[SERVER-15575] Cannot do cluster actions on mongos despite having clusterAdmin role. Created: 08/Oct/14  Updated: 25/Oct/14  Resolved: 09/Oct/14

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 2.7.8

Type: Bug
Priority: Major - P3
Reporter: Timothy Olsen (Inactive)
Assignee: Andreas Nilsson
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

Set up a sharded cluster with auth.

Add a user with clusterAdmin role.

Log in to the mongos as the user and try cluster actions such as getCmdLineOpts or "show dbs".

 Description   

I am unable to execute commands on the cluster resource despite having the clusterAdmin role.

This is with master git commit 51aebc9b94c272eb251ff94d28be0c6fdd180de8 (binary downloaded from MCI)

mongos> db.version()
2.7.8-pre-
mongos> db.serverBuildInfo()
{
	"version" : "2.7.8-pre-",
	"gitVersion" : "51aebc9b94c272eb251ff94d28be0c6fdd180de8",
	"OpenSSLVersion" : "",
	"sysInfo" : "Darwin mci-osx108-2.build.10gen.cc 12.3.0 Darwin Kernel Version 12.3.0: Sun Jan  6 22:37:10 PST 2013; root:xnu-2050.22.13~1/RELEASE_X86_64 x86_64 BOOST_LIB_VERSION=1_49",
	"loaderFlags" : "-fPIC -pthread -Wl,-bind_at_load -mmacosx-version-min=10.6",
	"compilerFlags" : "-Wnon-virtual-dtor -Woverloaded-virtual -fPIC -fno-strict-aliasing -ggdb -pthread -Wall -Wsign-compare -Wno-unknown-pragmas -Winvalid-pch -pipe -Werror -O3 -Wno-unused-function -Wno-deprecated-declarations -mmacosx-version-min=10.6",
	"allocator" : "system",
	"versionArray" : [
		2,
		7,
		8,
		-100
	],
	"javascriptEngine" : "V8",
	"bits" : 64,
	"debug" : false,
	"maxBsonObjectSize" : 16777216,
	"ok" : 1
}
mongos> use admin
switched to db admin
mongos> db.auth('testuser', 'testpwd')
1
mongos> db.getUser('testuser')
{
	"_id" : "admin.testuser",
	"user" : "testuser",
	"db" : "admin",
	"roles" : [
		{
			"role" : "clusterAdmin",
			"db" : "admin"
		},
		{
			"role" : "dbAdminAnyDatabase",
			"db" : "admin"
		},
		{
			"role" : "readWriteAnyDatabase",
			"db" : "admin"
		},
		{
			"role" : "userAdminAnyDatabase",
			"db" : "admin"
		}
	]
}
mongos> db.runCommand({getCmdLineOpts: 1})
{
	"ok" : 0,
	"errmsg" : "not authorized on admin to execute command { getCmdLineOpts: 1.0 }",
	"code" : 13
}
mongos> show dbs
2014-10-08T18:33:52.465-0400 listDatabases failed:{
	"ok" : 0,
	"errmsg" : "not authorized on admin to execute command { listDatabases: 1.0 }",
	"code" : 13
} at src/mongo/shell/mongo.js:47
mongos> 

This does not happen with 2.7.7. I don't believe this happens with a replica set without sharding.

Assigning to andreas.nilsson@10gen.com on suggestion from spencer



 Comments   
Comment by Githook User [ 09/Oct/14 ]

Author: Andreas Nilsson (agralius) <andreas.nilsson@10gen.com>

Message: SERVER-15575 Re-add the closeAllDatabases action type

The closeAllDatabases action type was removed in
486862465517d1bf25e07dbb2c3cfc990fb08c80 but is needed
for backwards compatibility.
Branch: master
https://github.com/mongodb/mongo/commit/8ef589d359bcb57db83c5d53f1608afbf5b79a01

Comment by Timothy Olsen (Inactive) [ 09/Oct/14 ]

andreas.nilsson@10gen.com The patch fixed it!

Comment by Timothy Olsen (Inactive) [ 09/Oct/14 ]

Other privileges work fine. I was able to insert a document into a collection without any problem.

Another thing I just realized which may be a factor here (apologies for not realizing this earlier). The cluster in question is mostly 2.6.4. It is in the middle of upgrading and has only upgraded the first mongos to 2.7.8-pre. Only the first mongos shows this problem. The second mongos (still on 2.6.4) does not have this problem.

Comment by Timothy Olsen (Inactive) [ 09/Oct/14 ]

I just tried git commit 19142324b23e417093ae05a622babae3d31140b4 and it still happens with that commit. 19142324b23e417093ae05a622babae3d31140b4 is before (time-wise) 51aebc9b94c272eb251ff94d28be0c6fdd180de8 (the original git commit I reported) if it helps you narrow it down any.

Comment by Spencer Brody (Inactive) [ 09/Oct/14 ]

One thing that was interesting when I was looking at this with Tim was that we ran connectionStatus with the showPrivileges argument, and I didn't see any privileges corresponding to the cluster resource.

Comment by Timothy Olsen (Inactive) [ 09/Oct/14 ]

Correct
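
The check described in the comments above (connectionStatus with showPrivileges, looking for privileges on the cluster resource) can be automated. The following is an added example, not part of the ticket or of MongoDB's code: the function name, the role list constant and both sample replies are constructed for illustration, and it runs under Node against a saved reply.

```javascript
// Added example: audit a connectionStatus reply (showPrivileges: true) for
// privileges on the cluster resource. All helper names are hypothetical.

// Built-in roles expected to resolve to cluster-resource privileges.
const CLUSTER_ROLES = new Set([
  "clusterAdmin", "clusterManager", "clusterMonitor", "hostManager", "root",
]);

function auditClusterPrivileges(reply, requiredActions) {
  const info = (reply && reply.authInfo) || {};
  const roles = info.authenticatedUserRoles || [];
  const privileges = info.authenticatedUserPrivileges || [];

  // Collect every action granted on { cluster: true }.
  const granted = new Set();
  for (const p of privileges) {
    if (p.resource && p.resource.cluster === true) {
      for (const action of p.actions || []) granted.add(action);
    }
  }
  const clusterRoles = roles
    .filter((r) => CLUSTER_ROLES.has(r.role))
    .map((r) => `${r.db}.${r.role}`);
  return {
    clusterRoles,
    grantedClusterActions: [...granted].sort(),
    missing: requiredActions.filter((a) => !granted.has(a)),
    // Symptom from this ticket: the role is held, yet no cluster privilege resolved.
    roleWithoutPrivileges: clusterRoles.length > 0 && granted.size === 0,
  };
}

// Constructed sample modelled on the ticket's user: roles present, but no
// privilege entry for the cluster resource.
const affectedReply = { authInfo: {
  authenticatedUsers: [{ user: "testuser", db: "admin" }],
  authenticatedUserRoles: [
    { role: "clusterAdmin", db: "admin" },
    { role: "readWriteAnyDatabase", db: "admin" },
  ],
  authenticatedUserPrivileges: [
    { resource: { db: "", collection: "" }, actions: ["find", "insert", "remove", "update"] },
  ],
}, ok: 1 };

// Constructed sample of a reply where the cluster privileges did resolve.
const healthyReply = { authInfo: { ...affectedReply.authInfo,
  authenticatedUserPrivileges: [ ...affectedReply.authInfo.authenticatedUserPrivileges,
    { resource: { cluster: true }, actions: ["listDatabases", "getCmdLineOpts", "listShards"] },
  ] }, ok: 1 };
```

In a mixed-version cluster, compare the result from each mongos for the same user and the actions `getCmdLineOpts` and `listDatabases`; a role that is listed while `roleWithoutPrivileges` is true matches the symptom reported here.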
