Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-20460

listIndexes on 3.0 mongos with 2.6 mongods returns erroneous "not authorized"

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: 3.0.6
    • Fix Version/s: 3.0.7, 3.1.9
    • Component/s: Security, Sharding
    • Labels:
      None
    • Backwards Compatibility:
      Fully Compatible
    • Operating System:
      ALL
    • Backport Completed:
    • Steps To Reproduce:
      Hide

      With auth (fails):

      $ mlaunch init --sharded 2 --replicaset --nodes 2 --arbiter --smallfiles --oplogSize 10 --binarypath /m/2.6.11/bin --port 24205 --auth
      launching: /m/2.6.11/bin/mongod on port 24206
      launching: /m/2.6.11/bin/mongod on port 24207
      launching: /m/2.6.11/bin/mongod on port 24208
      launching: /m/2.6.11/bin/mongod on port 24209
      launching: /m/2.6.11/bin/mongod on port 24210
      launching: /m/2.6.11/bin/mongod on port 24211
      launching: config server on port 24212
      replica set 'shard01' initialized.
      replica set 'shard02' initialized.
      launching: /m/2.6.11/bin/mongos on port 24205
      adding shards. can take up to 30 seconds...
      8 nodes stopped.
      launching: /m/2.6.11/bin/mongod on port 24206
      launching: /m/2.6.11/bin/mongod on port 24207
      launching: /m/2.6.11/bin/mongod on port 24208
      launching: /m/2.6.11/bin/mongod on port 24209
      launching: /m/2.6.11/bin/mongod on port 24210
      launching: /m/2.6.11/bin/mongod on port 24211
      launching: config server on port 24212
      launching: /m/2.6.11/bin/mongos on port 24205
      $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.test.insert({}))'
      MongoDB shell version: 3.0.6
      connecting to: 127.0.0.1:24205/test
      { "nInserted" : 1 }
      $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.test.ensureIndex({a:1}))'
      MongoDB shell version: 3.0.6
      connecting to: 127.0.0.1:24205/test
      {
              "raw" : {
                      "shard01/genique:24206,genique:24207" : {
                              "createdCollectionAutomatically" : false,
                              "numIndexesBefore" : 1,
                              "numIndexesAfter" : 2,
                              "ok" : 1,
                              "$gleStats" : {
                                      "lastOpTime" : Timestamp(1442426511, 1),
                                      "electionId" : ObjectId("55f9ac98c9c1eb9b892a11eb")
                              }
                      }
              },
              "ok" : 1
      }
      $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(sh.stopBalancer())'
      MongoDB shell version: 3.0.6
      connecting to: 127.0.0.1:24205/test
      Waiting for active hosts...
      Waiting for the balancer lock...
      Waiting again for active hosts after balancer is off...
      undefined
      $ mlaunch stop mongos
      1 node stopped.
      $ mlaunch start mongos --binarypath /m/3.0.6/bin --upgrade
      launching: /m/3.0.6/bin/mongos on port 24205
      $ mlaunch start mongos --binarypath /m/3.0.6/bin
      launching: /m/3.0.6/bin/mongos on port 24205
      **** $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.runCommand({listIndexes:"test"}))'
      **** MongoDB shell version: 3.0.6
      **** connecting to: 127.0.0.1:24205/test
      **** {
      ****         "ok" : 0,
      ****         "errmsg" : "not authorized on test to execute command { listIndexes: \"test\" }",
      ****         "code" : 13
      **** }
