[JAVA-890] With authentication enabled with a replica set, it is still possible to get the replica status from the java driver even when not authenticated. Created: 19/Jul/13 Updated: 19/Jul/13 Resolved: 19/Jul/13 |
|
| Status: | Closed |
| Project: | Java Driver |
| Component/s: | Authentication |
| Affects Version/s: | 2.2, 2.4 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Minor - P4 |
| Reporter: | Sigurd Lund | Assignee: | Unassigned |
| Resolution: | Done | Votes: | 0 |
| Labels: | driver, replicaset | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: |
Tested with version 2.4.5 and 2.2.5 in Ubuntu with the java driver 2.11.1. |
||
| Description |
|
I believe I found a bug after I enabled authentication on my mongodb this day. When the server is requiring authentication, it is not possible to view the replica status with rs.status() in the mongo client if you are not authenticated, and I guess this is how it should be. However when i tried to view some info of the database with the java driver without authenticating, I get the replica status with no problems. All other commands like client.getDB(dbName) fails since I'm not authenticated. I think this is a security breach? |
| Comments |
| Comment by Jeffrey Yemin [ 19/Jul/13 ] |
|
Cool, thanks for responding. |
| Comment by Sigurd Lund [ 19/Jul/13 ] |
|
Ah, I'm using the last one, so that explains it. Thank you. |
| Comment by Jeffrey Yemin [ 19/Jul/13 ] |
|
How are you getting the replica set status? Are you calling db.command("replSetGetStatus")? Note that Mongo.getReplicaSetStatus() doesn't actually use that command, it uses "isMaster", which does not currently require authentication. |