[SERVER-10946] MONGODB-X509 auth appears to succeed but all operations fail with code 13 Created: 27/Sep/13  Updated: 11/Jul/16  Resolved: 30/Sep/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 2.5.3

Type: Bug Priority: Major - P3
Reporter: Bernie Hackett Assignee: Andreas Nilsson
Resolution: Done Votes: 0
Labels: 26qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL

Description

Start the server like so:

$ ./mongod --dbpath /path/to/data --sslOnNormalPorts --sslPEMKeyFile jstests/libs/server.pem --sslCRLFile jstests/libs/crl.pem --sslCAFile jstests/libs/ca.pem --sslWeakCertificateValidation --auth

Start the shell, create a user with all the any* roles, then try to do anything:

./mongo --ssl --sslPEMKeyFile jstests/libs/client.pem 
MongoDB shell version: 2.5.3-pre-
connecting to: test
Server has startup warnings: 
2013-09-27T12:35:16.503-0700 [initandlisten] 
2013-09-27T12:35:16.503-0700 [initandlisten] ** NOTE: This is a development version (2.5.3-pre-) of MongoDB.
2013-09-27T12:35:16.503-0700 [initandlisten] **       Not recommended for production.
2013-09-27T12:35:16.503-0700 [initandlisten] 
> use $external
switched to db $external
> db.addUser({user: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US", roles: [
... {name: 'clusterAdmin', source: 'admin', hasRole: true, 'canDelegate': true},
... {name: 'userAdminAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true},
... {name: 'readWriteAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true},
... {name: 'dbAdminAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true}]})
{
	"user" : "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US",
	"roles" : [
		{
			"name" : "clusterAdmin",
			"source" : "admin",
			"hasRole" : true,
			"canDelegate" : true
		},
		{
			"name" : "userAdminAnyDatabase",
			"source" : "admin",
			"hasRole" : true,
			"canDelegate" : true
		},
		{
			"name" : "readWriteAnyDatabase",
			"source" : "admin",
			"hasRole" : true,
			"canDelegate" : true
		},
		{
			"name" : "dbAdminAnyDatabase",
			"source" : "admin",
			"hasRole" : true,
			"canDelegate" : true
		}
	]
}
> db.auth({user: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US", mechanism: 'MONGODB-X509'})
1
> use test
switched to db test
> db.foo.count()
2013-09-27T12:39:04.609-0700 count failed: {
	"ok" : 0,
	"errmsg" : "not authorized on test to execute command { count: \"foo\", query: {}, fields: {} }",
	"code" : 13
} at src/mongo/shell/query.js:188
> 

Note that db.auth() returns 1 (successful). From the mongod log:

2013-09-27T12:38:16.551-0700 [clientcursormon]  connections:1
2013-09-27T12:38:57.504-0700 [conn1]  authenticate db: $external { authenticate: 1, mechanism: "MONGODB-X509", user: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US" }
2013-09-27T12:38:57.504-0700 [conn1] Unauthorized not authorized on admin to execute command { replSetGetStatus: 1.0, forShell: 1.0 }
2013-09-27T12:39:04.608-0700 [conn1] Unauthorized not authorized on test to execute command { count: "foo", query: {}, fields: {} }
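As an added example (not part of the ticket or the MongoDB code base): a small log check for the symptom above, a connection whose authenticate entry is followed only by Unauthorized errors, so a user that authenticated with no effective roles is caught from the server log rather than from db.auth()'s return value. The sample lines are constructed, modelled on the excerpt above (conn2 is made up for contrast), and the shell's own replSetGetStatus probe is treated as expected noise.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the mongod excerpt in the ticket;
# conn2 and its timestamps are made up for contrast.
SAMPLE_LOG = """\
2013-09-27T12:38:16.551-0700 [clientcursormon]  connections:1
2013-09-27T12:38:57.504-0700 [conn1]  authenticate db: $external { authenticate: 1, mechanism: "MONGODB-X509", user: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US" }
2013-09-27T12:38:57.504-0700 [conn1] Unauthorized not authorized on admin to execute command { replSetGetStatus: 1.0, forShell: 1.0 }
2013-09-27T12:39:04.608-0700 [conn1] Unauthorized not authorized on test to execute command { count: "foo", query: {}, fields: {} }
2013-09-27T12:40:01.000-0700 [conn2]  authenticate db: admin { authenticate: 1, mechanism: "MONGODB-CR", user: "app" }
2013-09-27T12:40:02.000-0700 [conn2] Unauthorized not authorized on admin to execute command { replSetGetStatus: 1.0, forShell: 1.0 }
2013-09-27T12:40:03.000-0700 [conn2] command test.$cmd command: { count: "foo" } ntoreturn:1 keyUpdates:0 reslen:48 120ms
"""

LINE_RE = re.compile(r'^(\S+) \[(conn\d+)\]\s+(.*)$')
AUTH_RE = re.compile(r'^authenticate db: (\S+) \{.*?mechanism: "([^"]+)".*?user: "([^"]+)"')
DENIED_RE = re.compile(r'^Unauthorized not authorized on (\S+) to execute command \{ (\w+):')

# The shell probes replSetGetStatus on connect; that denial is expected for any
# user without cluster privileges and says nothing about missing roles.
SHELL_NOISE = {"replSetGetStatus"}

def parse_events(log_text):
    """Per connection: the authenticate event, later denials, and logged successful commands."""
    conns = defaultdict(lambda: {"auth": None, "denied": [], "allowed": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a per-connection line (e.g. clientcursormon)
        _ts, conn, msg = m.groups()
        rec = conns[conn]
        a = AUTH_RE.match(msg)
        d = DENIED_RE.match(msg)
        if a:
            rec["auth"] = {"db": a.group(1), "mechanism": a.group(2), "user": a.group(3)}
        elif d:
            if d.group(2) not in SHELL_NOISE:
                rec["denied"].append((d.group(1), d.group(2)))
        elif rec["auth"] and msg.startswith(("command ", "query ")):
            rec["allowed"] += 1  # a command that was logged and not refused
    return conns

def find_roleless_sessions(log_text):
    """Connections that authenticated but were refused every command that got logged.
    Heuristic: mongod logs only slow commands by default, so a session with one
    stray denial and no logged command can surface here; treat hits as leads."""
    return [{"conn": c, **r["auth"], "denied": r["denied"]}
            for c, r in parse_events(log_text).items()
            if r["auth"] and r["denied"] and r["allowed"] == 0]
```

On the sample, only conn1 is reported: X.509 authentication on $external followed by a refused count on test, which is exactly the state this ticket describes.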
Comments
Comment by Bernie Hackett [ 30/Sep/13 ]

Great! Seems to work right now. Thanks.

Comment by auto [ 30/Sep/13 ]

Author: Andreas Nilsson (agralius) <andreas.nilsson@10gen.com>

Message: SERVER-10946 Fixed user acquisition for $external
Branch: master
https://github.com/mongodb/mongo/commit/7e57c5311b0b660cf2df6d3c2cd01245adbafe21

Comment by Bernie Hackett [ 27/Sep/13 ]

I wonder if the roles are just being ignored because they aren't defined on $external? That would explain why auth succeeded but subsequent operations fail. It's like adding a user with no roles.

Generated at Thu Feb 08 03:24:28 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.