      $ /m/3.0.6/bin/mongo --port 24206 -u user -p password --authenticationDatabase admin --eval 'printjson(db.runCommand({listIndexes:"test"}))'
      MongoDB shell version: 3.0.6
      connecting to: 127.0.0.1:24206/test
      {
              "ok" : 0,
              "errmsg" : "no such cmd: listIndexes",
              "code" : 59,
              "bad cmd" : {
                      "listIndexes" : "test"
              }
      }
      $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.system.indexes.find().toArray())'
      MongoDB shell version: 3.0.6
      connecting to: 127.0.0.1:24205/test
      [
              {
                      "v" : 1,
                      "key" : {
                              "_id" : 1
                      },
                      "name" : "_id_",
                      "ns" : "test.test"
              },
              {
                      "v" : 1,
                      "key" : {
                              "a" : 1
                      },
                      "name" : "a_1",
                      "ns" : "test.test"
              }
      ]
      $ /m/3.0.6/bin/mongo --port 24206 -u user -p password --authenticationDatabase admin --eval 'printjson(db.system.indexes.find().toArray())'
      MongoDB shell version: 3.0.6
      connecting to: 127.0.0.1:24206/test
      [
              {
                      "v" : 1,
                      "key" : {
                              "_id" : 1
                      },
                      "name" : "_id_",
                      "ns" : "test.test"
              },
              {
                      "v" : 1,
                      "key" : {
                              "a" : 1
                      },
                      "name" : "a_1",
                      "ns" : "test.test"
              }
      ]
      $ mlaunch stop
      8 nodes stopped.
      $ mlaunch start --binarypath /m/3.0.6/bin
      launching: /m/3.0.6/bin/mongod on port 24206
      launching: /m/3.0.6/bin/mongod on port 24207
      launching: /m/3.0.6/bin/mongod on port 24208
      launching: /m/3.0.6/bin/mongod on port 24209
      launching: /m/3.0.6/bin/mongod on port 24210
      launching: /m/3.0.6/bin/mongod on port 24211
      launching: config server on port 24212
      launching: /m/3.0.6/bin/mongos on port 24205
      $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.runCommand({listIndexes:"test"}))'
      MongoDB shell version: 3.0.6
      connecting to: 127.0.0.1:24205/test
      {
              "cursor" : {
                      "id" : NumberLong(0),
                      "ns" : "test.$cmd.listIndexes.test",
                      "firstBatch" : [
                              {
                                      "v" : 1,
                                      "key" : {
                                              "_id" : 1
                                      },
                                      "name" : "_id_",
                                      "ns" : "test.test"
                              },
                              {
                                      "v" : 1,
                                      "key" : {
                                              "a" : 1
                                      },
                                      "name" : "a_1",
                                      "ns" : "test.test"
                              }
                      ]
              },
              "ok" : 1,
              "$gleStats" : {
                      "lastOpTime" : Timestamp(0, 0),
                      "electionId" : ObjectId("55faf4ec6f07922dc310b0fd")
              }
      }
      

