Loading...

Type: Bug
Resolution: Done
Priority: Major - P3
Fix Version/s: 3.0.7, 3.1.9
Affects Version/s: 3.0.6
Component/s: Security, Sharding
Labels:
None

Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Backport Completed:

3.0.7
Steps To Reproduce:
Hide

With auth (fails):

$ mlaunch init --sharded 2 --replicaset --nodes 2 --arbiter --smallfiles --oplogSize 10 --binarypath /m/2.6.11/bin --port 24205 --auth launching: /m/2.6.11/bin/mongod on port 24206 launching: /m/2.6.11/bin/mongod on port 24207 launching: /m/2.6.11/bin/mongod on port 24208 launching: /m/2.6.11/bin/mongod on port 24209 launching: /m/2.6.11/bin/mongod on port 24210 launching: /m/2.6.11/bin/mongod on port 24211 launching: config server on port 24212 replica set 'shard01' initialized. replica set 'shard02' initialized. launching: /m/2.6.11/bin/mongos on port 24205 adding shards. can take up to 30 seconds... 8 nodes stopped. launching: /m/2.6.11/bin/mongod on port 24206 launching: /m/2.6.11/bin/mongod on port 24207 launching: /m/2.6.11/bin/mongod on port 24208 launching: /m/2.6.11/bin/mongod on port 24209 launching: /m/2.6.11/bin/mongod on port 24210 launching: /m/2.6.11/bin/mongod on port 24211 launching: config server on port 24212 launching: /m/2.6.11/bin/mongos on port 24205 $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.test.insert({}))' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test { "nInserted" : 1 } $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.test.ensureIndex({a:1}))' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test { "raw" : { "shard01/genique:24206,genique:24207" : { "createdCollectionAutomatically" : false, "numIndexesBefore" : 1, "numIndexesAfter" : 2, "ok" : 1, "$gleStats" : { "lastOpTime" : Timestamp(1442426511, 1), "electionId" : ObjectId("55f9ac98c9c1eb9b892a11eb") } } }, "ok" : 1 } $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(sh.stopBalancer())' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test Waiting for active hosts... Waiting for the balancer lock... Waiting again for active hosts after balancer is off... undefined $ mlaunch stop mongos 1 node stopped. $ mlaunch start mongos --binarypath /m/3.0.6/bin --upgrade launching: /m/3.0.6/bin/mongos on port 24205 $ mlaunch start mongos --binarypath /m/3.0.6/bin launching: /m/3.0.6/bin/mongos on port 24205 **** $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.runCommand({listIndexes:"test"}))' **** MongoDB shell version: 3.0.6 **** connecting to: 127.0.0.1:24205/test **** { **** "ok" : 0, **** "errmsg" : "not authorized on test to execute command { listIndexes: \"test\" }", **** "code" : 13 **** } $ /m/3.0.6/bin/mongo --port 24206 -u user -p password --authenticationDatabase admin --eval 'printjson(db.runCommand({listIndexes:"test"}))' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24206/test { "ok" : 0, "errmsg" : "no such cmd: listIndexes", "code" : 59, "bad cmd" : { "listIndexes" : "test" } } $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.system.indexes.find().toArray())' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test [ { "v" : 1, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "test.test" }, { "v" : 1, "key" : { "a" : 1 }, "name" : "a_1", "ns" : "test.test" } ] $ /m/3.0.6/bin/mongo --port 24206 -u user -p password --authenticationDatabase admin --eval 'printjson(db.system.indexes.find().toArray())' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24206/test [ { "v" : 1, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "test.test" }, { "v" : 1, "key" : { "a" : 1 }, "name" : "a_1", "ns" : "test.test" } ] $ mlaunch stop 8 nodes stopped. $ mlaunch start --binarypath /m/3.0.6/bin launching: /m/3.0.6/bin/mongod on port 24206 launching: /m/3.0.6/bin/mongod on port 24207 launching: /m/3.0.6/bin/mongod on port 24208 launching: /m/3.0.6/bin/mongod on port 24209 launching: /m/3.0.6/bin/mongod on port 24210 launching: /m/3.0.6/bin/mongod on port 24211 launching: config server on port 24212 launching: /m/3.0.6/bin/mongos on port 24205 $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.runCommand({listIndexes:"test"}))' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test { "cursor" : { "id" : NumberLong(0), "ns" : "test.$cmd.listIndexes.test", "firstBatch" : [ { "v" : 1, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "test.test" }, { "v" : 1, "key" : { "a" : 1 }, "name" : "a_1", "ns" : "test.test" } ] }, "ok" : 1, "$gleStats" : { "lastOpTime" : Timestamp(0, 0), "electionId" : ObjectId("55faf4ec6f07922dc310b0fd") } }

