[SERVER-12693] Inserting an invalid doc into new_users and setting authSchemaVersion to 2 makes auth fail after authSchemaUpgrade Created: 12/Feb/14 Updated: 10/Dec/14 Resolved: 26/Feb/14 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Minor - P4 |
| Reporter: | Valeri Karpov | Assignee: | Andy Schwerin |
| Resolution: | Won't Fix | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Operating System: | ALL |
| Steps To Reproduce: | See above. Code available at https://github.com/10gen/QA/blob/master/QA-424/sharded_upgrade_invalid_new_users.js |
| Participants: |
| Description |
|
See https://github.com/10gen/QA/blob/master/QA-424/sharded_upgrade_invalid_new_users.js Essentially what this test does is: 1) Set up a 2.4 sharded cluster with 2 users What ends up happening is that the auth schema version is 3, but I'm unable to log in after the upgrade. Any ideas what's going on here? |
| Comments |
| Comment by Valeri Karpov [ 26/Feb/14 ] |
|
Hi schwerin. Sorry it took me so long to get back to you. At a glance, it looks like everything works just fine if you omit step 4 above. I don't see this as a huge issue because it requires a concerted effort at breaking things, but it may be worth taking a look at. |
| Comment by Andy Schwerin [ 19/Feb/14 ] |
|
If you'd skipped step 4, valeri.karpov, would you have been able to log in after step 5? |
| Comment by Spencer Brody (Inactive) [ 19/Feb/14 ] |
|
Assigning to Andy for triage |
| Comment by Valeri Karpov [ 14/Feb/14 ] |
|
schwerin I'm not logging in after setting currentVersion to 2, I'm logging in after running authSchemaUpgrade with the currentVersion set to 2 with invalid new_users. Do you think it's worth adding some validation to scrap invalid new_users? Also, perhaps it's worth adding some validation to make sure that all criteria for being in authSchemaVersion=2 are met if you're running an authSchemaUpgradeStep and you see that authSchemaVersion is 2? |
| Comment by Andy Schwerin [ 12/Feb/14 ] |
|
There's no validation of documents in admin.system.new_users when transferring them to admin.system.users. I'm surprised you were able to log in after you set currentVersion to 2, since when currentVersion is 2, the contents of new_users are used for access control and authentication. |