  1. Core Server
  2. SERVER-7604

On MongoS read-only users should be denied access to system.users collection

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: 2.2.1
    • Fix Version/s: 2.2.4
    • Component/s: Security
    • Labels: None
    • Operating System: ALL

      Description

      On MongoD

      Steps to reproduce:

      Create a read-only user in any database:

      > db.addUser('mod', 'pass', true)

      Restart with mongod --auth.

      > db.auth('mod','pass')
      > db.system.users.find()
      error: {
        "$err": "unauthorized db:test ns:test.system.users lock type:1 client:127.0.0.1",
        "code": 10057
      }

      On MongoS started with --keyFile filename, and members started with --auth --keyFile filename

      > db.auth('mod','pass')
      > db.system.users.find()
       
      { "_id": ObjectId("509cea7b45f86c6fcc64b71c"), "user": "mod", "readOnly": true, "pwd": "aa387b99960161d09f7a38d57fd7a15a" }

      Note that the mongoD is not part of the mongoS shard. The same occurs on localhost and when connecting from a remote host on the LAN.
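
The reproduction above can be turned into a repeatable check that is run against every entry point (mongod and mongos) after an upgrade. This is an added example, not part of the original ticket or of MongoDB's code: `auditSystemUsersAccess`, `stubDb` and the stub data are hypothetical, and `db` is assumed to behave like the mongo shell handle used in the steps above.

```javascript
// Added example (not from the ticket): checks whether a read-only user can
// read system.users through a given entry point. `db` is assumed to expose the
// mongo shell calls used on this page: db.auth() and db.system.users.find().
function auditSystemUsersAccess(db, user, pwd) {
  if (!db.auth(user, pwd)) {
    return { authenticated: false, denied: null, exposedUsers: [], pwdHashExposed: false };
  }
  let docs;
  try {
    docs = db.system.users.find().toArray();
  } catch (e) {
    // The shell raises when the server answers with an $err document.
    return { authenticated: true, denied: true, exposedUsers: [], pwdHashExposed: false,
             reason: String(e && e.message ? e.message : e) };
  }
  // Some clients hand back the $err document instead of raising.
  const errDoc = docs.find((d) => d && "$err" in d);
  if (errDoc) {
    return { authenticated: true, denied: true, exposedUsers: [], pwdHashExposed: false,
             reason: errDoc.$err };
  }
  return {
    authenticated: true,
    denied: false, // finding: the user list was readable
    exposedUsers: docs.map((d) => d.user),
    pwdHashExposed: docs.some((d) => "pwd" in d),
  };
}

// Constructed stand-ins for the two behaviours in the report, so the check
// runs without a server. Replace with a real shell `db` handle when auditing.
function stubDb(findResult) {
  return {
    auth: (u, p) => (u === "mod" && p === "pass" ? 1 : 0),
    system: { users: { find: () => ({ toArray: findResult }) } },
  };
}
const mongodLike = stubDb(() => {
  throw new Error("unauthorized db:test ns:test.system.users lock type:1 client:127.0.0.1");
});
const mongosLike = stubDb(() => [
  { _id: "constructed-id", user: "mod", readOnly: true, pwd: "<constructed-hash>" },
]);

function runAudit() {
  return {
    mongod: auditSystemUsersAccess(mongodLike, "mod", "pass"),
    mongos: auditSystemUsersAccess(mongosLike, "mod", "pass"),
  };
}
```

A result with `denied: false` on any entry point means the read-only account can list users, and `pwdHashExposed: true` means their stored password hashes are included.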

              People

              Assignee: Spencer Brody (spencer)
              Reporter: Gianfranco Palumbo (gianfranco)
              Votes: 0
              Watchers: 6