Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-4933

auth not working at all

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Works as Designed
    • Affects Version/s: 2.1.0
    • Fix Version/s: None
    • Component/s: Security
    • Labels:
      None
    • Operating System:
      ALL

      Description

      According to http://www.mongodb.org/display/DOCS/Security+and+Authentication, if you run with --auth, you can still do anything to a db until the first user for that db is created. However, I just did an experiment to verify this, and found that even after I created a user for a db, I was able to do anything without having to authenticate.

      $ ./mongo
      MongoDB shell version: 2.1.1-pre-
      connecting to: test
      >
      > use bezos
      switched to db bezos
      > db.foob.insert(

      {blah:1}

      );
      > db.foob.insert(

      {blah:2}

      );
      > db.foob.find();

      { "_id" : ObjectId("4f35a84ccf5576708e221733"), "blah" : 1 } { "_id" : ObjectId("4f35a853cf5576708e221734"), "blah" : 2 }

      > db.addUser("scott", "tiger", false);

      { "user" : "scott", "readOnly" : false, "pwd" : "0cbd24414b7e463fdaaec5ec64f3982f", "_id" : ObjectId("4f35a87acf5576708e221735") } { "n" : 0, "connectionId" : 1, "err" : null, "ok" : 1 }

      > db.foob.insert(

      {blah:3}

      );
      > db.foob.find();

      { "_id" : ObjectId("4f35a84ccf5576708e221733"), "blah" : 1 } { "_id" : ObjectId("4f35a853cf5576708e221734"), "blah" : 2 } { "_id" : ObjectId("4f35a888cf5576708e221736"), "blah" : 3 }

      > db.auth("scott", "tiger");
      1
      > db.foob.find();

      { "_id" : ObjectId("4f35a84ccf5576708e221733"), "blah" : 1 } { "_id" : ObjectId("4f35a853cf5576708e221734"), "blah" : 2 } { "_id" : ObjectId("4f35a888cf5576708e221736"), "blah" : 3 }

      > exit
      bye

      Given this, I stopped my server to make sure I was really running with --auth. It was in my config file, so I started again:

      $ ./mongo
      MongoDB shell version: 2.1.1-pre-
      connecting to: test
      > use bezos
      switched to db bezos
      > show collections
      foob
      system.indexes
      system.users
      > db.foob.find();

      { "_id" : ObjectId("4f35a84ccf5576708e221733"), "blah" : 1 } { "_id" : ObjectId("4f35a853cf5576708e221734"), "blah" : 2 } { "_id" : ObjectId("4f35a888cf5576708e221736"), "blah" : 3 }

      > db.system.users.find();

      { "_id" : ObjectId("4f35a87acf5576708e221735"), "user" : "scott", "readOnly" : f alse, "pwd" : "0cbd24414b7e463fdaaec5ec64f3982f" }

      > db.runCommand(

      {getCmdLineOpts:1}

      );

      { "errmsg" : "access denied; use admin db", "ok" : 0 }

      > use admin
      switched to db admin
      > db.runCommand(

      {getCmdLineOpts:1}

      );
      {
      "argv" : [
      "C:\\cygwin\\home\\cwestin\\mongo
      mongod.exe",
      "--config",
      "../sandbox/mongodb.conf"
      ],
      "parsed" :

      { "auth" : "true", "config" : "../sandbox/mongodb.conf", "dbpath" : "c:/cygwin/home/cwestin/sandbox/dbfiles", "directoryperdb" : "true", "logappend" : "true", "logpath" : "c:/cygwin/home/cwestin/sandbox/mongodb.log", "rest" : "true" }

      ,
      "ok" : 1
      }
      >

      I used getCmdLineOpts to verify that auth is indeed on. But you can see that I can still insert and query against this database without authenticating.

        Attachments

          Activity

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: