  1. Core Server
  2. SERVER-19324

Restricted user, can see / modify in every database

    • Type: Bug
    • Resolution: Done
    • Priority: Critical - P2
    • None
    • Affects Version/s: 3.0.4
    • Component/s: Security
    • Labels:
      None
    • Fully Compatible
    • ALL
    • 1. Create a user in a database (db.createUser({user: "youruser", pwd: "securepassword", roles: ["read"]}))
      2. Connect to the database: mongo.exe --username youruser --password securepassword databasename
      3. use databaseX
      4. show collections
    • Security 6 07/17/15

      I'm running MongoDB 3.0, used the upgrade document (http://docs.mongodb.org/manual/release-notes/3.0-upgrade/) and upgraded the storage engine to WiredTiger.

      I created a user in 1 of the databases with the read role.

      When I connect to the database and select another database it gives me the "Authentication Failed" message. That is ok.

      When I connect to the database I created the user in, it connects... But then I can: use <databaseX> and do a show collections. It displays everything from that database (where the user shouldn't have access to), I can even show and modify documents.

      Is this a bug, or is there something missing in the migration manual?

            Assignee: Unassigned
            Reporter: dennis@hoefakkr.nl Dennis Hoefakker
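
As an added example (not part of the ticket and not MongoDB's own code), a first triage step for a report like this is to check what the user is actually granted. The function below audits the `inheritedPrivileges` array of a user document in the shape returned by `db.getUser(name, {showPrivileges: true})`; the function name, the read-action allowlist and the sample documents are constructed assumptions.

```javascript
// Added example, not from the ticket. Actions the built-in "read" role is
// assumed to grant (assumption; check the docs for your server version).
const READ_ACTIONS = new Set(["collStats", "dbHash", "dbStats", "find",
  "killCursors", "listCollections", "listIndexes"]);

// Audit a user document shaped like db.getUser(name, {showPrivileges: true})
// output. Returns one finding per privilege that reaches outside `allowedDb`
// or grants more than read actions inside it.
function auditUserScope(userDoc, allowedDb) {
  const findings = [];
  for (const priv of userDoc.inheritedPrivileges || []) {
    const res = priv.resource || {};
    const actions = priv.actions || [];
    let scope = null;
    if (res.anyResource) scope = "any resource";
    else if (res.cluster) scope = "cluster";
    else if (res.db === "") scope = "all databases"; // empty db matches every database
    else if (res.db !== allowedDb) scope = `database ${res.db}`;
    if (scope !== null) {
      findings.push({ kind: "out-of-scope", scope, actions });
      continue;
    }
    const extra = actions.filter((a) => !READ_ACTIONS.has(a));
    if (extra.length > 0) {
      findings.push({ kind: "beyond-read", scope: `database ${res.db}`, actions: extra });
    }
  }
  return findings;
}

// Constructed sample documents (not taken from the ticket).
const expectedUser = {
  user: "youruser", db: "databasename",
  inheritedPrivileges: [
    { resource: { db: "databasename", collection: "" }, actions: [...READ_ACTIONS] },
  ],
};
const overGrantedUser = {
  user: "youruser", db: "databasename",
  inheritedPrivileges: [
    { resource: { db: "", collection: "" }, actions: ["find", "update"] },
    { resource: { db: "databaseX", collection: "" }, actions: ["find"] },
    { resource: { db: "databasename", collection: "" }, actions: ["find", "insert"] },
  ],
};

console.log(auditUserScope(expectedUser, "databasename"));
console.log(JSON.stringify(auditUserScope(overGrantedUser, "databasename"), null, 2));
```

An empty result for a user who can still read or modify other databases points away from the role definition and toward how the server is enforcing it.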