listIndexes on 3.0 mongos with 2.6 mongods returns erroneous "not authorized"

XMLWordPrintableJSON

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • 3.0.7, 3.1.9
    • Affects Version/s: 3.0.6
    • Component/s: Security, Sharding
    • None
    • Fully Compatible
    • ALL
    • Hide

      With auth (fails):

      $ mlaunch init --sharded 2 --replicaset --nodes 2 --arbiter --smallfiles --oplogSize 10 --binarypath /m/2.6.11/bin --port 24205 --auth
launching: /m/2.6.11/bin/mongod on port 24206
launching: /m/2.6.11/bin/mongod on port 24207
launching: /m/2.6.11/bin/mongod on port 24208
launching: /m/2.6.11/bin/mongod on port 24209
launching: /m/2.6.11/bin/mongod on port 24210
launching: /m/2.6.11/bin/mongod on port 24211
launching: config server on port 24212
replica set 'shard01' initialized.
replica set 'shard02' initialized.
launching: /m/2.6.11/bin/mongos on port 24205
adding shards. can take up to 30 seconds...
8 nodes stopped.
launching: /m/2.6.11/bin/mongod on port 24206
launching: /m/2.6.11/bin/mongod on port 24207
launching: /m/2.6.11/bin/mongod on port 24208
launching: /m/2.6.11/bin/mongod on port 24209
launching: /m/2.6.11/bin/mongod on port 24210
launching: /m/2.6.11/bin/mongod on port 24211
launching: config server on port 24212
launching: /m/2.6.11/bin/mongos on port 24205
$ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.test.insert({}))'
MongoDB shell version: 3.0.6
connecting to: 127.0.0.1:24205/test
{ "nInserted" : 1 }
$ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.test.ensureIndex({a:1}))'
MongoDB shell version: 3.0.6
connecting to: 127.0.0.1:24205/test
{
        "raw" : {
                "shard01/genique:24206,genique:24207" : {
                        "createdCollectionAutomatically" : false,
                        "numIndexesBefore" : 1,
                        "numIndexesAfter" : 2,
                        "ok" : 1,
                        "$gleStats" : {
                                "lastOpTime" : Timestamp(1442426511, 1),
                                "electionId" : ObjectId("55f9ac98c9c1eb9b892a11eb")
                        }
                }
        },
        "ok" : 1
}
$ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(sh.stopBalancer())'
MongoDB shell version: 3.0.6
connecting to: 127.0.0.1:24205/test
Waiting for active hosts...
Waiting for the balancer lock...
Waiting again for active hosts after balancer is off...
undefined
$ mlaunch stop mongos
1 node stopped.
$ mlaunch start mongos --binarypath /m/3.0.6/bin --upgrade
launching: /m/3.0.6/bin/mongos on port 24205
$ mlaunch start mongos --binarypath /m/3.0.6/bin
launching: /m/3.0.6/bin/mongos on port 24205
**** $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.runCommand({listIndexes:"test"}))'
**** MongoDB shell version: 3.0.6
**** connecting to: 127.0.0.1:24205/test
**** {
****         "ok" : 0,
****         "errmsg" : "not authorized on test to execute command { listIndexes: \"test\" }",
****         "code" : 13
**** }
$ /m/3.0.6/bin/mongo --port 24206 -u user -p password --authenticationDatabase admin --eval 'printjson(db.runCommand({listIndexes:"test"}))'
MongoDB shell version: 3.0.6
connecting to: 127.0.0.1:24206/test
{
        "ok" : 0,
        "errmsg" : "no such cmd: listIndexes",
        "code" : 59,
        "bad cmd" : {
                "listIndexes" : "test"
        }
}
$ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.system.indexes.find().toArray())'
MongoDB shell version: 3.0.6
connecting to: 127.0.0.1:24205/test
[
        {
                "v" : 1,
                "key" : {
                        "_id" : 1
                },
                "name" : "_id_",
                "ns" : "test.test"
        },
        {
                "v" : 1,
                "key" : {
                        "a" : 1
                },
                "name" : "a_1",
                "ns" : "test.test"
        }
]
$ /m/3.0.6/bin/mongo --port 24206 -u user -p password --authenticationDatabase admin --eval 'printjson(db.system.indexes.find().toArray())'
MongoDB shell version: 3.0.6
connecting to: 127.0.0.1:24206/test
[
        {
                "v" : 1,
                "key" : {
                        "_id" : 1
                },
                "name" : "_id_",
                "ns" : "test.test"
        },
        {
                "v" : 1,
                "key" : {
                        "a" : 1
                },
                "name" : "a_1",
                "ns" : "test.test"
        }
]
$ mlaunch stop
8 nodes stopped.
$ mlaunch start --binarypath /m/3.0.6/bin
launching: /m/3.0.6/bin/mongod on port 24206
launching: /m/3.0.6/bin/mongod on port 24207
launching: /m/3.0.6/bin/mongod on port 24208
launching: /m/3.0.6/bin/mongod on port 24209
launching: /m/3.0.6/bin/mongod on port 24210
launching: /m/3.0.6/bin/mongod on port 24211
launching: config server on port 24212
launching: /m/3.0.6/bin/mongos on port 24205
$ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.runCommand({listIndexes:"test"}))'
MongoDB shell version: 3.0.6
connecting to: 127.0.0.1:24205/test
{
        "cursor" : {
                "id" : NumberLong(0),
                "ns" : "test.$cmd.listIndexes.test",
                "firstBatch" : [
                        {
                                "v" : 1,
                                "key" : {
                                        "_id" : 1
                                },
                                "name" : "_id_",
                                "ns" : "test.test"
                        },
                        {
                                "v" : 1,
                                "key" : {
                                        "a" : 1
                                },
                                "name" : "a_1",
                                "ns" : "test.test"
                        }
                ]
        },
        "ok" : 1,
        "$gleStats" : {
                "lastOpTime" : Timestamp(0, 0),
                "electionId" : ObjectId("55faf4ec6f07922dc310b0fd")
        }
}

