[SERVER-12616] can run adminCommands on mongos without authorization if config servers are down Created: 05/Feb/14  Updated: 11/Jul/16  Resolved: 12/Feb/14

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.5.5
Fix Version/s: 2.6.0-rc0

Type: Bug Priority: Critical - P2
Reporter: Thomas Rueckstiess Assignee: Andy Schwerin
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File mongos_authed_noconfig.js    
Backwards Compatibility: Fully Compatible
Operating System: ALL
Participants:

 Description   

When all config servers are down, admin commands can be executed on a mongos without the necessary privileges.

Reproduction steps:

  1. start sharded cluster with --keyFile authentication, add users
  2. kill all config servers
  3. log into mongos and execute admin commands that would otherwise require certain privileges, e.g. serverStatus would require clusterAdmin role

jstest is attached.

Example shell transcript:

with config server (here only 1) running

mongo
MongoDB shell version: 2.5.5
connecting to: test
Error while trying to show server startup warnings: not authorized on admin to execute command { getLog: "startupWarnings" }
mongos> db.adminCommand('serverStatus')
{
        "ok" : 0,
        "errmsg" : "not authorized on admin to execute command { serverStatus: 1.0 }",
        "code" : 13
}
mongos>
bye

kill config server

(ve)tr@enter:~/Documents/tmp$ psmongo
tr              86292   0.5  0.3  2751984  44876   ??  S     9:50pm   0:10.92 mongod --dbpath /Users/tr/Documents/tmp/data/config/db --logpath /Users/tr/Documents/tmp/data/config/mongod.log --port 27020 --logappend --keyFile /Users/tr/Documents/tmp/data/keyfile --configsvr --fork
tr              86262   0.4  0.1  2718168  10840   ??  S     9:47pm   0:10.07 mongod --dbpath /Users/tr/Documents/tmp/data/shard01/db --logpath /Users/tr/Documents/tmp/data/shard01/mongod.log --port 27018 --logappend --keyFile /Users/tr/Documents/tmp/data/keyfile --fork
tr              86265   0.4  0.1  2718168  10540   ??  S     9:47pm   0:09.96 mongod --dbpath /Users/tr/Documents/tmp/data/shard02/db --logpath /Users/tr/Documents/tmp/data/shard02/mongod.log --port 27019 --logappend --keyFile /Users/tr/Documents/tmp/data/keyfile --fork
tr              86271   0.3  0.0  2489404   6844   ??  S     9:47pm   0:07.25 mongos --logpath /Users/tr/Documents/tmp/data/mongos.log --port 27017 --configdb enter.local:27020 --logappend --keyFile /Users/tr/Documents/tmp/data/keyfile --fork
(ve)tr@enter:~/Documents/tmp$ kill 86292

Trying the same command again

(ve)tr@enter:~/Documents/tmp$ mongo
MongoDB shell version: 2.5.5
connecting to: test
mongos> db.adminCommand('serverStatus')
{
        "host" : "enter.local",
        "version" : "2.5.5",
        "process" : "mongos",
        "pid" : NumberLong(86271),
        "uptime" : 1821,
...



 Comments   
Comment by Eric Franckx [ 16/Jun/16 ]

Hi,
problem solved.
The config file (customer config) used to start the MMS database contains --> keyFile: /mongodb/keyfile --> we set it in comment and restart the database and could start the : service mongodb-mms start

Starting pre-flight checks
Successfully finished pre-flight checks

Migrate Ops Manager data
Running migrations...

[ OK ]
Start Ops Manager server
Instance 0 starting........................[ OK ]
Starting pre-flight checks
Successfully finished pre-flight checks

Start Backup Daemon...[ OK ]

ticket can be closed.
Regards,
Eric

Comment by Githook User [ 12/Feb/14 ]

Author:

{u'username': u'andy10gen', u'name': u'Andy Schwerin', u'email': u'schwerin@10gen.com'}

Message: SERVER-12616 Presume that the localhost exception does not apply in mongos when configs unreachable.

If the config servers become unreachable by a mongos server in systems with access control enabled,
that mongos must assume that there are user documents in the config server and so the localhost
exception does not apply. Otherwise, one needs only block access to the config servers to bypass
access controls. While the mongos won't be able to do metadata operations, it will be able to
read and write arbitrary data, when directed to do so by a client on the localhost interface.
Branch: master
https://github.com/mongodb/mongo/commit/3c3b8ee5fcd3f26cf09f6d2997a1dbed55942e59

Generated at Thu Feb 08 03:29:03 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.