[SERVER-13148] Authentication still holds after user removed Created: 12/Mar/14 Updated: 10/Dec/14 Resolved: 13/Mar/14 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Minor - P4 |
| Reporter: | yudho ahmad diponegoro | Assignee: | Andreas Nilsson |
| Resolution: | Duplicate | Votes: | 0 |
| Labels: | authentication, authorization, security | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
| Operating System: | ALL | ||||||||
| Steps To Reproduce: | Ensure there is already a user with the userAdminAnyDatabase privilege. ) ) |
| Participants: | |
| Description |
|
We have a database called "try" and a user with the "userAdmin" privilege on that database, named "userA". First we authenticate userA using ) The problem is, the user's authentication seems to still be there even after the user itself has been removed. The removeUser() implementation should call db.runCommand( {logout:1}) if the currently authenticated user is the user being removed. For the record, I tried it in an --auth enabled environment. |
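As an added example (not code from the ticket or from MongoDB), a shell-side wrapper implementing the mitigation the description proposes: read the connection's authenticated users with connectionStatus, remove the user, and log out if the removed user was the one authenticated on this database. The `db` object is passed in so that the constructed fake below, which reproduces the reported behaviour, can stand in for a real shell `db`; the connectionStatus field names (user with userSource or db) are assumed.

```javascript
// Added example, not code from the ticket or from MongoDB. Wraps the 2.4-era
// shell's db.removeUser() with the mitigation proposed in the description:
// if the user being removed is the one authenticated on this database, log out.
// Assumes connectionStatus reports authInfo.authenticatedUsers with fields
// user and userSource (2.4) or user and db (later releases).
function currentUsersOnDb(db) {
  var status = db.runCommand({ connectionStatus: 1 });
  var users = (status.authInfo && status.authInfo.authenticatedUsers) || [];
  var names = [];
  for (var i = 0; i < users.length; i++) {
    if ((users[i].userSource || users[i].db) === db.getName()) {
      names.push(users[i].user);
    }
  }
  return names;
}

function removeUserAndLogoutIfCurrent(db, username) {
  var wasCurrent = currentUsersOnDb(db).indexOf(username) !== -1;
  db.removeUser(username);
  if (wasCurrent) {
    // Drop the authentication state that would otherwise outlive the user record.
    db.runCommand({ logout: 1 });
  }
  return { removed: username, loggedOut: wasCurrent };
}

// Constructed fake `db` that reproduces the reported behaviour: removing the
// user record leaves the connection's authenticated-user list untouched.
function makeFakeDb(name, users, authenticated) {
  return {
    getName: function () { return name; },
    removeUser: function (u) { delete users[u]; },
    runCommand: function (cmd) {
      if (cmd.connectionStatus) {
        return { ok: 1, authInfo: { authenticatedUsers: authenticated.slice() } };
      }
      if (cmd.logout) { authenticated.length = 0; return { ok: 1 }; }
      throw new Error("command not supported by the fake: " + JSON.stringify(cmd));
    }
  };
}

// Scenario from the report: user b is authenticated on auth_try, then removed.
function demo() {
  var fake = makeFakeDb("auth_try", { b: { roles: ["userAdmin"] } },
                        [{ user: "b", userSource: "auth_try" }]);
  var result = removeUserAndLogoutIfCurrent(fake, "b");
  return { result: result, stillAuthenticated: currentUsersOnDb(fake) };
}
```

Against a real shell, pass the shell's `db` instead of the fake; a user authenticated on a different database (such as the admin superuser in the comments below) is left logged in, since only the removed user's own session is dropped.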
| Comments |
| Comment by yudho ahmad diponegoro [ 14/Mar/14 ] |
|
Good, I am relieved that this is already known and will be fixed. All the best for MongoDB. |
| Comment by Spencer Brody (Inactive) [ 13/Mar/14 ] |
|
Hi Yudho, |
| Comment by yudho ahmad diponegoro [ 13/Mar/14 ] |
|
The database version is 2.4.9. Below is a clearer version of the test. The problem persists even after logging out explicitly before creating the new user. Please use this instead of the one in my previous comment (Update: I have deleted my previous comment). Thanks.

$ mongo
) //ensuring no user is authenticated
{ "ok" : 1 }
> db.system.users.find()
> db.auth("a","a")
> //only user a as super user
)
{ "user" : "b", "pwd" : "6656024ee11c4a6ad77ea80e32248a6a", "roles" : [ "userAdmin" ], "_id" : ObjectId("532117db7d9c5f7aa7b8c2f4") }
> db.system.users.find()
{ "_id" : ObjectId("532117db7d9c5f7aa7b8c2f4"), "user" : "b", "pwd" : "6656024ee11c4a6ad77ea80e32248a6a", "roles" : [ "userAdmin" ] }
> //now logout from both auth_try db and admin db
)
{ "ok" : 1 }
> use admin
)
{ "ok" : 1 }
//now there is no active / authenticated user
)
)
{ "user" : "c", "pwd" : "7f0b49c365b73d574004631740ced692", "roles" : [ "read" ], "_id" : ObjectId("5321186c7d9c5f7aa7b8c2f6") }
> db.system.users.find()
{ "_id" : ObjectId("532117db7d9c5f7aa7b8c2f4"), "user" : "b", "pwd" : "6656024ee11c4a6ad77ea80e32248a6a", "roles" : [ "userAdmin" ] }
{ "_id" : ObjectId("5321186c7d9c5f7aa7b8c2f6"), "user" : "c", "pwd" : "7f0b49c365b73d574004631740ced692", "roles" : [ "read" ] }
> //now remove "b"
)
{ "user" : "d", "pwd" : "82927a83e3fce00ad0c7d08825093339", "roles" : [ "read" ], "_id" : ObjectId("532118bf7d9c5f7aa7b8c2f7") }
> //it is added!!
> db.system.users.find()
{ "_id" : ObjectId("5321186c7d9c5f7aa7b8c2f6"), "user" : "c", "pwd" : "7f0b49c365b73d574004631740ced692", "roles" : [ "read" ] }
{ "_id" : ObjectId("532118bf7d9c5f7aa7b8c2f7"), "user" : "d", "pwd" : "82927a83e3fce00ad0c7d08825093339", "roles" : [ "read" ] }
> //and just now we could access system.users too using a user that has just been removed
)
{ "ok" : 1 }
> db.system.users.find() |
| Comment by Andreas Nilsson [ 12/Mar/14 ] |
|
So I believe what is happening here is that the <superuser> is still logged on when you attempt to create user B. Can you try to log out the super user from the admin DB before attempting to create user B? Also, which version of the database are you using? Thanks. |