      Without auth (succeeds):

      $ mlaunch kill
sent signal 15 to 8 processes.
$ rm -rf data
$ mlaunch init --sharded 2 --replicaset --nodes 2 --arbiter --smallfiles --oplogSize 10 --binarypath /m/2.6.11/bin --port 24205
launching: /m/2.6.11/bin/mongod on port 24206
launching: /m/2.6.11/bin/mongod on port 24207
launching: /m/2.6.11/bin/mongod on port 24208
launching: /m/2.6.11/bin/mongod on port 24209
launching: /m/2.6.11/bin/mongod on port 24210
launching: /m/2.6.11/bin/mongod on port 24211
launching: config server on port 24212
replica set 'shard01' initialized.
replica set 'shard02' initialized.
launching: /m/2.6.11/bin/mongos on port 24205
adding shards. can take up to 30 seconds...
$ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(db.test.insert({}))'
MongoDB shell version: 3.0.6
connecting to: 127.0.0.1:24205/test
{ "nInserted" : 1 }
$ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(db.test.ensureIndex({a:1}))'
MongoDB shell version: 3.0.6
connecting to: 127.0.0.1:24205/test
{
        "raw" : {
                "shard01/genique:24206,genique:24207" : {
                        "createdCollectionAutomatically" : false,
                        "numIndexesBefore" : 1,
                        "numIndexesAfter" : 2,
                        "ok" : 1
                }
        },
        "ok" : 1
}
$ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(sh.stopBalancer())'
MongoDB shell version: 3.0.6
connecting to: 127.0.0.1:24205/test
Waiting for active hosts...
Waiting for the balancer lock...
Waiting again for active hosts after balancer is off...
undefined
$ mlaunch stop mongos
1 node stopped.
$ mlaunch start mongos --binarypath /m/3.0.6/bin --upgrade
launching: /m/3.0.6/bin/mongos on port 24205
$ mlaunch start mongos --binarypath /m/3.0.6/bin
launching: /m/3.0.6/bin/mongos on port 24205
**** $ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(db.runCommand({listIndexes:"test"}))'
**** MongoDB shell version: 3.0.6
**** connecting to: 127.0.0.1:24205/test
**** {
****         "cursor" : {
****                 "id" : NumberLong(0),
****                 "ns" : "test.system.indexes",
****                 "firstBatch" : [
****                         {
****                                 "v" : 1,
****                                 "key" : {
****                                         "_id" : 1
****                                 },
****                                 "name" : "_id_",
****                                 "ns" : "test.test"
****                         },
****                         {
****                                 "v" : 1,
****                                 "key" : {
****                                         "a" : 1
****                                 },
****                                 "name" : "a_1",
****                                 "ns" : "test.test"
****                         }
****                 ]
****         },
****         "ok" : 1,
****         "$gleStats" : {
****                 "lastOpTime" : Timestamp(0, 0),
****                 "electionId" : ObjectId("55faf27148eb9e505441391c")
****         }
**** }
$ /m/3.0.6/bin/mongo --port 24206 --eval 'printjson(db.runCommand({listIndexes:"test"}))'
MongoDB shell version: 3.0.6
connecting to: 127.0.0.1:24206/test
{
        "ok" : 0,
        "errmsg" : "no such cmd: listIndexes",
        "code" : 59,
        "bad cmd" : {
                "listIndexes" : "test"
        }
}
$ /m/3.0.6/bin/mongo --port 24206 --eval 'printjson(db.system.indexes.find().toArray())'
MongoDB shell version: 3.0.6
connecting to: 127.0.0.1:24206/test
[
        {
                "v" : 1,
                "key" : {
                        "_id" : 1
                },
                "name" : "_id_",
                "ns" : "test.test"
        },
        {
                "v" : 1,
                "key" : {
                        "a" : 1
                },
                "name" : "a_1",
                "ns" : "test.test"
        }
]
$ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(db.system.indexes.find().toArray())'
MongoDB shell version: 3.0.6
connecting to: 127.0.0.1:24205/test
[
        {
                "v" : 1,
                "key" : {
                        "_id" : 1
                },
                "name" : "_id_",
                "ns" : "test.test"
