Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Done
Priority: Major - P3
Fix Version/s: None
Affects Version/s: 2.3.2
Component/s: Replication, Security
Labels:
None

Operating System:
ALL
CAR Domain/s:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

In the process of creating tests for ~~SERVER-4073~~ I created a user who had only access to test database, not auth access. This user is not allowed to run rs.status() command. However via a write followed by getlasterror he can access information about what replica nodes there are and their address.

> rs.status()
{ "ok" : 0, "errmsg" : "unauthorized" }
> db.c1.insert({}); db.runCommand({getlasterror:1, w:9, wtimeout:5000})
{
	"n" : 0,
	"lastOp" : {
		"t" : 1358901189000,
		"i" : 1
	},
	"connectionId" : 13,
	"wtimeout" : true,
	"waited" : 5000,
	"replicatedTo" : [
		"10.5.1.168"
	],
	"err" : "timeout",
	"ok" : 1
}

Assignee:: Unassigned
Reporter:: Asya Kamsky
Participants:: Asya Kamsky, Eliot Horowitz, Scott Hernandez
Votes:: 0 Vote for this issue
Watchers:: 5 Start watching this issue

Created:: Jan 23 2013 12:33:54 AM UTC
Updated:: Feb 15 2013 03:06:04 PM UTC
Resolved:: Jan 23 2013 07:28:39 AM UTC

Details

Description

Attachments

Activity

People

Dates