[SERVER-17686] Access to http interface when authentication is enabled
Created: 23/Mar/15  Updated: 12/May/15  Resolved: 12/May/15

Status: Closed
Project: Core Server
Component/s: HTTP Console, Security
Affects Version/s: 2.6.3
Fix Version/s: None

Type: Question
Priority: Minor - P4
Reporter: ananth
Assignee: Unassigned
Resolution: Duplicate
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates SERVER-17379 HTTP interface's localhost exception ... Closed
Participants:

 Description   

http://localhost:28017 access is possible without a username/password when security is enabled (a user exists in the db). Shell access and host:28017 access are not possible without a username/password when security is enabled and a user exists. Is this expected behavior?



 Comments   
Comment by Spencer Brody (Inactive) [ 12/May/15 ]

Hi franky, yes you are correct, I believe you are encountering SERVER-17379 which has been fixed in 3.0.1 and newer releases. Sorry for the confusion.

Comment by Fanky [ 28/Apr/15 ]

Is the username/password requirement forced in Mongo 3.0 when accessing http status interface from localhost?

I've tested version 2.4, mongod started with --auth parameter, from localhost, I could go to http://127.0.0.1:28017/ without username/password.

Comment by Andreas Nilsson [ 27/Apr/15 ]

franky thanks for your report. This looks like a docs typo to me. Authentication is always required if there are users in the database.

The localhost exception only applies if there are no users.

Regards,
Andreas

Comment by Fanky [ 27/Apr/15 ]

Hi,
I have mongo 3.0 http status interface listening on port 28017. Here's my config:

net:
  port: 27017
  http:
    enabled: true
    RESTInterfaceEnabled: false
security:
  authorization: "enabled"
  keyFile: "..."

There're users in db (auth version is: 3.0).
According to the doc "If security is configured for a mongod instance, authentication is required for a client to access the http interface from another machine", the http interface should be accessible from the local machine without username/password.

I don't know why authentication is always required when accessing http://localhost:28017 or http://my_ip:28017 from local machine or another machine?

Comment by ananth [ 24/Mar/15 ]

It does ask for a username/password when we go through hostname:port. It won't ask for a username/password when we go through localhost. If, both ways, it does not ask for a password, then it is consistent with the documentation. The reason I asked it here and not on Stack Overflow is that I felt this is something about mongo internals.

Comment by Ramon Fernandez Marina [ 23/Mar/15 ]

Yes ananth12, this is expected. Please see the documentation on the HTTP interface, and especially the security implications of enabling the REST API.

Please note that the SERVER project is for reporting bugs or feature suggestions for the MongoDB server. For MongoDB-related support discussion please post on the mongodb-user group or Stack Overflow with the mongodb tag, where your question will reach a larger audience. A question like this involving more discussion would be best posted on the mongodb-user group.

Regards,
Ramón.
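
The following is an added example, not part of the original thread and not MongoDB project code: a small check an administrator can run on the mongod host to see whether the status page answers without credentials, and whether loopback and other addresses behave the same way. The function names and the stub server are assumptions made for this sketch; only the URLs on port 28017 come from the thread.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Ignore proxy environment variables so loopback probes go direct.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def probe(url, timeout=3.0):
    """Send one GET with no credentials and classify the answer."""
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            return "open" if resp.status == 200 else f"http-{resp.status}"
    except urllib.error.HTTPError as exc:  # must precede URLError (subclass)
        return "auth-required" if exc.code == 401 else f"http-{exc.code}"
    except (urllib.error.URLError, OSError):
        return "unreachable"


def audit(urls):
    """Probe every URL; consistent is False when reachable answers differ."""
    results = {u: probe(u) for u in urls}
    seen = {r for r in results.values() if r != "unreachable"}
    return results, len(seen) <= 1


def start_stub(require_auth):
    """Constructed stand-in for a status page (demo only, not mongod)."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if require_auth and "Authorization" not in self.headers:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="stub"')
                self.end_headers()
            else:
                self.send_response(200)
                self.end_headers()
                self.wfile.write(b"stub status page\n")
        def log_message(self, *args):  # keep the demo quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/"


if __name__ == "__main__":
    print(audit(["http://localhost:28017/", "http://127.0.0.1:28017/"]))
```

Adding the host's own non-loopback address to the list passed to `audit` reproduces the comparison the reporter made; an "open" result on loopback next to "auth-required" elsewhere is the inconsistency discussed in this ticket.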
