Core Server: SERVER-5479

Arbiter in authenticated replica set should allow and require login/auth for admin-only operations

    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Major - P3
    • Affects Version/s: 2.0.3, 2.1.0
    • Component/s: Admin, Replication, Security
    • Environment:
      Tested on Ubuntu 11.10 64-bit with 2.0.3 and today's 2.1.1-pre- but probably the same on all platforms.
    • Server Security
    • Minor Change

Create a replica set with one primary, one secondary and one arbiter, each started with --auth and --keyFile. Create a user in the admin database on the primary and log in with db.auth(). Admin-only commands like logRotate work on the primary. Set db to the local database on the secondary but do not log in with db.auth(). Admin-only commands fail, as they should. Now set db to the local database on the arbiter. Admin-only commands work without logging in.

This is convenient, since you CAN'T log in to the arbiter: it has no admin database to hold the system.users collection.

This is both inconsistent and a security problem. Once connected to the arbiter, the commands "use admin" and "db.shutdownServer()" will shut down the arbiter, for example.

We should add a mechanism to make the admin.system.users collection from the primary available to the arbiter and enforced by the arbiter, so that if authentication is enabled on the replica set the arbiter follows the same rules as the primary and secondaries.
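The reproduction above doubles as an audit: send an admin-only command over a connection on which db.auth() was never called and check whether each member refuses it. The mongo-shell script below is an added example, not part of this ticket or of MongoDB's own code. It probes with logRotate, which the ticket names as admin-only and which is non-destructive, and assumes that a refused request comes back as ok: 0 with an errmsg mentioning "unauthorized" (or error code 13 on later servers). The host names and the fake responses at the end are constructed placeholders; the connection opener is injected so the classification logic can also be exercised offline under node.

```javascript
// Added example (not from the ticket or MongoDB): audit whether each replica-set
// member enforces authentication for admin-only commands. Run it in the mongo shell;
// the classification logic is plain JavaScript and also runs under node.

// Probe command: admin-only (named in the ticket) and non-destructive.
var ADMIN_ONLY_PROBE = { logRotate: 1 };

// Classify the server's answer to the probe sent WITHOUT db.auth().
// Assumption: a refused request comes back as ok: 0 with an errmsg mentioning
// "unauthorized" / "not authorized" (2.0 wording), or error code 13 on later servers.
function classifyAuthResponse(res) {
  if (res && res.ok === 1) {
    return "NOT_ENFORCED";   // admin-only command accepted without credentials
  }
  var msg = (res && res.errmsg) ? String(res.errmsg).toLowerCase() : "";
  if (res && (res.code === 13 ||
              msg.indexOf("unauthorized") !== -1 ||
              msg.indexOf("not authorized") !== -1)) {
    return "ENFORCED";       // rejected for lack of authentication, as expected
  }
  return "UNKNOWN";          // connection failure or an unrelated error: inspect by hand
}

// Audit one member through any object exposing runCommand(cmd).
function auditMember(name, adminDb) {
  var res;
  try {
    res = adminDb.runCommand(ADMIN_ONLY_PROBE);
  } catch (e) {
    res = { ok: 0, errmsg: String(e) };   // e.g. host unreachable
  }
  return { member: name, verdict: classifyAuthResponse(res), response: res };
}

// Audit every member. openAdminDb(host) is injected so the same logic runs
// against real connections or against constructed fakes.
function auditReplicaSet(hosts, openAdminDb) {
  var findings = [];
  for (var i = 0; i < hosts.length; i++) {
    findings.push(auditMember(hosts[i], openAdminDb(hosts[i])));
  }
  return findings;
}

// Names of members that accepted the admin-only command unauthenticated.
function membersNotEnforcingAuth(findings) {
  var out = [];
  for (var i = 0; i < findings.length; i++) {
    if (findings[i].verdict === "NOT_ENFORCED") {
      out.push(findings[i].member);
    }
  }
  return out;
}

// Live use from the mongo shell: pass host:port strings, e.g. the name fields
// from rs.status().members. Mongo is the shell's connection constructor.
function auditLiveReplicaSet(hosts) {
  return auditReplicaSet(hosts, function (host) {
    return new Mongo(host).getDB("admin");   // no auth() call on purpose
  });
}
// Example call (placeholder hosts, replace with your own):
//   auditLiveReplicaSet(["primary.example:27017", "secondary.example:27017", "arbiter.example:27017"])

// Constructed fake responses reproducing the behaviour the ticket describes:
// primary and secondary refuse the unauthenticated command, the arbiter accepts it.
var FAKE_RESPONSES = {
  "primary:27017":   { ok: 0, errmsg: "unauthorized" },
  "secondary:27017": { ok: 0, errmsg: "unauthorized" },
  "arbiter:27017":   { ok: 1 }
};

function fakeAdminDb(host) {
  return { runCommand: function () { return FAKE_RESPONSES[host]; } };
}

// Offline demonstration against the fakes.
function demoAudit() {
  return membersNotEnforcingAuth(
    auditReplicaSet(Object.keys(FAKE_RESPONSES), fakeAdminDb));   // → ["arbiter:27017"]
}
```

Any member reported as NOT_ENFORCED is accepting admin-only commands from anyone who can reach its port; until the arbiter honours the same user list as the data-bearing members, the practical mitigation is to keep its port reachable only from the other members and from administrative hosts.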

Votes: 42
Watchers: 66