        },
        {
                "v" : 1,
                "key" : {
                        "a" : 1
                },
                "name" : "a_1",
                "ns" : "test.test"
        }
]
      Show
      With auth (fails): $ mlaunch init --sharded 2 --replicaset --nodes 2 --arbiter --smallfiles --oplogSize 10 --binarypath /m/2.6.11/bin --port 24205 --auth launching: /m/2.6.11/bin/mongod on port 24206 launching: /m/2.6.11/bin/mongod on port 24207 launching: /m/2.6.11/bin/mongod on port 24208 launching: /m/2.6.11/bin/mongod on port 24209 launching: /m/2.6.11/bin/mongod on port 24210 launching: /m/2.6.11/bin/mongod on port 24211 launching: config server on port 24212 replica set 'shard01' initialized. replica set 'shard02' initialized. launching: /m/2.6.11/bin/mongos on port 24205 adding shards. can take up to 30 seconds... 8 nodes stopped. launching: /m/2.6.11/bin/mongod on port 24206 launching: /m/2.6.11/bin/mongod on port 24207 launching: /m/2.6.11/bin/mongod on port 24208 launching: /m/2.6.11/bin/mongod on port 24209 launching: /m/2.6.11/bin/mongod on port 24210 launching: /m/2.6.11/bin/mongod on port 24211 launching: config server on port 24212 launching: /m/2.6.11/bin/mongos on port 24205 $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.test.insert({}))' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test { "nInserted" : 1 } $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.test.ensureIndex({a:1}))' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test { "raw" : { "shard01/genique:24206,genique:24207" : { "createdCollectionAutomatically" : false, "numIndexesBefore" : 1, "numIndexesAfter" : 2, "ok" : 1, "$gleStats" : { "lastOpTime" : Timestamp(1442426511, 1), "electionId" : ObjectId("55f9ac98c9c1eb9b892a11eb") } } }, "ok" : 1 } $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(sh.stopBalancer())' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test Waiting for active hosts... Waiting for the balancer lock... Waiting again for active hosts after balancer is off... undefined $ mlaunch stop mongos 1 node stopped. $ mlaunch start mongos --binarypath /m/3.0.6/bin --upgrade launching: /m/3.0.6/bin/mongos on port 24205 $ mlaunch start mongos --binarypath /m/3.0.6/bin launching: /m/3.0.6/bin/mongos on port 24205 **** $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.runCommand({listIndexes:"test"}))' **** MongoDB shell version: 3.0.6 **** connecting to: 127.0.0.1:24205/test **** { **** "ok" : 0, **** "errmsg" : "not authorized on test to execute command { listIndexes: \"test\" }", **** "code" : 13 **** } $ /m/3.0.6/bin/mongo --port 24206 -u user -p password --authenticationDatabase admin --eval 'printjson(db.runCommand({listIndexes:"test"}))' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24206/test { "ok" : 0, "errmsg" : "no such cmd: listIndexes", "code" : 59, "bad cmd" : { "listIndexes" : "test" } } $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.system.indexes.find().toArray())' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test [ { "v" : 1, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "test.test" }, { "v" : 1, "key" : { "a" : 1 }, "name" : "a_1", "ns" : "test.test" } ] $ /m/3.0.6/bin/mongo --port 24206 -u user -p password --authenticationDatabase admin --eval 'printjson(db.system.indexes.find().toArray())' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24206/test [ { "v" : 1, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "test.test" }, { "v" : 1, "key" : { "a" : 1 }, "name" : "a_1", "ns" : "test.test" } ] $ mlaunch stop 8 nodes stopped. $ mlaunch start --binarypath /m/3.0.6/bin launching: /m/3.0.6/bin/mongod on port 24206 launching: /m/3.0.6/bin/mongod on port 24207 launching: /m/3.0.6/bin/mongod on port 24208 launching: /m/3.0.6/bin/mongod on port 24209 launching: /m/3.0.6/bin/mongod on port 24210 launching: /m/3.0.6/bin/mongod on port 24211 launching: config server on port 24212 launching: /m/3.0.6/bin/mongos on port 24205 $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.runCommand({listIndexes:"test"}))' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test { "cursor" : { "id" : NumberLong(0), "ns" : "test.