[SERVER-10063] Authenticating as 2 users on the same DB, the privileges of latest authenticated user should take effect but does not Created: 29/Jun/13 Updated: 10/Dec/14 Resolved: 01/Jul/13 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 2.4.3 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Ravi Shakya | Assignee: | Spencer Brody (Inactive) |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: | Ubuntu 10.04 |
| Operating System: | ALL |
| Participants: |
| Description |
|
I have users 'mampakha' and 'gor' (please refer to the output of db.system.users.find() in the mongo shell interaction below for privilege details) on 'admin' database. ) (where himal is a collection on 'admin' database) and it executes successfully. This should not have been allowed as 'gor' has just 'read' privilege on 'admin' database.

ravi@ravi-laptop:~$ mongo --port 27021 --authenticationDatabase test -u mampakha -p mampakha admin
> db.system.users.find()
{ "_id" : ObjectId("519b70680662676664e559ba"), "pwd" : "f339ed38b24579da0ede4155f512f5cb", "roles" : [ "userAdminAnyDatabase", "clusterAdmin", "dbAdminAnyDatabase", "readWriteAnyDatabase" ], "user" : "pakhandi" }
{ "_id" : ObjectId("51c96e1484ae4576ab5cc36b"), "user" : "maloom", "pwd" : "05185521272a43524855f972b57b27b3", "roles" : [ "readWrite" ] }
{ "_id" : ObjectId("51c96a1384ae4576ab5cc360"), "otherDBRoles" : { "resto" : [ "readWrite" ] }, "roles" : [ "userAdmin", "read", "readWrite" ], "user" : "mampakha", "userSource" : "test" }
{ "_id" : ObjectId("51cec37684ae2f40a8ef6a9b"), "user" : "gor", "pwd" : "f5faa32210f2c4c281f375b0299069f2", "roles" : [ "read" ] }
> db.auth('gor', 'gor')
) //this should have failed |
| Comments |
| Comment by Spencer Brody (Inactive) [ 01/Jul/13 ] |
|
This is working as designed. You can only have 1 user logged in per database on each connection; however, the user "mampakha" is from the "test" database, while the user "gor" is from the "admin" database. We allow one connection to have multiple authentications so long as each authenticated user is from a different database. If you want to lose the privileges acquired via the "mampakha" user, you'll have to log out of the "test" database explicitly. |
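The rules in the comment above, replayed as an added JavaScript model (this is not code from the ticket, from the reporter, or from MongoDB itself). The user names and roles come from the ticket's db.system.users output; the role-to-action table, the Connection class and the step names are assumptions made for the illustration, and password checking is left out on purpose. The point it makes visible is the one the reporter missed: after db.auth('gor', 'gor') the connection carries two users, and the insert into admin succeeds through mampakha, not gor, until the connection logs out of "test".

```javascript
// Added example, not part of the ticket: a small model of the per-connection
// authentication rules described in the comment above for MongoDB 2.4.
//   1. A connection holds at most one authenticated user per authentication
//      (source) database; authenticating again against that database replaces it.
//   2. Users authenticated against different databases stack, and the
//      connection's effective privileges are the union of all of them.
//   3. A user's privileges drop only when the connection logs out of that
//      user's authentication database.
// User names and roles are taken from the ticket's db.system.users output;
// the role-to-action table below is a simplified assumption, not MongoDB's
// real role catalog, and password checking is deliberately left out.

const ROLE_ACTIONS = {
  read: ["find"],
  readWrite: ["find", "insert", "update", "remove"],
  userAdmin: ["createUser", "dropUser"],
};

// Per user: the database it authenticates against, and its roles per database.
// mampakha's document lives in admin with userSource "test", so it authenticates
// against test (and carries readWrite on resto via otherDBRoles); gor and
// maloom hold a pwd in admin and therefore authenticate against admin.
const USERS = {
  mampakha: { source: "test",  roles: { admin: ["userAdmin", "read", "readWrite"], resto: ["readWrite"] } },
  gor:      { source: "admin", roles: { admin: ["read"] } },
  maloom:   { source: "admin", roles: { admin: ["readWrite"] } },
};

class Connection {
  constructor() {
    this.bySource = new Map(); // authentication database -> user name
  }

  // Mirrors db.auth(user, pwd) issued on the user's authentication database.
  auth(userName) {
    const user = USERS[userName];
    if (!user) return false;
    this.bySource.set(user.source, userName); // rule 1: replace, never stack
    return true;
  }

  // Mirrors db.logout() issued on database `source`.
  logout(source) {
    return this.bySource.delete(source);
  }

  // Rule 2: union of every authenticated user's actions on targetDb.
  allowedActions(targetDb) {
    const actions = new Set();
    for (const userName of this.bySource.values()) {
      for (const role of USERS[userName].roles[targetDb] || []) {
        for (const action of ROLE_ACTIONS[role] || []) actions.add(action);
      }
    }
    return actions;
  }

  can(targetDb, action) {
    return this.allowedActions(targetDb).has(action);
  }

  // Sorted "user@sourceDb" labels: what a review of this connection must list.
  users() {
    return [...this.bySource.entries()].map(([src, u]) => `${u}@${src}`).sort();
  }
}

// Replays the ticket's session step by step and records, after each step,
// who is authenticated and whether an insert into admin.himal would be allowed.
function replayTicketSession() {
  const conn = new Connection();
  const steps = [];
  const record = (step) => steps.push({
    step, users: conn.users(), canInsertAdmin: conn.can("admin", "insert"),
  });

  conn.auth("mampakha");   // mongo --authenticationDatabase test -u mampakha ... admin
  record("auth mampakha");
  conn.auth("gor");        // > db.auth('gor', 'gor') while on admin
  record("auth gor");      // mampakha@test is still active, so the insert succeeds
  conn.auth("maloom");     // a second admin-sourced user replaces gor (rule 1)
  record("auth maloom");
  conn.logout("admin");    // drops maloom; mampakha@test still grants readWrite on admin
  record("logout admin");
  conn.logout("test");     // rule 3: only now do mampakha's privileges go away
  record("logout test");
  return steps;
}
```

Running replayTicketSession() shows canInsertAdmin staying true through the "auth gor" step and only turning false after "logout test", which is exactly the explicit logout the comment asks for. When auditing who a connection is acting as, list every entry of bySource, not just the most recent db.auth().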