user shouldn't have access to), i can even show and modify documents.

Is this a bug, or is there something missing in the migration manual?

Assignee:: Unassigned
Reporter:: Dennis Hoefakker
Participants:: Andreas Nilsson, Dennis Hoefakker
Votes:: 0 Vote for this issue
Watchers:: 2 Start watching this issue

Created:: Jul 08 2015 09:20:12 AM UTC
Updated:: Apr 03 2023 12:56:41 PM UTC
Resolved:: Jul 08 2015 01:51:21 PM UTC

Details

Description

Attachments

Activity

People

Dates