[SERVER-13148] Authentication still holds after user removed Created: 12/Mar/14  Updated: 10/Dec/14  Resolved: 13/Mar/14

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor - P4
Reporter: yudho ahmad diponegoro Assignee: Andreas Nilsson
Resolution: Duplicate Votes: 0
Labels: authentication, authorization, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates SERVER-6620 Auth credentials should be invalidate... Closed
Operating System: ALL
Steps To Reproduce:

Ensure there is already a user with the userAdminAnyDatabase privilege.
Run mongod with the --auth option
Open the mongo shell
use admin
db.auth(<superusername>,<superuserpw>)
use try
db.addUser({user:"a",pwd:"a",roles:["userAdmin"]})
db.auth("a","a")
db.removeUser("a")
db.addUser({user:"a",pwd:"b",roles:["read"]})
Check whether user b is added

Participants:

Description

We have a database called "try" and a user with the "userAdmin" privilege on that database named "userA".

First we authenticate userA using
db.auth("userA","a")
Then, we remove userA using
db.removeUser("userA")
Then, we try to add a user on database "try"
db.addUser({user:"userB",pwd:"b",roles:["read"]})
It still works!
Now we authenticate B
db.auth("userB")
And see the content of the database
db.customers.find()
This shows the documents.

The problem is, the user authentication seems to still be there even after the user itself has been removed. The removeUser() implementation should call db.runCommand({logout:1}) if the current authenticated user is the user being removed.

Note: I tried it in an --auth enabled environment.



Comments
Comment by yudho ahmad diponegoro [ 14/Mar/14 ]

Good, I am relieved that this has been known and will be fixed. All the best for mongodb.

Comment by Spencer Brody (Inactive) [ 13/Mar/14 ]

Hi Yudho,
Sorry about the confusion, this is actually a known issue in 2.4 and prior: SERVER-6620. Privileges in 2.4 and prior are acquired at authentication time and then never revoked unless the connection closes or the logout command is run. This will be fixed in the upcoming 2.6 release. In 2.6, any changes made to a user (including dropping that user) will be immediately reflected on all logged in connections to a mongod. In a sharded system, the mongos that made the change will see it immediately on all connections, but the other mongoses in the system will have a delay for the change to propagate, which defaults to 10 minutes but can be tuned down at the cost of extra load on the config servers.

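The stale-privilege behaviour reported in the description and explained in the comment above, as an added model (my own code, not MongoDB's): one shared user store and three session policies, cached (2.4: privileges snapshotted at auth), selfLogout (the client-side fix the description proposes) and live (2.6: re-read on every check). The role-to-privilege mapping, the user names and the replay() helper are assumptions; replay returns true when the removed user's session can still add a user.

```javascript
// Added model of this ticket's behaviour, not MongoDB code. Session policies over
// one shared user store (the role -> privilege mapping is an assumption):
//  cached      privileges snapshotted at auth() and kept until logout (2.4.9 as seen)
//  selfLogout  cached, plus the description's proposal: removeUser() of yourself logs out
//  live        every check re-reads the user document (2.6, per the comments)
const ROLE_PRIVS = { userAdmin: ['addUser', 'removeUser'], read: ['find'] };

// store: Map of user name -> { pwd, roles }, shared by every Session
function privsOf(store, user) {
  const doc = store.get(user);
  return new Set(doc ? doc.roles.flatMap(r => ROLE_PRIVS[r] || []) : []);
}

class Session {
  constructor(store, policy) { this.store = store; this.policy = policy; this.logout(); }
  logout() { this.user = null; this.cached = new Set(); }
  auth(user, pwd) {
    const doc = this.store.get(user);
    if (!doc || doc.pwd !== pwd) return false;
    this.user = user;
    this.cached = privsOf(this.store, user); // the snapshot that goes stale on 2.4
    return true;
  }
  can(priv) { return (this.policy === 'live' ? privsOf(this.store, this.user) : this.cached).has(priv); }
  addUser(user, pwd, roles) {
    if (!this.can('addUser')) return false;
    this.store.set(user, { pwd, roles });
    return true;
  }
  removeUser(user) {
    if (!this.can('removeUser')) return false;
    this.store.delete(user);
    if (this.policy === 'selfLogout' && user === this.user) this.logout();
    return true;
  }
}

// Replays the ticket: "b" (userAdmin) is removed, by itself or from a second
// connection, then b's session tries to add "d". true = stale privileges honoured.
function replay(policy, removedFromOtherConnection) {
  const store = new Map([['admin', { pwd: 'a', roles: ['userAdmin'] }],
                         ['b', { pwd: 'b', roles: ['userAdmin'] }]]);
  const sb = new Session(store, policy);
  sb.auth('b', 'b');
  const remover = removedFromOtherConnection ? new Session(store, policy) : sb;
  if (remover !== sb) remover.auth('admin', 'a');
  remover.removeUser('b');
  return sb.addUser('d', 'd', ['read']);
}
```

Under both cached and selfLogout the second-connection replay still returns true, which is the case that only a server-side change like the 2.6 one covers.
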
Comment by yudho ahmad diponegoro [ 13/Mar/14 ]

The database version is 2.4.9. Below is a clearer version of the test. The problem persists even after logging out explicitly before creating a new user. Please use this instead of the one in my previous comment (Update: I have deleted my previous comment). Thanks.

$ mongo
MongoDB shell version: 2.4.9
connecting to: test
> use admin
switched to db admin
> db.runCommand({logout:1}) //ensuring no user is authenticated
{ "ok" : 1 }
> db.system.users.find()
error: { "$err" : "not authorized for query on admin.system.users", "code" : 16550 }
> db.auth("a","a")
1
> db.system.users.find()
{ "_id" : ObjectId("5320e2f23f9774ccf2c3fec8"), "user" : "a", "pwd" : "5b4670e18ca64d7351f100f99fc5d0ba", "roles" : [ "userAdminAnyDatabase" ] }
> //only user a as super user
> use auth_try
switched to db auth_try
> db.system.users.find()
> //db auth_try doesn't have any user
> //creating a user admin for auth_try database
> db.addUser({user:"b",pwd:"b",roles:["userAdmin"]})
{ "user" : "b", "pwd" : "6656024ee11c4a6ad77ea80e32248a6a", "roles" : [ "userAdmin" ], "_id" : ObjectId("532117db7d9c5f7aa7b8c2f4") }
> db.system.users.find()
{ "_id" : ObjectId("532117db7d9c5f7aa7b8c2f4"), "user" : "b", "pwd" : "6656024ee11c4a6ad77ea80e32248a6a", "roles" : [ "userAdmin" ] }
> //now logout from both auth_try db and admin db
> db.runCommand({logout:1})
{ "ok" : 1 }
> use admin
switched to db admin
> db.runCommand({logout:1})
{ "ok" : 1 }
//now there is no active / authenticated user
> use auth_try
switched to db auth_try
> //try to add user with no login
> db.addUser({user:"c",pwd:"c",roles:["read"]})
{
	"user" : "c",
	"pwd" : "7f0b49c365b73d574004631740ced692",
	"roles" : [
		"read"
	],
	"_id" : ObjectId("532118337d9c5f7aa7b8c2f5")
}
Thu Mar 13 09:30:11.572 couldn't add user: not authorized for insert on auth_try.system.users at src/mongo/shell/db.js:128
> //user cannot be added
> //login as user admin "b"
> db.auth("b","b") // b must be the only one authenticated user currently
1
> //create "c"
> db.addUser({user:"c",pwd:"c",roles:["read"]})
{ "user" : "c", "pwd" : "7f0b49c365b73d574004631740ced692", "roles" : [ "read" ], "_id" : ObjectId("5321186c7d9c5f7aa7b8c2f6") }
> db.system.users.find()
{ "_id" : ObjectId("532117db7d9c5f7aa7b8c2f4"), "user" : "b", "pwd" : "6656024ee11c4a6ad77ea80e32248a6a", "roles" : [ "userAdmin" ] }
{ "_id" : ObjectId("5321186c7d9c5f7aa7b8c2f6"), "user" : "c", "pwd" : "7f0b49c365b73d574004631740ced692", "roles" : [ "read" ] }
> //now remove "b"
> db.removeUser("b")
> //try to make user "d", it is supposed to fail since "b" has just been removed
> db.addUser({user:"d",pwd:"d",roles:["read"]})
{ "user" : "d", "pwd" : "82927a83e3fce00ad0c7d08825093339", "roles" : [ "read" ], "_id" : ObjectId("532118bf7d9c5f7aa7b8c2f7") }
> //it is added!!
> db.system.users.find()
{ "_id" : ObjectId("5321186c7d9c5f7aa7b8c2f6"), "user" : "c", "pwd" : "7f0b49c365b73d574004631740ced692", "roles" : [ "read" ] }
{ "_id" : ObjectId("532118bf7d9c5f7aa7b8c2f7"), "user" : "d", "pwd" : "82927a83e3fce00ad0c7d08825093339", "roles" : [ "read" ] }
> //and just now we could access system.users too using a user that has just been removed
> db.runCommand({logout:1})
{ "ok" : 1 }
> db.system.users.find()
error: {
	"$err" : "not authorized for query on auth_try.system.users",
	"code" : 16550
}
> //only now, after logout, authentication works again.
>

Comment by Andreas Nilsson [ 12/Mar/14 ]

So I believe what is happening here is that the <superuser> is still logged on when you attempt to create user B.

Can you try to log out the super user from the admin DB before attempting to create user B? Also, which version of the database are you using?

Thanks.
