  1. Core Server
  2. SERVER-20515

Administrator commands for authentication and authorization


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major - P3
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: Needs Further Definition
    • Component/s: Security
    • Labels:
      None

      Description

      There is confusion around the authentication/authorization administration commands. It isn't clear which users have permissions on specific databases.

      For example, given the following list of users:

      { "_id" : "test3.User1", "user" : "User1", "db" : "test3", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "ygM/kiHkaPwO9PdQiaz5jA==", "storedKey" : "lwFro0w7SOlCISM/3T8JQZUdTHg=", "serverKey" : "vKHY+md3GfeKKWCOyXVjeOYucLE=" } }, "roles" : [ { "role" : "readWrite", "db" : "test3" } ] }
      { "_id" : "admin.User1", "user" : "User1", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "ytOprpTqw89YH+7mX1gLEA==", "storedKey" : "5T3Jz0PzFp6bhVzYvshq36N1ixA=", "serverKey" : "5veDlNCSeb1uBHKUCkp3XGYadtE=" } }, "roles" : [ { "role" : "readWrite", "db" : "test3" } ] }
      { "_id" : "admin.User2", "user" : "User2", "db" : "admin", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "uV8HbDYpMiIEkAyLGahOgA==", "storedKey" : "4gUDtjyVdXNNYDWnrl0/BXTt6/Y=", "serverKey" : "b2MQHgH2vr59ej1oVmZ8g1KQR3g=" } }, "roles" : [ { "role" : "readWrite", "db" : "test3" } ] }
      { "_id" : "test3.User3", "user" : "User3", "db" : "test3", "credentials" : { "SCRAM-SHA-1" : { "iterationCount" : 10000, "salt" : "c51wUDI6OxbS/YW+tL2mfw==", "storedKey" : "A2CehUtqrp227cjkM2wKFmtaFMk=", "serverKey" : "eCJ3iWdMv42GFHZQRXEijDwJzrg=" } }, "roles" : [ { "role" : "readWrite", "db" : "test3" } ] }
      

      These users behave differently with respect to how authentication is performed, but consistently with respect to what actions can be executed on the specific database.

      For example, User2 can authenticate against the admin database but not against test3. However, this user can perform read/write operations on test3.

      $ mongo -u User2 -p password test3
      MongoDB shell version: 3.0.6
      connecting to: test3
      2015-09-14T23:20:06.726+0100 E QUERY    Error: 18 Authentication failed.
          at DB._authOrThrow (src/mongo/shell/db.js:1236:32)
          at (auth):6:8
          at (auth):7:2 at src/mongo/shell/db.js:1236
      exception: login failed
      

      $ mongo -u User2 -p password admin
      MongoDB shell version: 3.0.6
      connecting to: admin
      > use test3
      switched to db test3
      > db.stats()
      {
      	"db" : "test3",
      	"collections" : 0,
      	"objects" : 0,
      	"avgObjSize" : 0,
      	"dataSize" : 0,
      	"storageSize" : 0,
      	"numExtents" : 0,
      	"indexes" : 0,
      	"indexSize" : 0,
      	"fileSize" : 0,
      	"ok" : 1
      }
      > db.col1.insert({ a: 1, b: 1 })
      WriteResult({ "nInserted" : 1 })
      

      In the same way, User3 can perform the same actions on the test3 database only. As you can see, this user cannot authenticate against the admin database.

      $ mongo -u User3 -p password admin
      MongoDB shell version: 3.0.6
      connecting to: admin
      2015-09-14T23:24:14.742+0100 E QUERY    Error: 18 Authentication failed.
          at DB._authOrThrow (src/mongo/shell/db.js:1236:32)
          at (auth):6:8
          at (auth):7:2 at src/mongo/shell/db.js:1236
      exception: login failed
      

      $ mongo -u User3 -p password test3
      MongoDB shell version: 3.0.6
      connecting to: test3
      > db.stats()
      {
      	"db" : "test3",
      	"collections" : 3,
      	"objects" : 5,
      	"avgObjSize" : 60.8,
      	"dataSize" : 304,
      	"storageSize" : 20480,
      	"numExtents" : 3,
      	"indexes" : 1,
      	"indexSize" : 8176,
      	"fileSize" : 16777216,
      	"nsSizeMB" : 16,
      	"extentFreeList" : {
      		"num" : 0,
      		"totalSize" : 0
      	},
      	"dataFileVersion" : {
      		"major" : 4,
      		"minor" : 22
      	},
      	"ok" : 1
      }
      > db.col1.insert({ a: 1, b: 1 })
      WriteResult({ "nInserted" : 1 })
      

      Additionally, as you can see in the first list of users, you can also have the same user twice, associated with different databases. They are two separate documents, as they represent two independent users. This could represent a huge challenge for the security administrator.

      The relevant point here is the actions you could perform on a specific database. So there are two relevant points:

      • The database against which the user is authenticated.
      • The database for which the user has permissions.

      The method db.getUsers() adds confusion, as it shows the users associated with this database, which is only useful for authentication. However, it does not show the users who have read/write/admin permissions on this database.

      Authentication and authorization are different subjects. It doesn't really matter whether your user needs to be authenticated against the admin or the test3 database. What is really important is which permissions the user has on which database (authorization). In order to avoid the administrative problems of having multiple users, we should recommend having a single user with multiple permissions for different databases.

      In relation to the explanation above, the security administrator should have two different commands (for example):

      • db.getAuthenticatedUsers(): Shows the users who can authenticate against the current database. Perhaps it could also show whether the user has a current session.
      • db.getAuthorizedUsers(): Lists the users and the actions that can be performed on the current database.
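
The two views requested above, sketched as an added example that is not part of the ticket or of MongoDB's code: plain JavaScript over documents shaped like `admin.system.users` entries. The function names and the `Ops1` user are hypothetical, and only directly granted roles are considered (privileges inherited through user-defined roles are not resolved).

```javascript
// Documents shaped like admin.system.users entries. The first four mirror the
// ticket's list (credentials omitted); "Ops1" is a constructed extra user.
const users = [
  { _id: "test3.User1", user: "User1", db: "test3", roles: [{ role: "readWrite", db: "test3" }] },
  { _id: "admin.User1", user: "User1", db: "admin", roles: [{ role: "readWrite", db: "test3" }] },
  { _id: "admin.User2", user: "User2", db: "admin", roles: [{ role: "readWrite", db: "test3" }] },
  { _id: "test3.User3", user: "User3", db: "test3", roles: [{ role: "readWrite", db: "test3" }] },
  { _id: "admin.Ops1", user: "Ops1", db: "admin", roles: [{ role: "readWriteAnyDatabase", db: "admin" }] },
];

// Built-in roles that, when granted on admin, also apply to other databases.
const CLUSTER_WIDE = new Set([
  "readAnyDatabase", "readWriteAnyDatabase",
  "userAdminAnyDatabase", "dbAdminAnyDatabase", "root",
]);

// Authentication view: users whose credentials are stored in dbName,
// i.e. the database they must name when logging in.
function authenticatedUsers(docs, dbName) {
  return docs.filter((u) => u.db === dbName).map((u) => u._id);
}

// Authorization view: users holding a role scoped to dbName, or a
// cluster-wide built-in role on admin, whatever database they log in against.
function authorizedUsers(docs, dbName) {
  const out = [];
  for (const u of docs) {
    const roles = u.roles
      .filter((r) => r.db === dbName || (r.db === "admin" && CLUSTER_WIDE.has(r.role)))
      .map((r) => `${r.role}@${r.db}`);
    if (roles.length > 0) out.push({ id: u._id, authDb: u.db, roles });
  }
  return out;
}

console.log("can authenticate against test3:", authenticatedUsers(users, "test3"));
console.log("can act on test3:", authorizedUsers(users, "test3"));
```

On a live deployment, an administrator with read access to `admin.system.users` can get the directly scoped part of the second view with `db.getSiblingDB("admin").system.users.find({ "roles.db": "test3" })`; users holding cluster-wide roles on admin need the extra check shown in the sketch.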

              People

              Assignee:
              backlog-server-security Backlog - Security Team
              Reporter:
              ricardo.lorenzo Ricardo Lorenzo