[SERVER-12621] Reduce localhost exception permissions
Created: 05/Feb/14
Updated: 27/Oct/15
Resolved: 23/May/14

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.5.5
Fix Version/s: 2.7.1

Type: Improvement
Priority: Major - P3
Reporter: Andreas Nilsson
Assignee: Amalia Hawkins
Resolution: Done
Votes: 0
Labels: 26qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by DRIVERS-162 Work around reduction of localhost ex... Closed
Gantt Dependency
has to be done before DOCS-3310 Update Localhost Exception Documentat... Closed
Related
related to DRIVERS-169 Work around localhost exception issue... Closed
related to RUBY-782 Change add_user helper command to wor... Closed
related to SERVER-13698 Add roles and privileges to connectio... Closed
is related to SERVER-11126 addUser does not work on mongos witho... Closed
is related to SERVER-11816 In sharded system with no shards, can... Closed
is related to JAVA-1528 Work around localhost exception issue... Closed
Backwards Compatibility: Fully Compatible

 Description   

Currently the localhost exception gives full privileges to all operations and commands. The purpose is only to create the first admin DB user.

Hence it would make sense to limit the localhost exception exposure to give the createUser action type on the admin DB, or possibly the UserAdmin role, if that is preferable from an implementation perspective.



 Comments   
Comment by Githook User [ 23/May/14 ]

Author: Amalia Hawkins (hawka) <amalia.hawkins@10gen.com>

Message: SERVER-12621 fix flaky auth_repl.js test
Branch: master
https://github.com/mongodb/mongo/commit/b804cb4dba4909e328611577bcd410712815aba8

Comment by Githook User [ 23/May/14 ]

Author: Amalia Hawkins (hawka) <amalia.hawkins@10gen.com>

Message: SERVER-12621 narrow the localhost exception when auth is enabled
Branch: master
https://github.com/mongodb/mongo/commit/1b4b52a9d413e145478a303b63ab760894938c80

Comment by Spencer Brody (Inactive) [ 23/Apr/14 ]

SERVER-11126 needs to be done before we can do this, or else we need to also allow the localhost exception to run addShard, or there'd be no way to bootstrap a new sharded system with security enabled.

Comment by Amalia Hawkins [ 22/Apr/14 ]

Switched to "Driver changes needed" because while the drivers themselves will not have to change, this will likely break a lot of their auth tests. (We tend to do a lot of "setup" on --auth databases without creating a user first, which will no longer work.)
