[DRIVERS-169] Work around localhost exception issues in addUser helpers Created: 20/Jun/14  Updated: 15/Apr/19  Resolved: 21/Jun/16

Status: Closed
Project: Drivers
Component/s: None
Fix Version/s: None

Type: Task Priority: Major - P3
Reporter: Bernie Hackett Assignee: Barrie Segal
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on CDRIVER-642 Work around localhost exception issue... Closed
depends on CXX-178 Add Security Helper Methods Closed
depends on CSHARP-1090 Work around localhost exception issue... Closed
depends on PYTHON-714 Work around localhost exception issue... Closed
depends on RUBY-782 Change add_user helper command to wor... Closed
depends on JAVA-1528 Work around localhost exception issue... Closed
Related
is related to DRIVERS-127 Deprecate "addUser" helpers in favor ... Closed
is related to DRIVERS-162 Work around reduction of localhost ex... Closed
is related to SERVER-12621 Reduce localhost exception permissions Closed
Driver Compliance:
Key Status/Resolution FixVersion
RUBY-782 Done 1.11.0
PYTHON-714 Done 2.7.2, 3.0
CXX-178 Won't Fix
CSHARP-1090 Done 1.10, 2.0
JAVA-1528 Done 2.13.0, 3.0.0
CDRIVER-642 Done 1.1.5

 Description   

Most drivers that provide an addUser helper also support updating users through that helper. With MongoDB 2.6 the usersInfo command is used to determine if the addUser helper should call createUser or updateUser when passed a given username. Starting with MongoDB 2.7.0 the scope of the localhost exception for authentication was dramatically narrowed. It is no longer possible to call the usersInfo command unauthenticated, even when the localhost exception is in effect. Any driver that calls usersInfo in its addUser helper can no longer be used to add the first admin user while the localhost exception is in effect:

>>> c = pymongo.MongoClient()
>>> try:
...     c.admin.add_user('admin', 'pass', roles=['root'])
... except Exception as exc:
...     print exc.details
... 
{u'code': 13, u'ok': 0.0, u'errmsg': u'not authorized on admin to execute command { usersInfo: "admin" }'}
>>> 
>>> c.admin.command('createUser', 'admin', pwd='pass', roles=['root'])
{u'ok': 1.0}
>>> c.admin.authenticate('admin', 'pass')
True
>>> c.server_info()['version']
u'2.7.2'

A workaround for this issue is to catch the exception and call createUser if the error code is 13 (Unauthorized). Any exception from the createUser call should propagate to the user application.

https://github.com/mongodb/mongo/blob/master/src/mongo/base/error_codes.err
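
The workaround described above, sketched as an added example that is not taken from the ticket or from any driver's source. OperationFailure and FakeDatabase are stand-ins constructed here so the block runs without a server; the model assumes auth is enabled and that unauthenticated createUser is permitted only while no users exist.

```python
UNAUTHORIZED = 13  # error code named in the issue description


class OperationFailure(Exception):
    """Stand-in for a driver's command-failure exception (assumption)."""
    def __init__(self, msg, code):
        super().__init__(msg)
        self.code = code


class FakeDatabase:
    """Constructed model: auth enabled, narrowed localhost exception."""
    def __init__(self):
        self.users, self.authenticated, self.log = {}, False, []

    def command(self, name, value, **kwargs):
        self.log.append(name)
        if name == "createUser":
            # Unauthenticated createUser is allowed only while no users exist.
            if not self.authenticated and self.users:
                raise OperationFailure("not authorized", UNAUTHORIZED)
            self.users[value] = kwargs
            return {"ok": 1.0}
        if not self.authenticated:
            raise OperationFailure("not authorized", UNAUTHORIZED)
        if name == "usersInfo":
            return {"ok": 1.0, "users": [value] if value in self.users else []}
        self.users[value].update(kwargs)  # updateUser
        return {"ok": 1.0}


def add_user(db, name, pwd, roles):
    """addUser-style helper that tolerates code 13 from usersInfo."""
    try:
        exists = bool(db.command("usersInfo", name)["users"])
    except OperationFailure as exc:
        if exc.code != UNAUTHORIZED:
            raise  # unrelated failure: surface it unchanged
        # Lookup refused: fall back to createUser; its errors propagate.
        return db.command("createUser", name, pwd=pwd, roles=roles)
    verb = "updateUser" if exists else "createUser"
    return db.command(verb, name, pwd=pwd, roles=roles)
```

In this model, once the first user exists an unauthenticated caller still receives code 13, now from createUser rather than usersInfo, so the fallback does not widen what an unauthenticated client can do.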



 Comments   
Comment by A. Jesse Jiryu Davis [ 11/May/15 ]

Actually the C Driver has not yet implemented this, I've filed CDRIVER-642. However, I think validating for C++11 is still accurate.

Comment by Andrew Morrow (Inactive) [ 03/Mar/15 ]

Validating for C++11 because validated for C, also C++11 has no user helpers.