      Without auth (succeeds):

      $ mlaunch kill
      sent signal 15 to 8 processes.
      $ rm -rf data
      $ mlaunch init --sharded 2 --replicaset --nodes 2 --arbiter --smallfiles --oplogSize 10 --binarypath /m/2.6.11/bin --port 24205
      launching: /m/2.6.11/bin/mongod on port 24206
      launching: /m/2.6.11/bin/mongod on port 24207
      launching: /m/2.6.11/bin/mongod on port 24208
      launching: /m/2.6.11/bin/mongod on port 24209
      launching: /m/2.6.11/bin/mongod on port 24210
      launching: /m/2.6.11/bin/mongod on port 24211
      launching: config server on port 24212
      replica set 'shard01' initialized.
      replica set 'shard02' initialized.
      launching: /m/2.6.11/bin/mongos on port 24205
      adding shards. can take up to 30 seconds...
      $ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(db.test.insert({}))'
      MongoDB shell version: 3.0.6
      connecting to: 127.0.0.1:24205/test
      { "nInserted" : 1 }
      $ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(db.test.ensureIndex({a:1}))'
      MongoDB shell version: 3.0.6
      connecting to: 127.0.0.1:24205/test
      {
              "raw" : {
                      "shard01/genique:24206,genique:24207" : {
                              "createdCollectionAutomatically" : false,
                              "numIndexesBefore" : 1,
                              "numIndexesAfter" : 2,
                              "ok" : 1
                      }
              },
              "ok" : 1
      }
      $ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(sh.stopBalancer())'
      MongoDB shell version: 3.0.6
      connecting to: 127.0.0.1:24205/test
      Waiting for active hosts...
      Waiting for the balancer lock...
      Waiting again for active hosts after balancer is off...
      undefined
      $ mlaunch stop mongos
      1 node stopped.
      $ mlaunch start mongos --binarypath /m/3.0.6/bin --upgrade
      launching: /m/3.0.6/bin/mongos on port 24205
      $ mlaunch start mongos --binarypath /m/3.0.6/bin
      launching: /m/3.0.6/bin/mongos on port 24205
      **** $ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(db.runCommand({listIndexes:"test"}))'
      **** MongoDB shell version: 3.0.6
      **** connecting to: 127.0.0.1:24205/test
      **** {
      ****         "cursor" : {
      ****                 "id" : NumberLong(0),
      ****                 "ns" : "test.system.indexes",
      ****                 "firstBatch" : [
      ****                         {
      ****                                 "v" : 1,
      ****                                 "key" : {
      ****                                         "_id" : 1
      ****                                 },
      ****                                 "name" : "_id_",
      ****                                 "ns" : "test.test"
      ****                         },
      ****                         {
      ****                                 "v" : 1,
      ****                                 "key" : {
      ****                                         "a" : 1
      ****                                 },
      ****                                 "name" : "a_1",
      ****                                 "ns" : "test.test"
      ****                         }
      ****                 ]
      ****         },
      ****         "ok" : 1,
      ****         "$gleStats" : {
      ****                 "lastOpTime" : Timestamp(0, 0),
      ****                 "electionId" : ObjectId("55faf27148eb9e505441391c")
      ****         }
      **** }
      $ /m/3.0.6/bin/mongo --port 24206 --eval 'printjson(db.runCommand({listIndexes:"test"}))'
      MongoDB shell version: 3.0.6
      connecting to: 127.0.0.1:24206/test
      {
              "ok" : 0,
              "errmsg" : "no such cmd: listIndexes",
              "code" : 59,
              "bad cmd" : {
                      "listIndexes" : "test"
              }
      }
      $ /m/3.0.6/bin/mongo --port 24206 --eval 'printjson(db.system.indexes.find().toArray())'
      MongoDB shell version: 3.0.6
      connecting to: 127.0.0.1:24206/test
      [
              {
                      "v" : 1,
                      "key" : {
                              "_id" : 1
                      },
                      "name" : "_id_",
                      "ns" : "test.test"
              },
              {
                      "v" : 1,
                      "key" : {
                              "a" : 1
                      },
                      "name" : "a_1",
                      "ns" : "test.test"
              }
      ]
      $ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(db.system.indexes.find().toArray())'
      MongoDB shell version: 3.0.6
      connecting to: 127.0.0.1:24205/test
      [
              {
                      "v" : 1,
                      "key" : {
                              "_id" : 1
                      },
                      "name" : "_id_",
                      "ns" : "test.test"
              },
              {
                      "v" : 1,
                      "key" : {
                              "a" : 1
                      },
                      "name" : "a_1",
                      "ns" : "test.test"
              }
      ]
      

