[SERVER-13057] Writes throw sometimes in shell (authz error) Created: 05/Mar/14  Updated: 11/Jul/16  Resolved: 19/Mar/14

Status: Closed
Project: Core Server
Component/s: Shell, Write Ops
Affects Version/s: None
Fix Version/s: 2.6.0-rc2

Type: Bug Priority: Critical - P2
Reporter: Andreas Nilsson Assignee: Greg Studer
Resolution: Done Votes: 0
Labels: 26qa, bulk_api
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File bulk_api_authz_failure.js    
Issue Links:
Related
Backwards Compatibility: Major Change
Operating System: ALL
Steps To Reproduce:

./mongo bulk_api_authz_failure.js

or

python buildscripts/smoke.py --mode=files --use-write-commands bulk_api_authz_failure.js

Participants:

 Description   

An authz error for a batch in a bulk operation will make the whole batch fail and throw an exception if using write commands.

The expected behavior is to report the error correctly and finish execution as is done for write or writeConcern errors.

Problem number 2 is that unordered operations behaves like ordered and not all permitted actions are actually being executed. In the example below we do the following with permissions to do insert but not remove.

insert({a:1})
insert({a:2})
remove({a:1})
insert({a:3})

but only the two first inserts are being acknowledged.

Please note that this only occurs if the shell is run in --write-mode commands or equivalently smoke.py is invoked with --use-write-commands. The actual shell error is

2014-03-05T15:32:06.976-0500 Error: batch failed, cannot aggregate results: not authorized on test to execute command { delete: "bulk_api_auth_failure_cases", deletes: [ { q: { a: 1.0 }, limit: 1.0 } ], ordered: false, writeConcern: { w: 1.0 } } at src/mongo/shell/bulk_api.js:696

Note: Previously users were required to call getLastError to check and there was no exception generated. In most other languages this is not the same behavior because getLastError was not suggested since writes took a write-concern (either via a default set at the client/db/collection level).



 Comments   
Comment by Githook User [ 18/Mar/14 ]

Author:

{u'username': u'gregstuder', u'name': u'Greg Studer', u'email': u'greg@10gen.com'}

Message: SERVER-13057 push shell write errors more in line with other drivers
(cherry picked from commit 6ee3a36bdb672e0e7b893a77334e932d8d1eab8c)
Branch: v2.6
https://github.com/mongodb/mongo/commit/43be3d5a87c70a82a36f4116b733d35a514564ae

Comment by Githook User [ 18/Mar/14 ]

Author:

{u'username': u'gregstuder', u'name': u'Greg Studer', u'email': u'greg@10gen.com'}

Message: SERVER-13057 push shell write errors more in line with other drivers
Branch: master
https://github.com/mongodb/mongo/commit/6ee3a36bdb672e0e7b893a77334e932d8d1eab8c

Comment by Greg Studer [ 10/Mar/14 ]

Discussed - think the agreed behavior change was that insert/update/delete should only throw when getLastError would not return a value. The bulk api throws typed objects.

Comment by Scott Hernandez (Inactive) [ 07/Mar/14 ]

Greg, parking with you while you think about it, and until we can come to a conclusion about changes.

Comment by Scott Hernandez (Inactive) [ 05/Mar/14 ]

This is backwards breaking for scripts, which is not good.

Comment by Andreas Nilsson [ 05/Mar/14 ]

The issue is actually more generic then described above. A simple insert or remove will use the bulk write API and hence throw an exception if the authz check fails.

In the enclosed JS file adding:

authColl.insert({a:1});
authColl.remove({a:1}); 

will exhibit the same behavior.

Generated at Thu Feb 08 03:30:30 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.