[JAVA-890] With authentication enabled with a replica set, it is still possible to get the replica status from the java driver even when not authenticated. Created: 19/Jul/13  Updated: 19/Jul/13  Resolved: 19/Jul/13

Status: Closed
Project: Java Driver
Component/s: Authentication
Affects Version/s: 2.2, 2.4
Fix Version/s: None

Type: Bug
Priority: Minor - P4
Reporter: Sigurd Lund
Assignee: Unassigned
Resolution: Done
Votes: 0
Labels: driver, replicaset
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Tested with version 2.4.5 and 2.2.5 in Ubuntu with the java driver 2.11.1.



 Description   

I believe I found a bug after I enabled authentication on my MongoDB today.

When the server is requiring authentication, it is not possible to view the replica status with rs.status() in the mongo client if you are not authenticated, and I guess this is how it should be.

However, when I tried to view some info about the database with the Java driver without authenticating, I got the replica status with no problems. All other commands like client.getDB(dbName) fail since I'm not authenticated. I think this is a security breach?



 Comments   
Comment by Jeffrey Yemin [ 19/Jul/13 ]

Cool, thanks for responding.

Comment by Sigurd Lund [ 19/Jul/13 ]

Ah, I'm using the last one, so that explains it. Thank you.

Comment by Jeffrey Yemin [ 19/Jul/13 ]

How are you getting the replica set status? Are you calling db.command("replSetGetStatus")? Note that Mongo.getReplicaSetStatus() doesn't actually use that command, it uses "isMaster", which does not currently require authentication.