      Show
      With auth (fails): $ mlaunch init --sharded 2 --replicaset --nodes 2 --arbiter --smallfiles --oplogSize 10 --binarypath /m/2.6.11/bin --port 24205 --auth launching: /m/2.6.11/bin/mongod on port 24206 launching: /m/2.6.11/bin/mongod on port 24207 launching: /m/2.6.11/bin/mongod on port 24208 launching: /m/2.6.11/bin/mongod on port 24209 launching: /m/2.6.11/bin/mongod on port 24210 launching: /m/2.6.11/bin/mongod on port 24211 launching: config server on port 24212 replica set 'shard01' initialized. replica set 'shard02' initialized. launching: /m/2.6.11/bin/mongos on port 24205 adding shards. can take up to 30 seconds... 8 nodes stopped. launching: /m/2.6.11/bin/mongod on port 24206 launching: /m/2.6.11/bin/mongod on port 24207 launching: /m/2.6.11/bin/mongod on port 24208 launching: /m/2.6.11/bin/mongod on port 24209 launching: /m/2.6.11/bin/mongod on port 24210 launching: /m/2.6.11/bin/mongod on port 24211 launching: config server on port 24212 launching: /m/2.6.11/bin/mongos on port 24205 $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.test.insert({}))' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test { "nInserted" : 1 } $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.test.ensureIndex({a:1}))' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test { "raw" : { "shard01/genique:24206,genique:24207" : { "createdCollectionAutomatically" : false, "numIndexesBefore" : 1, "numIndexesAfter" : 2, "ok" : 1, "$gleStats" : { "lastOpTime" : Timestamp(1442426511, 1), "electionId" : ObjectId("55f9ac98c9c1eb9b892a11eb") } } }, "ok" : 1 } $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(sh.stopBalancer())' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test Waiting for active hosts... Waiting for the balancer lock... Waiting again for active hosts after balancer is off... undefined $ mlaunch stop mongos 1 node stopped. $ mlaunch start mongos --binarypath /m/3.0.6/bin --upgrade launching: /m/3.0.6/bin/mongos on port 24205 $ mlaunch start mongos --binarypath /m/3.0.6/bin launching: /m/3.0.6/bin/mongos on port 24205 **** $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.runCommand({listIndexes:"test"}))' **** MongoDB shell version: 3.0.6 **** connecting to: 127.0.0.1:24205/test **** { **** "ok" : 0, **** "errmsg" : "not authorized on test to execute command { listIndexes: \"test\" }", **** "code" : 13 **** } $ /m/3.0.6/bin/mongo --port 24206 -u user -p password --authenticationDatabase admin --eval 'printjson(db.runCommand({listIndexes:"test"}))' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24206/test { "ok" : 0, "errmsg" : "no such cmd: listIndexes", "code" : 59, "bad cmd" : { "listIndexes" : "test" } } $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.system.indexes.find().toArray())' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test [ { "v" : 1, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "test.test" }, { "v" : 1, "key" : { "a" : 1 }, "name" : "a_1", "ns" : "test.test" } ] $ /m/3.0.6/bin/mongo --port 24206 -u user -p password --authenticationDatabase admin --eval 'printjson(db.system.indexes.find().toArray())' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24206/test [ { "v" : 1, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "test.test" }, { "v" : 1, "key" : { "a" : 1 }, "name" : "a_1", "ns" : "test.test" } ] $ mlaunch stop 8 nodes stopped. $ mlaunch start --binarypath /m/3.0.6/bin launching: /m/3.0.6/bin/mongod on port 24206 launching: /m/3.0.6/bin/mongod on port 24207 launching: /m/3.0.6/bin/mongod on port 24208 launching: /m/3.0.6/bin/mongod on port 24209 launching: /m/3.0.6/bin/mongod on port 24210 launching: /m/3.0.6/bin/mongod on port 24211 launching: config server on port 24212 launching: /m/3.0.6/bin/mongos on port 24205 $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.runCommand({listIndexes:"test"}))' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test { "cursor" : { "id" : NumberLong(0), "ns" : "test.