Core Server / SERVER-57648

When converting a single instance to arbiter warn if there are users on admin.system.users

    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Minor - P4
    • Affects Version/s: 4.2.13
    • Component/s: None
    • Server Security

      When converting a single instance that was previously configured with users into an arbiter, we should warn the user that the target instance still contains users.

      This behaviour can mislead the user: an arbiter holds no replicated data, so it never receives admin.system.users from the rest of the set and should not be able to perform authorization on its own. The users it already had before the conversion stay local to it, are not in sync with the rest of the cluster, and can still be used to log in to the arbiter.

      Here are the steps to reproduce the issue:

      Bash:

      rm -rf pem.pem
      echo "ABCDEFGHIJKLMNOPQABCDEFGHIJKLMNOPQABCDEFGHIJKLMNOPQ" > pem.pem
      chmod 500 pem.pem
      killall mongod
      sleep 5
      rm -rf data2 data1
      mkdir data1 data2
      mongod --dbpath ./data1 --fork --logpath ./data1/log --replSet foo --auth --keyFile pem.pem
      sleep 10
      mongo localhost/admin --eval 'rs.initiate(); sleep(400); db.createUser({user: "admin", pwd : "123", roles : ["root"]})'
      sleep 5
      rm -rf ./data2/
      mkdir data2
      mongod --dbpath ./data2 --fork --logpath ./data2/log --auth --port 27018
      sleep 10
      mongo localhost:27018/admin --eval 'db.createUser({user: "admin_arb", pwd : "123", roles : ["root"]})'
      # stop the standalone on data2 so it can be restarted as a replica set member
      ps -ef | grep data2 | grep -v color | grep -v data1 | awk '{print $2}' | xargs kill
      sleep 5
      mongod --dbpath ./data2 --fork --logpath ./data2/log --auth --keyFile pem.pem --replSet foo --port 27018
      sleep 5
      mongo localhost --port 27017 -uadmin -p123 --authenticationDatabase admin --eval 'rs.addArb("localhost:27018")'
      
      sleep 3
      # This is not expected:
      mongo localhost --port 27018 -uadmin_arb -p123 --authenticationDatabase admin
      

      At the end of the process we are able to log in to the arbiter as admin_arb, which is not expected.
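      The warning this ticket asks for can be reproduced from the shell today, before rs.addArb() is ever called. The script below is an added example, not MongoDB's own code: it assumes the legacy mongo shell is on PATH, that the target node runs with --auth and that you can pass credentials for a user stored on it (with access control on, the localhost exception does not allow reading admin.system.users once any user exists), and that the primary's credentials are available for rs.addArb(). All function and variable names are ours.

```shell
#!/usr/bin/env bash
# Added example (not MongoDB's code): refuse to run rs.addArb() while the target
# node still holds documents in admin.system.users. Assumes the legacy `mongo`
# shell is on PATH. Credentials for the TARGET node are required because, with
# --auth on, the localhost exception does not permit reading admin.system.users
# once any user exists; the primary's credentials are needed for rs.addArb().
set -u

# Print one "<db>.<user>" line per document in admin.system.users on the node.
list_admin_users() {
  local host="$1" port="$2" user="$3" pwd="$4"
  mongo --quiet --host "$host" --port "$port" \
        -u "$user" -p "$pwd" --authenticationDatabase admin \
        --eval 'db.getSiblingDB("admin").system.users.find({}, {_id: 1}).forEach(function (u) { print(u._id); })'
}

# Exit status: 0 if the node has no users, 1 if it has users (warning printed on
# stderr), 2 if the node could not be queried at all.
warn_if_users() {
  local host="$1" port="$2" user="$3" pwd="$4"
  local users
  users=$(list_admin_users "$host" "$port" "$user" "$pwd") || return 2
  [ -z "$users" ] && return 0
  local n
  n=$(printf '%s\n' "$users" | wc -l | tr -d ' ')
  {
    echo "WARNING: $host:$port holds $n user(s) in admin.system.users;"
    echo "an arbiter never replicates that collection, so these logins stay valid only there:"
    printf '%s\n' "$users" | sed 's/^/  /'
  } >&2
  return 1
}

# Convert a node to an arbiter only after the check passes.
# Usage: add_arbiter_safely PRIMARY_HOST PRIMARY_PORT PRIMARY_USER PRIMARY_PWD \
#                           TARGET_HOST TARGET_PORT TARGET_USER TARGET_PWD
add_arbiter_safely() {
  local phost="$1" pport="$2" puser="$3" ppwd="$4"
  local thost="$5" tport="$6" tuser="$7" tpwd="$8"
  warn_if_users "$thost" "$tport" "$tuser" "$tpwd" || return $?
  mongo --quiet --host "$phost" --port "$pport" \
        -u "$puser" -p "$ppwd" --authenticationDatabase admin \
        --eval "rs.addArb(\"$thost:$tport\")"
}

# With the reproduction above, this refuses because admin_arb exists on 27018:
# add_arbiter_safely localhost 27017 admin 123 localhost 27018 admin_arb 123
```

      Run against the reproduction above, the check lists admin.admin_arb on localhost:27018 and returns 1 without touching the replica set; the operator then drops that user (or wipes the dbpath) before re-running the conversion.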


            Assignee: backlog-server-security [DO NOT USE] Backlog - Security Team
            Reporter: adamo.tonete@mongodb.com Adamo Tonete (Inactive)
            Votes: 0
            Watchers: 4
