[SERVER-10063] Authenticating as 2 users on the same DB, the privileges of latest authenticated user should take effect but does not Created: 29/Jun/13  Updated: 10/Dec/14  Resolved: 01/Jul/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.4.3
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Ravi Shakya Assignee: Spencer Brody (Inactive)
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: Ubuntu 10.04
Operating System: ALL
Description

I have users 'mampakha' and 'gor' (please refer to the output of db.system.users.find() in the mongo shell interaction below for privilege details) on the 'admin' database.
I initiate a mongo shell for user 'mampakha', authenticating against the 'test' database but connecting to the 'admin' database.
Now, on this same shell, I authenticate as user 'gor' using db.auth('gor', 'gor'). This user 'gor' has just the 'read' privilege on the 'admin' database.
Now I execute db.himal.insert({cat : 89890898}) (where himal is a collection on the 'admin' database) and it executes successfully. This should not have been allowed, as 'gor' has just the 'read' privilege on the 'admin' database.
Could you please investigate this issue?

ravi@ravi-laptop:~$ mongo --port 27021 --authenticationDatabase test -u mampakha -p mampakha admin
MongoDB shell version: 2.4.3
connecting to: 127.0.0.1:27021/admin
> db
admin
> rs.status()
{ "ok" : 0, "errmsg" : "unauthorized" }
> db.system.users.find()
{ "_id" : ObjectId("519b70680662676664e559ba"), "pwd" : "f339ed38b24579da0ede4155f512f5cb", "roles" : [ "userAdminAnyDatabase", "clusterAdmin", "dbAdminAnyDatabase", "readWriteAnyDatabase" ], "user" : "pakhandi" }
{ "_id" : ObjectId("51c96e1484ae4576ab5cc36b"), "user" : "maloom", "pwd" : "05185521272a43524855f972b57b27b3", "roles" : [ "readWrite" ] }
{ "_id" : ObjectId("51c96a1384ae4576ab5cc360"), "otherDBRoles" : { "resto" : [ "readWrite" ] }, "roles" : [ "userAdmin", "read", "readWrite" ], "user" : "mampakha", "userSource" : "test" }
{ "_id" : ObjectId("51cec37684ae2f40a8ef6a9b"), "user" : "gor", "pwd" : "f5faa32210f2c4c281f375b0299069f2", "roles" : [ "read" ] }
> db.auth('gor', 'gor')
1
> db.himal.insert({cat : 89890898}) //this should have failed
>



Comments
Comment by Spencer Brody (Inactive) [ 01/Jul/13 ]

This is working as designed.

You can only have one user logged in per database on each connection; however, the user "mampakha" is from the "test" database, while the user "gor" is from the "admin" database. We allow one connection to have multiple authentications so long as each authenticated user is from a different database. If you want to lose the privileges acquired via the "mampakha" user, you'll have to log out of the "test" database explicitly.
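The following is an added example, not code from the ticket or from the MongoDB server. It is a small model of the per-connection authentication state that the comment above describes: one authenticated user per authentication database, several databases at once, effective privileges taken as the union across all of them (the comment implies this; the union rule is an assumption of the model), and an explicit logout that clears only one database's slot. The user records are constructed from the db.system.users output in the description, with password hashes and the "pakhandi" AnyDatabase roles left out; the class, function and role-to-action names are this example's own.

```javascript
// Added example: a model of MongoDB 2.4 per-connection authentication as
// described in this ticket's comment. Not the server's code; all names below
// are assumptions made for illustration.

// Constructed from the ticket's admin.system.users output. "mampakha" has
// userSource "test", so she authenticates against "test" while her roles
// apply to "admin" (the database whose system.users holds the record) and,
// via otherDBRoles, to "resto".
const USERS = {
  mampakha: { authDb: "test",  roles: { admin: ["userAdmin", "read", "readWrite"], resto: ["readWrite"] } },
  maloom:   { authDb: "admin", roles: { admin: ["readWrite"] } },
  gor:      { authDb: "admin", roles: { admin: ["read"] } },
};

// Simplified role-to-action mapping (assumption; only what the scenario needs).
const ROLE_ACTIONS = {
  read: ["find"],
  readWrite: ["find", "insert", "update", "remove"],
  userAdmin: [],
};

class Connection {
  constructor() {
    // One slot per authentication database. Authenticating a second user
    // against the SAME database replaces the slot; a different database adds one.
    this.authenticated = new Map(); // authDb -> username
  }

  auth(username) {
    const rec = USERS[username];
    if (!rec) return 0; // mirrors the shell's 0/1 result of db.auth()
    this.authenticated.set(rec.authDb, username);
    return 1;
  }

  // db.getSiblingDB(authDb).logout() in the shell: drops only that slot.
  logout(authDb) {
    return this.authenticated.delete(authDb);
  }

  // Effective privileges: the union over every still-authenticated user.
  allowedActions(db) {
    const actions = new Set();
    for (const username of this.authenticated.values()) {
      for (const role of USERS[username].roles[db] || []) {
        for (const a of ROLE_ACTIONS[role]) actions.add(a);
      }
    }
    return actions;
  }

  can(db, action) {
    return this.allowedActions(db).has(action);
  }
}

// The ticket's scenario: mampakha (auth db "test") then gor (auth db "admin").
function reproduceTicket() {
  const conn = new Connection();
  conn.auth("mampakha");
  conn.auth("gor");
  const insertAfterSecondAuth = conn.can("admin", "insert"); // true: mampakha still authenticated
  const slotsBeforeLogout = conn.authenticated.size;         // 2: one per auth database
  conn.logout("test");                                       // the explicit logout the comment asks for
  const insertAfterLogout = conn.can("admin", "insert");     // false: only gor's "read" remains
  const findAfterLogout = conn.can("admin", "find");         // true
  return { insertAfterSecondAuth, slotsBeforeLogout, insertAfterLogout, findAfterLogout };
}

// The case the reporter expected: two users from the SAME database, where the
// second authentication replaces the first instead of adding to it.
function sameDbReplacement() {
  const conn = new Connection();
  conn.auth("maloom");
  const insertAsMaloom = conn.can("admin", "insert"); // true
  conn.auth("gor");                                   // replaces the "admin" slot
  const insertAfterGor = conn.can("admin", "insert"); // false
  return { insertAsMaloom, insertAfterGor, slots: conn.authenticated.size };
}
```

The practical check on a real 2.4 deployment is the same shape: after the second db.auth(), run db.getSiblingDB('test').logout() and retry the insert; it should then be refused with "unauthorized".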
