[SERVER-14170] Cannot read from secondary if both audit and auth are enabled in a sharded cluster
Created: 05/Jun/14 Updated: 11/Mar/15 Resolved: 17/Jun/14

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 2.6.0, 2.6.2 |
| Fix Version/s: | 2.6.4, 2.7.2 |
| Type: | Bug | Priority: | Critical - P2 |
| Reporter: | Linda Qin | Assignee: | Andy Schwerin |
| Resolution: | Done | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Backport Completed: | |
| Participants: | |
| Description |
| Comments |
| Comment by Githook User [ 17/Jun/14 ] |
Author: Andy Schwerin (username: andy10gen, email: schwerin@mongodb.com)
Message: JS Regression test of
| Comment by Githook User [ 17/Jun/14 ] |
Author: Andy Schwerin (username: andy10gen, email: schwerin@mongodb.com)
Message: The test audit_read_from_sharded_secondaries.js inserts a document into a collection,
| Comment by Githook User [ 17/Jun/14 ] |
Author: Andy Schwerin (username: andy10gen, email: schwerin@mongodb.com)
Message: Executing this hook leads to commands that cannot be run by unauthenticated users,
| Comment by Andy Schwerin [ 17/Jun/14 ] |
Reopening because of test failure due to insufficient write concern. CR forthcoming.
| Comment by Githook User [ 10/Jun/14 ] |
Author: Andy Schwerin (username: andy10gen, email: schwerin@mongodb.com)
Message: JS Regression test of
| Comment by Githook User [ 10/Jun/14 ] |
Author: Andy Schwerin (username: andy10gen, email: schwerin@mongodb.com)
Message: Executing this hook leads to commands that cannot be run by unauthenticated users,
| Comment by Andy Schwerin [ 06/Jun/14 ] |
The proximate symptom is that mongos is sending the impersonatedUsers argument on getnonce and the other three authentication commands, when it talks to secondaries. I suspect it also sends it on ismaster to secondaries. The root cause has to do with when we set the hook on connections to add the impersonatedUsers field, in relation to when we authenticate connections. milkie is thinking about possible solutions.
| Comment by Matt Dannenberg [ 05/Jun/14 ] |
Sharding appears to be a necessary condition. I did the above steps without any mongos or configdb and did not come up against the problem.
| Comment by Matt Dannenberg [ 05/Jun/14 ] |
reproed:
| Comment by Eric Milkie [ 05/Jun/14 ] |
Hi Linda.