Core Server / SERVER-5479

Arbiter in authenticated replica set should allow and require login/auth for admin-only operations


Details

    • Type: Improvement
    • Status: Backlog
    • Priority: Major - P3
    • Resolution: Unresolved
    • Affects Version/s: 2.0.3, 2.1.0
    • Fix Version/s: None
    • Component/s: Admin, Replication, Security
    • Environment: Tested on Ubuntu 11.10 64-bit with 2.0.3 and today's 2.1.1-pre- but probably the same on all platforms.
    • Security
    • Minor Change

Description

Create a replica set with one primary, one secondary and one arbiter, each started with --auth and --keyFile. Create a user in the admin database on the primary and log in with db.auth(). Admin-only commands like logRotate work on the primary. Set db to the local database on the secondary but do not log in with db.auth(). Admin-only commands fail as they should. Now set db to the local database on the arbiter. Admin-only commands work without logging in.

This is convenient, since you CAN'T log in to the arbiter... it has no admin database to hold the system.users collection.

This is both inconsistent and a security problem. Once connected to the arbiter, the commands "use admin" and "db.shutdownServer()" will shut down the arbiter, for example.

We should add a mechanism to make the admin.system.users collection from the primary available to the arbiter and enforced by the arbiter, so that if authentication is running on the replica set then the arbiter follows the same rules as the primary and secondaries.
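The reproduction above can be turned into a repeatable audit: for each member of the set, open an unauthenticated connection and issue an admin-only command, then flag any member that accepts it. The script below is an added example written for this page; it is not code from the ticket or from MongoDB. It uses the ticket's own example command, logRotate, as the default probe (any other admin-only command can be substituted), and takes the transport as an injected function so the classification logic can be run against a constructed three-member cluster without a live deployment. The hostnames, the `constructedTransport` responses and the assumption that a rejected command shows up as ok:0 with an "unauthorized"/"not authorized" errmsg or error code 13 are all constructed for the example; the `name` and `stateStr` fields are what rs.status() reports per member.

```javascript
// Added audit helper (not from the SERVER-5479 ticket or from MongoDB).
// Probes every replica set member with an admin-only command WITHOUT
// credentials and flags members that accept it, i.e. the arbiter behaviour
// the ticket describes. Written in ES5 so it also loads in older mongo shells.

// Build the member list from an rs.status() document: each member carries
// `name` (host:port) and `stateStr` (PRIMARY / SECONDARY / ARBITER ...).
function membersFromRsStatus(status) {
  return (status.members || []).map(function (m) {
    return { host: m.name, role: m.stateStr };
  });
}

// A member "enforces auth" when the unauthenticated command is rejected.
// Assumption: rejection is ok:0 plus an "unauthorized"/"not authorized"
// errmsg or code 13 (Unauthorized); the exact wording differs by version.
function isAuthEnforced(response) {
  if (!response || typeof response !== "object") return false;
  if (response.ok === 1) return false;
  var msg = String(response.errmsg || "").toLowerCase();
  return response.code === 13 ||
    msg.indexOf("unauthorized") !== -1 ||
    msg.indexOf("not authorized") !== -1;
}

// runUnauthenticated(host, command) must open a FRESH connection with no
// credentials and return the command result document (or throw).
function auditReplicaSetAuth(members, runUnauthenticated, command) {
  command = command || { logRotate: 1 };   // the ticket's example command
  var findings = [];
  for (var i = 0; i < members.length; i++) {
    var member = members[i];
    var response;
    try {
      response = runUnauthenticated(member.host, command);
    } catch (err) {
      findings.push({ host: member.host, role: member.role,
                      status: "unreachable", detail: String(err) });
      continue;
    }
    findings.push({
      host: member.host,
      role: member.role,
      status: isAuthEnforced(response) ? "auth-enforced"
                                       : "UNAUTHENTICATED-ADMIN-ALLOWED",
      detail: response.errmsg || ""
    });
  }
  return findings;
}

// Hosts on which an unauthenticated client could run the admin-only command.
function membersAllowingUnauthenticatedAdmin(findings) {
  return findings.filter(function (f) {
    return f.status === "UNAUTHENTICATED-ADMIN-ALLOWED";
  }).map(function (f) { return f.host; });
}

// Constructed cluster mirroring the ticket: primary and secondary reject the
// unauthenticated command, the arbiter (no admin.system.users) accepts it.
var CONSTRUCTED_RS_STATUS = {
  set: "rs0",
  members: [
    { name: "primary.example:27017",   stateStr: "PRIMARY" },
    { name: "secondary.example:27017", stateStr: "SECONDARY" },
    { name: "arbiter.example:27017",   stateStr: "ARBITER" }
  ]
};

function constructedTransport(host, command) {
  if (host.indexOf("arbiter.") === 0) return { ok: 1 };        // no auth check
  return { ok: 0, errmsg: "unauthorized", code: 13 };           // auth enforced
}

function runConstructedAudit() {
  return auditReplicaSetAuth(membersFromRsStatus(CONSTRUCTED_RS_STATUS),
                             constructedTransport);
}

// In a mongo shell already authenticated to the set, the real transport is:
//   auditReplicaSetAuth(membersFromRsStatus(rs.status()),
//     function (h, c) { return new Mongo(h).getDB("admin").runCommand(c); });
```

Run from an authenticated shell session so that rs.status() itself succeeds; the probe connections are deliberately opened without credentials, which is the whole point of the check. Any member listed by `membersAllowingUnauthenticatedAdmin` is one on which the inconsistency in this ticket applies.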

People

    • Votes: 42
    • Watchers: 66