Without auth (succeeds):

$ mlaunch kill sent signal 15 to 8 processes. $ rm -rf data $ mlaunch init --sharded 2 --replicaset --nodes 2 --arbiter --smallfiles --oplogSize 10 --binarypath /m/2.6.11/bin --port 24205 launching: /m/2.6.11/bin/mongod on port 24206 launching: /m/2.6.11/bin/mongod on port 24207 launching: /m/2.6.11/bin/mongod on port 24208 launching: /m/2.6.11/bin/mongod on port 24209 launching: /m/2.6.11/bin/mongod on port 24210 launching: /m/2.6.11/bin/mongod on port 24211 launching: config server on port 24212 replica set 'shard01' initialized. replica set 'shard02' initialized. launching: /m/2.6.11/bin/mongos on port 24205 adding shards. can take up to 30 seconds... $ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(db.test.insert({}))' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test { "nInserted" : 1 } $ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(db.test.ensureIndex({a:1}))' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test { "raw" : { "shard01/genique:24206,genique:24207" : { "createdCollectionAutomatically" : false, "numIndexesBefore" : 1, "numIndexesAfter" : 2, "ok" : 1 } }, "ok" : 1 } $ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(sh.stopBalancer())' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test Waiting for active hosts... Waiting for the balancer lock... Waiting again for active hosts after balancer is off... undefined $ mlaunch stop mongos 1 node stopped. $ mlaunch start mongos --binarypath /m/3.0.6/bin --upgrade launching: /m/3.0.6/bin/mongos on port 24205 $ mlaunch start mongos --binarypath /m/3.0.6/bin launching: /m/3.0.6/bin/mongos on port 24205 **** $ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(db.runCommand({listIndexes:"test"}))' **** MongoDB shell version: 3.0.6 **** connecting to: 127.0.0.1:24205/test **** { **** "cursor" : { **** "id" : NumberLong(0), **** "ns" : "test.system.indexes", **** "firstBatch" : [ **** { **** "v" : 1, **** "key" : { **** "_id" : 1 **** }, **** "name" : "_id_", **** "ns" : "test.test" **** }, **** { **** "v" : 1, **** "key" : { **** "a" : 1 **** }, **** "name" : "a_1", **** "ns" : "test.test" **** } **** ] **** }, **** "ok" : 1, **** "$gleStats" : { **** "lastOpTime" : Timestamp(0, 0), **** "electionId" : ObjectId("55faf27148eb9e505441391c") **** } **** } $ /m/3.0.6/bin/mongo --port 24206 --eval 'printjson(db.runCommand({listIndexes:"test"}))' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24206/test { "ok" : 0, "errmsg" : "no such cmd: listIndexes", "code" : 59, "bad cmd" : { "listIndexes" : "test" } } $ /m/3.0.6/bin/mongo --port 24206 --eval 'printjson(db.system.indexes.find().toArray())' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24206/test [ { "v" : 1, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "test.test" }, { "v" : 1, "key" : { "a" : 1 }, "name" : "a_1", "ns" : "test.test" } ] $ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(db.system.indexes.find().toArray())' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test [ { "v" : 1, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "test.test" }, { "v" : 1, "key" : { "a" : 1 }, "name" : "a_1", "ns" : "test.test" } ]
Show
With auth (fails): $ mlaunch init --sharded 2 --replicaset --nodes 2 --arbiter --smallfiles --oplogSize 10 --binarypath /m/2.6.11/bin --port 24205 --auth launching: /m/2.6.11/bin/mongod on port 24206 launching: /m/2.6.11/bin/mongod on port 24207 launching: /m/2.6.11/bin/mongod on port 24208 launching: /m/2.6.11/bin/mongod on port 24209 launching: /m/2.6.11/bin/mongod on port 24210 launching: /m/2.6.11/bin/mongod on port 24211 launching: config server on port 24212 replica set 'shard01' initialized. replica set 'shard02' initialized. launching: /m/2.6.11/bin/mongos on port 24205 adding shards. can take up to 30 seconds... 