Details
- Improvement
- Resolution: Unresolved
- Minor - P4
- None
- 4.2.13
- None
- Server Security
(copied to CRM)
Description
When converting a single instance previously configured with users into an arbiter, we should warn the user that the target instance does contain users.
This behaviour can mislead the user, as arbiters should not hold any data and therefore should not be able to perform authorization. Also, those users are not in sync with the rest of the cluster.
Here are the steps to reproduce the issue:
Bash:
# Create a shared key file for internal authentication
rm -rf pem.pem
echo "ABCDEFGHIJKLMNOPQABCDEFGHIJKLMNOPQABCDEFGHIJKLMNOPQ" > pem.pem
chmod 500 pem.pem

# Start from a clean state
killall mongod
sleep 5
rm -rf data2 data1
mkdir data1 data2

# Node 1: replica set member on the default port, with a root user
mongod --dbpath ./data1 --fork --logpath ./data1/log --replSet foo --auth --keyFile pem.pem
sleep 10
mongo localhost/admin --eval 'rs.initiate(); sleep(400); db.createUser({user: "admin", pwd : "123", roles : ["root"]})'
sleep 5

# Node 2: standalone instance on port 27018, with its own root user
rm -rf ./data2/
mkdir data2
mongod --dbpath ./data2 --fork --logpath ./data2/log --auth --port 27018
sleep 10
mongo localhost:27018/admin --eval 'db.createUser({user: "admin_arb", pwd : "123", roles : ["root"]})'

# Stop node 2 and restart it on the same data files as a member of replica set foo
ps -ef | grep data2 | grep -v color | grep -v data1 | awk '{print $2}' | xargs kill
sleep 5
mongod --dbpath ./data2 --fork --logpath ./data2/log --auth --keyFile pem.pem --replSet foo --port 27018
sleep 5

# Add node 2 to the replica set as an arbiter
mongo localhost --port 27017 -uadmin -p123 --authenticationDatabase admin --eval 'rs.addArb("localhost:27018")'

sleep 3

# This is not expected:
mongo localhost --port 27018 -uadmin_arb -p123 --authenticationDatabase admin
At the end of the process we are able to log in on the arbiter with the user admin_arb, which is not expected.
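
The warning this ticket asks for could be driven by a check like the following, an added example that is not part of the ticket or of MongoDB's code. It evaluates the replies of the real `usersInfo` and `isMaster` commands taken from the target instance; `findLeftoverUsers`, `PRIVILEGED_ROLES`, the verdict strings and the sample replies are constructed for illustration.

```javascript
// Added sketch. Feed it the replies of two commands run on the target instance:
//   db.adminCommand({ usersInfo: { forAllDBs: true } })
//   db.adminCommand({ isMaster: 1 })
// Built-in roles treated as high impact here (an assumption of this example).
const PRIVILEGED_ROLES = new Set([
  "root", "__system", "userAdmin", "userAdminAnyDatabase", "dbOwner", "clusterAdmin",
]);

function findLeftoverUsers(usersInfoReply, isMasterReply) {
  if (!usersInfoReply || usersInfoReply.ok !== 1) {
    // Fail closed: an unreadable user list must not be treated as "no users".
    throw new Error("usersInfo failed; cannot tell whether local users exist");
  }
  const users = (usersInfoReply.users || []).map((u) => {
    // Roles appear as { role, db } documents; tolerate bare strings too.
    const roles = (u.roles || []).map((r) => (typeof r === "string" ? r : r.role));
    return {
      name: u.db + "." + u.user,
      roles: roles,
      privileged: roles.some((r) => PRIVILEGED_ROLES.has(r)),
    };
  });
  const isArbiter = Boolean(isMasterReply && isMasterReply.arbiterOnly);
  let verdict = "ok";
  if (users.length > 0) {
    // Users created before the conversion stay in the local data files and
    // are not kept in sync with the replica set's users.
    verdict = isArbiter ? "arbiter-has-local-users" : "warn-before-addArb";
  }
  return { verdict: verdict, isArbiter: isArbiter, users: users };
}

// Constructed replies that mirror the reproduction above.
const leftover = {
  users: [{ _id: "admin.admin_arb", user: "admin_arb", db: "admin",
            roles: [{ role: "root", db: "admin" }] }],
  ok: 1,
};
const standalone = { ismaster: true, ok: 1 };
const arbiter = { ismaster: false, secondary: false, arbiterOnly: true, setName: "foo", ok: 1 };

console.log(JSON.stringify(findLeftoverUsers(leftover, standalone)));
console.log(JSON.stringify(findLeftoverUsers(leftover, arbiter)));
```

Run against the standalone before `rs.addArb`, the `warn-before-addArb` verdict is the point at which to drop the listed users or rebuild the data directory; `arbiter-has-local-users` flags an existing arbiter that still accepts those credentials.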