Details
Description
I can consistently reproduce the following:
$ mongod --version
|
db version v3.2.0-rc3-89-g3a8aab6
|
git version: 3a8aab65a494f6e5b31ea0358a517b103e1cbcb6
|
-bash-4.2$ rm -rf /data/db/*
|
-bash-4.2$ mongod -vvvv --smallfiles --logpath=/data/db/mongod.log --auth --dbpath=/data/db --fork
|
about to fork child process, waiting until server is ready for connections.
|
forked process: 20505
|
child process started successfully, parent exiting
|
-bash-4.2$ mongo
|
MongoDB shell version: 3.2.0-rc3-89-g3a8aab6
|
connecting to: test
|
> use admin
|
switched to db admin
|
> db.runCommand({createUser: "example", "pwd": "password", roles: [
|
... {'role': 'userAdminAnyDatabase', 'db': 'admin'},
|
... {'role': 'clusterAdmin', 'db': 'admin'},
|
... {'role': 'dbAdminAnyDatabase', 'db': 'admin'},
|
... {'role': 'readWriteAnyDatabase', 'db': 'admin'}
|
... ]})
|
{ "ok" : 1 }
|
>
|
bye
|
Then. Using the latest master of mongo-c-driver:
- Create new client using "mongodb://example:password@localhost:27017/admin"
- Create a schema validator: {"validator": {"number": {"$gte": 5, "validationAction": "error"}}}
- Bulk insert 3 document that fail the validation, and get "Document failed validation" error back
- Bulk insert 3 documents that fail the validation, passing bypassDocumentValidation: true
Now, what happens depends on the following:
- If I have an active shell session logged in with the same username and password, the bypassDocumentValidation succeeds
- If I have no active shell session the bypassDocumentValidation fails with authentication error.
|
"bypass.c" |
#include <bcon.h>
|
#include <mongoc.h>
|
|
|
int main(void) |
{
|
mongoc_collection_t *collection;
|
bson_t reply = BSON_INITIALIZER;
|
mongoc_bulk_operation_t *bulk;
|
mongoc_database_t *database;
|
mongoc_write_concern_t *wr;
|
mongoc_client_t *client;
|
bson_error_t error;
|
bson_t *options;
|
int r; |
int i; |
|
|
client = mongoc_client_new ("mongodb://example:password@localhost:27017/admin"); |
|
|
database = mongoc_client_get_database (client, "databaseName"); |
collection = mongoc_database_get_collection (database, "collectionName"); |
mongoc_collection_drop (collection, NULL);
|
|
|
options = bson_new_from_json ("{\"validator\": {\"number\": {\"$gte\": 5}}, \"validationAction\": \"error\"}", -1, NULL); |
if (!mongoc_database_create_collection (database, "collectionName", options, &error)) { |
fprintf(stderr, "Got error %s on line %d\n", error.message, __LINE__); |
fprintf(stderr, "\nFAILED\n"); |
return 1; |
}
|
|
|
/* {{{ Default fails validation */ |
bulk = mongoc_collection_create_bulk_operation (collection, true, NULL); |
for (i = 0; i < 3; i++) { |
bson_t *doc = bson_new_from_json ("{\"number\": 3 }", -1, NULL); |
mongoc_bulk_operation_insert (bulk, doc);
|
bson_destroy (doc);
|
}
|
r = mongoc_bulk_operation_execute (bulk, &reply, &error);
|
if (r) { |
fprintf(stderr, "Should have got error line %d\n", __LINE__); |
fprintf(stderr, "\nFAILED\n"); |
return 1; |
} else { |
fprintf(stdout, "Correctly failed validation (%s) on line %d\n", error.message, __LINE__); |
}
|
mongoc_bulk_operation_destroy (bulk);
|
/* }}} */ |
|
|
/* {{{ bypass_document_validation=true ignores validation */ |
bulk = mongoc_collection_create_bulk_operation (collection, true, NULL); |
mongoc_bulk_operation_set_bypass_document_validation (bulk, true); |
for (i = 0; i < 3; i++) { |
bson_t *doc = bson_new_from_json ("{\"number\": 3 }", -1, NULL); |
mongoc_bulk_operation_insert (bulk, doc);
|
bson_destroy (doc);
|
}
|
r = mongoc_bulk_operation_execute (bulk, &reply, &error);
|
if (r) { |
fprintf(stdout, "Correctly bypassed document validation on line %d\n", __LINE__); |
} else { |
fprintf(stderr, "Got error %s on line %d\n", error.message, __LINE__); |
fprintf(stderr, "\nFAILED\n"); |
return 1; |
}
|
mongoc_bulk_operation_destroy (bulk);
|
/* }}} */ |
|
|
bson_destroy (options);
|
mongoc_database_destroy (database);
|
mongoc_collection_destroy (collection);
|
mongoc_client_destroy (client);
|
}
|
—
EDIT: This was originally noticed on Solaris spawnhost that had nightly deployed on it. It was later confirmed on Linux too.
Attachments
Issue Links
- is documented by
-
DOCS-8944 bypassDocumentValidation authentication error
-
- Closed
-
- is related to
-
CDRIVER-1024 bypassDocumentValidation test fails on Solaris
-
- Closed
-
-
SERVER-21486 successful authentication does not give full privilege with 3.0 mongos and 3.2 mongod
-
- Closed
-
-
SERVER-21561 Remove privilege redaction added for backwards compatility
-
- Closed
-
-
SERVER-21673 Shell ignores "opQueryOnly", "opCommandOnly" values for rpcProtocols option
-
- Closed
-