8 nodes stopped. launching: /m/2.6.11/bin/mongod on port 24206 launching: /m/2.6.11/bin/mongod on port 24207 launching: /m/2.6.11/bin/mongod on port 24208 launching: /m/2.6.11/bin/mongod on port 24209 launching: /m/2.6.11/bin/mongod on port 24210 launching: /m/2.6.11/bin/mongod on port 24211 launching: config server on port 24212 launching: /m/2.6.11/bin/mongos on port 24205 $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.test.insert({}))' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test { "nInserted" : 1 } $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.test.ensureIndex({a:1}))' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test { "raw" : { "shard01/genique:24206,genique:24207" : { "createdCollectionAutomatically" : false, "numIndexesBefore" : 1, "numIndexesAfter" : 2, "ok" : 1, "$gleStats" : { "lastOpTime" : Timestamp(1442426511, 1), "electionId" : ObjectId("55f9ac98c9c1eb9b892a11eb") } } }, "ok" : 1 } $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(sh.stopBalancer())' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test Waiting for active hosts... Waiting for the balancer lock... Waiting again for active hosts after balancer is off... undefined $ mlaunch stop mongos 1 node stopped. $ mlaunch start mongos --binarypath /m/3.0.6/bin --upgrade launching: /m/3.0.6/bin/mongos on port 24205 $ mlaunch start mongos --binarypath /m/3.0.6/bin launching: /m/3.0.6/bin/mongos on port 24205 **** $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.runCommand({listIndexes:"test"}))' **** MongoDB shell version: 3.0.6 **** connecting to: 127.0.0.1:24205/test **** { **** "ok" : 0, **** "errmsg" : "not authorized on test to execute command { listIndexes: \"test\" }", **** "code" : 13 **** } $ /m/3.0.6/bin/mongo --port 24206 -u user -p password --authenticationDatabase admin --eval 'printjson(db.runCommand({listIndexes:"test"}))' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24206/test { "ok" : 0, "errmsg" : "no such cmd: listIndexes", "code" : 59, "bad cmd" : { "listIndexes" : "test" } } $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.system.indexes.find().toArray())' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test [ { "v" : 1, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "test.test" }, { "v" : 1, "key" : { "a" : 1 }, "name" : "a_1", "ns" : "test.test" } ] $ /m/3.0.6/bin/mongo --port 24206 -u user -p password --authenticationDatabase admin --eval 'printjson(db.system.indexes.find().toArray())' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24206/test [ { "v" : 1, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "test.test" }, { "v" : 1, "key" : { "a" : 1 }, "name" : "a_1", "ns" : "test.test" } ] $ mlaunch stop 8 nodes stopped. $ mlaunch start --binarypath /m/3.0.6/bin launching: /m/3.0.6/bin/mongod on port 24206 launching: /m/3.0.6/bin/mongod on port 24207 launching: /m/3.0.6/bin/mongod on port 24208 launching: /m/3.0.6/bin/mongod on port 24209 launching: /m/3.0.6/bin/mongod on port 24210 launching: /m/3.0.6/bin/mongod on port 24211 launching: config server on port 24212 launching: /m/3.0.6/bin/mongos on port 24205 $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.runCommand({listIndexes:"test"}))' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test { "cursor" : { "id" : NumberLong(0), "ns" : "test.$cmd.listIndexes.test", "firstBatch" : [ { "v" : 1, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "test.test" }, { "v" : 1, "key" : { "a" : 1 }, "name" : "a_1", "ns" : "test.test" } ] }, "ok" : 1, "$gleStats" : { "lastOpTime" : Timestamp(0, 0), "electionId" : ObjectId("55faf4ec6f07922dc310b0fd") } } Without auth (succeeds): $ mlaunch kill sent signal 15 to 8 processes. $ rm -rf data $ mlaunch init --sharded 2 --replicaset --nodes 2 --arbiter --smallfiles --oplogSize 10 --binarypath /m/2.6.11/bin --port 24205 launching: /m/2.6.11/bin/mongod on port 24206 launching: /m/2.6.11/bin/mongod on port 24207 launching: /m/2.6.11/bin/mongod on port 24208 launching: /m/2.6.11/bin/mongod on port 24209 launching: /m/2.6.11/bin/mongod on port 24210 launching: /m/2.6.11/bin/mongod on port 24211 launching: config server on port 24212 replica set 'shard01' initialized. replica set 'shard02' initialized. launching: /m/2.6.11/bin/mongos on port 24205 adding shards. can take up to 30 seconds... $ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(db.test.insert({}))' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test { "nInserted" : 1 } $ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(db.test.ensureIndex({a:1}))' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test { "raw" : { "shard01/genique:24206,genique:24207" : { "createdCollectionAutomatically" : false, "numIndexesBefore" : 1, "numIndexesAfter" : 2, "ok" : 1 } }, "ok" : 1 } $ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(sh.stopBalancer())' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test Waiting for active hosts... Waiting for the balancer lock... Waiting again for active hosts after balancer is off... undefined $ mlaunch stop mongos 1 node stopped. $ mlaunch start mongos --binarypath /m/3.0.6/bin --upgrade launching: /m/3.0.6/bin/mongos on port 24205 $ mlaunch start mongos --binarypath /m/3.0.6/bin launching: /m/3.0.6/bin/mongos on port 24205 **** $ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(db.runCommand({listIndexes:"test"}))' **** MongoDB shell version: 3.0.6 **** connecting to: 127.0.0.1:24205/test **** { **** "cursor" : { **** "id" : NumberLong(0), **** "ns" : "test.system.indexes", **** "firstBatch" : [ **** { **** "v" : 1, **** "key" : { **** "_id" : 1 **** }, **** "name" : "_id_", **** "ns" : "test.test" **** }, **** { **** "v" : 1, **** "key" : { **** "a" : 1 **** }, **** "name" : "a_1", **** "ns" : "test.test" **** } **** ] **** }, **** "ok" : 1, **** "$gleStats" : { **** "lastOpTime" : Timestamp(0, 0), **** "electionId" : ObjectId("55faf27148eb9e505441391c") **** } **** } $ /m/3.0.6/bin/mongo --port 24206 --eval 'printjson(db.runCommand({listIndexes:"test"}))' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24206/test { "ok" : 0, "errmsg" : "no such cmd: listIndexes", "code" : 59, "bad cmd" : { "listIndexes" : "test" } } $ /m/3.0.6/bin/mongo --port 24206 --eval 'printjson(db.system.indexes.find().toArray())' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24206/test [ { "v" : 1, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "test.test" }, { "v" : 1, "key" : { "a" : 1 }, "name" : "a_1", "ns" : "test.test" } ] $ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(db.system.indexes.find().toArray())' MongoDB shell version: 3.0.6 connecting to: 127.0.0.1:24205/test [ { "v" : 1, "key" : { "_id" : 1 }, "name" : "_id_", "ns" : "test.test" }, { "v" : 1, "key" : { "a" : 1 }, "name" : "a_1", "ns" : "test.test" } ]
Sprint:
Security A 10/09/15

During the process of upgrading a 2.6 cluster (with auth) to 3.0, there is a period of time where the system is running with 3.0 mongoses and 2.6 shards.

While in this state, if the listIndexes (new in 3.0) command is sent to the mongos, then if auth is disabled it will return correct results, but if auth is on it will fail with "not authorized" (even though the authenticated user has the correct privs).

It seems that this is because the mongos is misinterpreting the "command not found" it is getting back from the shards when it runs listIndexes on them, and not realising that it needs to downconvert to querying system.indexes.

is duplicated by

SERVER-20482 Change of behaviour in db.system.users.getIndexes() b/w 2.6 and 3.0

Closed

is related to

SERVER-17529 Can't list collections when mongos is running 3.0 and config servers are running 2.6 and auth is on

Closed

related to

SERVER-20482 Change of behaviour in db.system.users.getIndexes() b/w 2.6 and 3.0

Closed

Details

Description

Attachments

Issue Links

Activity

People

Dates