$cmd.listIndexes.test", "firstBatch" : [ { "v" : 1, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "test.test" }, { "v" : 1, "key" : { "a" : 1 }, "name" : "a_1", "ns" : "test.test" } ] }, "ok" : 1, "$gleStats" : { "lastOpTime" : Timestamp(0, 0), "electionId" : ObjectId("55faf4ec6f07922dc310b0fd") } } Without auth (succeeds): $ mlaunch kill sent signal 15 to 8 processes. $ rm -rf data $ mlaunch init --sharded 2 --replicaset --nodes 2 --arbiter --smallfiles --oplogSize 10 --binarypath /m/2.6.11/bin --port 24205 launching: /m/2.6.11/bin/mongod on port 24206 launching: /m/2.6.11/bin/mongod on port 24207 launching: /m/2.6.11/bin/mongod on port 24208 launching: /m/2.6.11/bin/mongod on port 24209 launching: /m/2.6.11/bin/mongod on port 24210 launching: /m/2.6.11/bin/mongod on port 24211 launching: config server on port 24212 replica set 'shard01' initialized. replica set 'shard02' initialized. launching: /m/2.6.11/bin/mongos on port 24205 adding shards. can take up to 30 seconds... $ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(db.test.insert({}))' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test { "nInserted" : 1 } $ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(db.test.ensureIndex({a:1}))' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test { "raw" : { "shard01/genique:24206,genique:24207" : { "createdCollectionAutomatically" : false, "numIndexesBefore" : 1, "numIndexesAfter" : 2, "ok" : 1 } }, "ok" : 1 } $ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(sh.stopBalancer())' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test Waiting for active hosts... Waiting for the balancer lock... Waiting again for active hosts after balancer is off... undefined $ mlaunch stop mongos 1 node stopped. $ mlaunch start mongos --binarypath /m/3.0.6/bin --upgrade launching: /m/3.0.6/bin/mongos on port 24205 $ mlaunch start mongos --binarypath /m/3.0.6/bin launching: /m/3.0.6/bin/mongos on port 24205 **** $ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(db.runCommand({listIndexes:"test"}))' **** MongoDB shell version: 3.0.6 **** connecting to: 127.0.0.1:24205/test **** { **** "cursor" : { **** "id" : NumberLong(0), **** "ns" : "test.system.indexes", **** "firstBatch" : [ **** { **** "v" : 1, **** "key" : { **** "_id" : 1 **** }, **** "name" : "_id_", **** "ns" : "test.test" **** }, **** { **** "v" : 1, **** "key" : { **** "a" : 1 **** }, **** "name" : "a_1", **** "ns" : "test.test" **** } **** ] **** }, **** "ok" : 1, **** "$gleStats" : { **** "lastOpTime" : Timestamp(0, 0), **** "electionId" : ObjectId("55faf27148eb9e505441391c") **** } **** } $ /m/3.0.6/bin/mongo --port 24206 --eval 'printjson(db.runCommand({listIndexes:"test"}))' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24206/test { "ok" : 0, "errmsg" : "no such cmd: listIndexes", "code" : 59, "bad cmd" : { "listIndexes" : "test" } } $ /m/3.0.6/bin/mongo --port 24206 --eval 'printjson(db.system.indexes.find().toArray())' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24206/test [ { "v" : 1, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "test.test" }, { "v" : 1, "key" : { "a" : 1 }, "name" : "a_1", "ns" : "test.test" } ] $ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(db.system.indexes.find().toArray())' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test [ { "v" : 1, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "test.test" }, { "v" : 1, "key" : { "a" : 1 }, "name" : "a_1", "ns" : "test.test" } ]
    • Security A 10/09/15
    • None
    • None
    • None
    • None
    • None
    • None
    • None

      During the process of upgrading a 2.6 cluster (with auth) to 3.0, there is a period of time where the system is running with 3.0 mongoses and 2.6 shards.

      While in this state, if the listIndexes (new in 3.0) command is sent to the mongos, then if auth is disabled it will return correct results, but if auth is on it will fail with "not authorized" (even though the authenticated user has the correct privs).

      It seems that this is because the mongos is misinterpreting the "command not found" it is getting back from the shards when it runs listIndexes on them, and not realising that it needs to downconvert to querying system.indexes.

            Assignee:
            Andreas Nilsson (Inactive)
            Reporter:
            Kevin Pulo
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Created:
              Updated:
              Resolved: