Core Server / SERVER-4275

in sharded cluster, authentication not enforced from localhost even with admin user set


Details

    • Type: Question
    • Resolution: Done
    • Priority: Major - P3
    • Component/s: Security

Description

    If a mongod has authentication on but no admin user, then connections are allowed from localhost, on purpose.

        Sun Nov 13 17:04:47 [conn1] note: no users configured in admin.system.users, allowing localhost access

    But if you have a sharded environment, the admin user is stored in the config db.
    So even if there is an admin user, individual mongods don't know about it and let you query from localhost.
    This seems like a security hole; do we need to allow free localhost access in any circumstance?
    Also it means that a lot of our tests using authentication pass even though they shouldn't, because authentication is not really enforced (e.g. sharded map/reduce).

People

    Assignee: Unassigned
    Reporter: Antoine Girbal (antoine)
    Votes: 2
    Watchers: 6