Core Server / SERVER-20308

Unauthorized query generates partial log line in v3.0

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor - P4
    • Resolution: Unresolved
    • Affects Version/s: 2.6.11, 3.0.6
    • Fix Version/s: Backlog
    • Component/s: Logging, Querying
    • Labels:
    • Environment:
      v3.0.6 sharded cluster

      Description

      1. Start up a 3.0.6 sharded cluster

        mlaunch init --sharded 1 --single --auth --port 29070 --smallfiles --config 1
        

      2. Connect to the config server and authenticate
      3. Increase logLevel to 1
      4. Create a new user (modelled on the requirements for Cloud Manager monitoring)

        db.createUser({user:"monitor", pwd:"monitor", roles:[{role:"clusterMonitor", db:"admin"}]})
        

      5. Authenticate as the monitor user and try a query on local.oplog.$main in the config server. It fails, but the log lines are strange:

        configsvr> db.oplog.$main.find().sort({$natural:1}).skip(0).limit(-1)
        Error: error: { "$err" : "not authorized for query on local.oplog.$main", "code" : 13 }
        configsvr> show log
        ...
        2015-09-07T16:06:05.447+1000 [conn12] User Assertion: 13:not authorized for query on admin.oplog.$main
        2015-09-07T16:06:05.448+1000 [conn12] assertion 13 not authorized for query on admin.oplog.$main ns:admin.oplog.$main query:{ query: {}, orderby: { $natural: 1.0 } }
        2015-09-07T16:06:05.448+1000 [conn12]  ntoskip:0 ntoreturn:-1
        2015-09-07T16:06:05.448+1000 [conn12] query  keyUpdates:0 exception: not authorized for query on admin.oplog.$main code:13 numYields:0  reslen:91 0ms
        

        Specifically the last 2 lines, which look like normal query log lines, except without logging the actual query part.

      6. Removing the limit(-1) makes the extra line go away

        configsvr> db.oplog.$main.find().sort({$natural:1}).skip(0)
        ...
        2015-09-07T16:06:49.905+1000 [conn12] User Assertion: 13:not authorized for query on admin.oplog.$main
        2015-09-07T16:06:49.906+1000 [conn12] assertion 13 not authorized for query on admin.oplog.$main ns:admin.oplog.$main query:{ query: {}, orderby: { $natural: 1.0 } }
        2015-09-07T16:06:49.906+1000 [conn12] query  keyUpdates:0 exception: not authorized for query on admin.oplog.$main code:13 numYields:0  reslen:91 0ms
        

      7. Auth as a user that does have permissions to read this collection, and run the original query

        2015-09-07T15:56:47.909+1000 I QUERY    [conn9] query local.oplog.$main query: { query: {}, orderby: { $natural: 1.0 } } planSummary: COLLSCAN ntoskip:0 nscanned:0 nscannedObjects:1 keyUpdates:0 writeConflicts:0 numYields:0 nreturned:1 reslen:64 locks:{ Global: { acquireCount: { r: 2 } }, MMAPV1Journal: { acquireCount: { r: 1 } }, Database: { acquireCount: { r: 1 } }, Collection: { acquireCount: { R: 1 } } } 0ms
        

        ntoreturn is not logged.

            People

            Assignee:
            backlog-server-query Backlog - Query Team
            Reporter:
            joanna.cheng Joanna Cheng
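
For anyone alerting on authorization failures from these logs: the partial `query` line in step 5 carries `code:13` but no namespace or query text, so a per-line parser has to pull them from the preceding `assertion 13` line on the same connection. The sketch below is an added example, not part of the original report or of MongoDB's code; `auth_failures` and the regexes are hypothetical names, and the sample input is copied from the log excerpts in steps 5 and 6.

```python
import re

# Sample input: the config-server log lines quoted in steps 5 and 6 of the report.
SAMPLE = r"""
2015-09-07T16:06:05.447+1000 [conn12] User Assertion: 13:not authorized for query on admin.oplog.$main
2015-09-07T16:06:05.448+1000 [conn12] assertion 13 not authorized for query on admin.oplog.$main ns:admin.oplog.$main query:{ query: {}, orderby: { $natural: 1.0 } }
2015-09-07T16:06:05.448+1000 [conn12]  ntoskip:0 ntoreturn:-1
2015-09-07T16:06:05.448+1000 [conn12] query  keyUpdates:0 exception: not authorized for query on admin.oplog.$main code:13 numYields:0  reslen:91 0ms
2015-09-07T16:06:49.905+1000 [conn12] User Assertion: 13:not authorized for query on admin.oplog.$main
2015-09-07T16:06:49.906+1000 [conn12] assertion 13 not authorized for query on admin.oplog.$main ns:admin.oplog.$main query:{ query: {}, orderby: { $natural: 1.0 } }
2015-09-07T16:06:49.906+1000 [conn12] query  keyUpdates:0 exception: not authorized for query on admin.oplog.$main code:13 numYields:0  reslen:91 0ms
"""

# timestamp, optional "I QUERY"-style severity/component, [connN], message
LINE = re.compile(r"^(\S+)\s+(?:[A-Z]\s+\S+\s+)?\[(\w+)\]\s*(.*)$")
ASSERT = re.compile(r"^assertion 13 .*? ns:(\S+) query:(.*)$")
ORPHAN = re.compile(r"^ntoskip:(-?\d+) ntoreturn:(-?\d+)$")   # the stray line from step 5
SUMMARY_NS = re.compile(r"^query\s+(\S+)\s+query:")          # a complete summary names the ns

def auth_failures(log_text):
    """Rebuild one event per code:13 query from the lines logged for it."""
    pending, events = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, conn, msg = m.groups()
        if a := ASSERT.match(msg):
            # Only this line carries the namespace and the query document.
            pending[conn] = {"conn": conn, "ns": a[1], "query": a[2], "ntoreturn": None}
        elif (o := ORPHAN.match(msg)) and conn in pending:
            pending[conn]["ntoreturn"] = int(o[2])
        elif msg.startswith("query") and "code:13" in msg:
            empty = {"conn": conn, "ns": None, "query": None, "ntoreturn": None}
            ev = pending.pop(conn, empty)
            ns = SUMMARY_NS.match(msg)
            ev["partial_summary"] = ns is None   # True for the lines in this report
            if ns:
                ev["ns"] = ns[1]
            ev["ts"] = ts
            events.append(ev)
    return events

if __name__ == "__main__":
    for event in auth_failures(SAMPLE):
        print(event)
```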