[SERVER-17686] Access to http interface when authentication is enabled
Created: 23/Mar/15 Updated: 12/May/15 Resolved: 12/May/15
| Status: | Closed |
| Project: | Core Server |
| Component/s: | HTTP Console, Security |
| Affects Version/s: | 2.6.3 |
| Fix Version/s: | None |
| Type: | Question | Priority: | Minor - P4 |
| Reporter: | ananth | Assignee: | Unassigned |
| Resolution: | Duplicate | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Description |
http://localhost:28017 access is possible without username/password when security is enabled (user exists in db). Shell access and host:28017 is not possible without user name password when security is enabled and user exists. Is this expected behavior?
| Comments |
| Comment by Spencer Brody (Inactive) [ 12/May/15 ] |
Hi franky, yes you are correct, I believe you are encountering
| Comment by Fanky [ 28/Apr/15 ] |
Is the username/password requirement forced in Mongo 3.0 when accessing the HTTP status interface from localhost? I've tested version 2.4, mongod started with --auth parameter, from localhost, I could go to http://127.0.0.1:28017/ without username/password.
| Comment by Andreas Nilsson [ 27/Apr/15 ] |
franky, thanks for your report. This looks like a docs typo to me. Authentication is always required if there are users in the database. The localhost exception only applies if there are no users. Regards,
| Comment by Fanky [ 27/Apr/15 ] |
Hi, net: There're users in db (auth version is: 3.0). I don't know why authentication is always required when accessing http://localhost:28017 or http://my_ip:28017 from local machine or another machine?
| Comment by ananth [ 24/Mar/15 ] |
It does ask for username/password when we go through hostname:port. It won't ask for username/password when we go through localhost. If both ways, it does not ask for password then it is consistent with documentation. The reason I asked it here and not on Stack Overflow is because I felt this is something mongo internals.
| Comment by Ramon Fernandez Marina [ 23/Mar/15 ] |
Yes ananth12, this is expected. Please see the documentation on the HTTP interface, and especially the security implications of enabling the REST API. Please note that the SERVER project is for reporting bugs or feature suggestions for the MongoDB server. For MongoDB-related support discussion please post on the mongodb-user group or Stack Overflow with the mongodb tag, where your question will reach a larger audience. A question like this involving more discussion would be best posted on the mongodb-user group. Regards,