|
Start the server with SSL, a CRL, CA-based client-certificate validation and authentication enabled. Note that `--sslWeakCertificateValidation` relaxes client-certificate checking so that a client presenting no certificate may still connect; the client used below does present one (jstests/libs/client.pem), so that flag is not what causes the failure seen here. Invoke it like so:
$ ./mongod --dbpath /path/to/data --sslOnNormalPorts --sslPEMKeyFile jstests/libs/server.pem --sslCRLFile jstests/libs/crl.pem --sslCAFile jstests/libs/ca.pem --sslWeakCertificateValidation --auth
|
Start the shell with the client certificate (note that, as invoked, the shell passes no `--sslCAFile`, so it does not validate the server's certificate — acceptable for a local repro, not for a real deployment), switch to `$external`, create a user whose name is the certificate's subject DN and grant it clusterAdmin plus every *AnyDatabase role (all sourced from `admin`), authenticate with the MONGODB-X509 mechanism, and then attempt any operation on another database:
./mongo --ssl --sslPEMKeyFile jstests/libs/client.pem
|
MongoDB shell version: 2.5.3-pre-
|
connecting to: test
|
Server has startup warnings:
|
2013-09-27T12:35:16.503-0700 [initandlisten]
|
2013-09-27T12:35:16.503-0700 [initandlisten] ** NOTE: This is a development version (2.5.3-pre-) of MongoDB.
|
2013-09-27T12:35:16.503-0700 [initandlisten] ** Not recommended for production.
|
2013-09-27T12:35:16.503-0700 [initandlisten]
|
> use $external
|
switched to db $external
|
> db.addUser({user: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US", roles: [
|
... {name: 'clusterAdmin', source: 'admin', hasRole: true, 'canDelegate': true},
|
... {name: 'userAdminAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true},
|
... {name: 'readWriteAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true},
|
... {name: 'dbAdminAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true}]})
|
{
|
"user" : "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US",
|
"roles" : [
|
{
|
"name" : "clusterAdmin",
|
"source" : "admin",
|
"hasRole" : true,
|
"canDelegate" : true
|
},
|
{
|
"name" : "userAdminAnyDatabase",
|
"source" : "admin",
|
"hasRole" : true,
|
"canDelegate" : true
|
},
|
{
|
"name" : "readWriteAnyDatabase",
|
"source" : "admin",
|
"hasRole" : true,
|
"canDelegate" : true
|
},
|
{
|
"name" : "dbAdminAnyDatabase",
|
"source" : "admin",
|
"hasRole" : true,
|
"canDelegate" : true
|
}
|
]
|
}
|
> db.auth({user: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US", mechanism: 'MONGODB-X509'})
|
1
|
> use test
|
switched to db test
|
> db.foo.count()
|
2013-09-27T12:39:04.609-0700 count failed: {
|
"ok" : 0,
|
"errmsg" : "not authorized on test to execute command { count: \"foo\", query: {}, fields: {} }",
|
"code" : 13
|
} at src/mongo/shell/query.js:188
|
>
|
Note that db.auth() returns 1 (authentication succeeded), yet the very next command on `test` is rejected with code 13 (Unauthorized); the same rejection appears on `admin` for the replSetGetStatus call the shell issues on its own. So the X.509 identity is accepted, but the roles stored in the `$external` user document do not appear to be applied to the authenticated session. From the mongod log:
2013-09-27T12:38:16.551-0700 [clientcursormon] connections:1
|
2013-09-27T12:38:57.504-0700 [conn1] authenticate db: $external { authenticate: 1, mechanism: "MONGODB-X509", user: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US" }
|
2013-09-27T12:38:57.504-0700 [conn1] Unauthorized not authorized on admin to execute command { replSetGetStatus: 1.0, forShell: 1.0 }
|
2013-09-27T12:39:04.608-0700 [conn1] Unauthorized not authorized on test to execute command { count: "foo", query: {}, fields: {} }
|
|