$cmd.listIndexes.test", "firstBatch" : [ { "v" : 1, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "test.test" }, { "v" : 1, "key" : { "a" : 1 }, "name" : "a_1", "ns" : "test.test" } ] }, "ok" : 1, "$gleStats" : { "lastOpTime" : Timestamp(0, 0), "electionId" : ObjectId("55faf4ec6f07922dc310b0fd") } } Without auth (succeeds): $ mlaunch kill sent signal 15 to 8 processes. $ rm -rf data $ mlaunch init --sharded 2 --replicaset --nodes 2 --arbiter --smallfiles --oplogSize 10 --binarypath /m/2.6.11/bin --port 24205 launching: /m/2.6.11/bin/mongod on port 24206 launching: /m/2.6.11/bin/mongod on port 24207 launching: /m/2.6.11/bin/mongod on port 24208 launching: /m/2.6.11/bin/mongod on port 24209 launching: /m/2.6.11/bin/mongod on port 24210 launching: /m/2.6.11/bin/mongod on port 24211 launching: config server on port 24212 replica set 'shard01' initialized. replica set 'shard02' initialized. launching: /m/2.6.11/bin/mongos on port 24205 adding shards. can take up to 30 seconds... $ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(db.test.insert({}))' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test { "nInserted" : 1 } $ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(db.test.ensureIndex({a:1}))' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test { "raw" : { "shard01/genique:24206,genique:24207" : { "createdCollectionAutomatically" : false, "numIndexesBefore" : 1, "numIndexesAfter" : 2, "ok" : 1 } }, "ok" : 1 } $ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(sh.stopBalancer())' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test Waiting for active hosts... Waiting for the balancer lock... Waiting again for active hosts after balancer is off... undefined $ mlaunch stop mongos 1 node stopped. $ mlaunch start mongos --binarypath /m/3.0.6/bin --upgrade launching: /m/3.0.6/bin/mongos on port 24205 $ mlaunch start mongos --binarypath /m/3.0.6/bin launching: /m/3.0.6/bin/mongos on port 24205 **** $ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(db.runCommand({listIndexes:"test"}))' **** MongoDB shell version: 3.0.6 **** connecting to: 127.0.0.1:24205/test **** { **** "cursor" : { **** "id" : NumberLong(0), **** "ns" : "test.system.indexes", **** "firstBatch" : [ **** { **** "v" : 1, **** "key" : { **** "_id" : 1 **** }, **** "name" : "_id_", **** "ns" : "test.test" **** }, **** { **** "v" : 1, **** "key" : { **** "a" : 1 **** }, **** "name" : "a_1", **** "ns" : "test.test" **** } **** ] **** }, **** "ok" : 1, **** "$gleStats" : { **** "lastOpTime" : Timestamp(0, 0), **** "electionId" : ObjectId("55faf27148eb9e505441391c") **** } **** } $ /m/3.0.6/bin/mongo --port 24206 --eval 'printjson(db.runCommand({listIndexes:"test"}))' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24206/test { "ok" : 0, "errmsg" : "no such cmd: listIndexes", "code" : 59, "bad cmd" : { "listIndexes" : "test" } } $ /m/3.0.6/bin/mongo --port 24206 --eval 'printjson(db.system.indexes.find().toArray())' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24206/test [ { "v" : 1, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "test.test" }, { "v" : 1, "key" : { "a" : 1 }, "name" : "a_1", "ns" : "test.test" } ] $ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(db.system.indexes.find().toArray())' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test [ { "v" : 1, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "test.test" }, { "v" : 1, "key" : { "a" : 1 }, "name" : "a_1", "ns" : "test.test" } ]
    • Sprint:
      Security A 10/09/15

      Description

      During the process of upgrading a 2.6 cluster (with auth) to 3.0, there is a period of time where the system is running with 3.0 mongoses and 2.6 shards.

      While in this state, if the listIndexes (new in 3.0) command is sent to the mongos, then if auth is disabled it will return correct results, but if auth is on it will fail with "not authorized" (even though the authenticated user has the correct privs).

      It seems that this is because the mongos is misinterpreting the "command not found" it is getting back from the shards when it runs listIndexes on them, and not realising that it needs to downconvert to querying system.indexes.

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                8 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: