[SERVER-17917] Config DB gets updated even though the user has no permissions Created: 07/Apr/15  Updated: 05/Jan/18  Resolved: 10/Apr/15

Status: Closed
Project: Core Server
Component/s: Security, Sharding
Affects Version/s: 3.0.1
Fix Version/s: 3.1.2

Type: Bug Priority: Major - P3
Reporter: Alex Lerner Assignee: Kaloian Manassiev
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on SERVER-17723 Sharding catalog cache Closed
Duplicate
is duplicated by SERVER-18139 Adding a $external user in cluster (v... Closed
is duplicated by SERVER-23562 cluster hung a moment when use '... Closed
Related
related to SERVER-25625 Regression: eval command on a non-exi... Closed
Backwards Compatibility: Minor Change
Operating System: ALL
Steps To Reproduce:

mongos> use admin
switched to db admin

mongos> db.createUser({user:"alex", pwd:"pass", roles:[{db:"whatever", role:"readWrite"}]})
Successfully added user: {
    "user" : "alex",
    "roles" : [
        {
            "db" : "whatever",
            "role" : "readWrite"
        }
    ]
}

Authenticating as the new user:

mongos> db.auth("alex", "pass")
1

Notice the misspelled database name:

mongos> use whatever3
switched to db whatever3

And, as expected, trying to access the misspelled database does not work:

mongos> db.coll.find()
Error: error: { "$err" : "not authorized for query on whatever3.coll", "code" : 13 }

Switch back to the admin user:

mongos> use admin
switched to db admin

mongos> db.auth("admin", "pass")
1

mongos> sh.status()
--- Sharding Status ---
  sharding version: {
    "_id" : 1,
    "minCompatibleVersion" : 5,
    "currentVersion" : 6,
    "clusterId" : ObjectId("552424ff8024973cf28217f2")
  }
  shards:
    {  "_id" : "shard0000",  "host" : "localhost:27019" }
  balancer:
    Currently enabled:  yes
    Currently running:  no
    Failed balancer rounds in last 5 attempts:  0
    Migration Results for the last 24 hours:
      No recent migrations
  databases:
    {  "_id" : "admin",  "partitioned" : false,  "primary" : "config" }
    {  "_id" : "whatever",  "partitioned" : false,  "primary" : "shard0000" }
    {  "_id" : "whatever3",  "partitioned" : false,  "primary" : "shard0000" }

And notice in the above that although user alex did not have access to the whatever3 database, whatever3 was still created in the config database – definitely a source of confusion.

mongos> show dbs
admin   0.016GB
config  0.016GB

mongos> use config
switched to db config

mongos> db.databases.find()
{ "_id" : "admin", "partitioned" : false, "primary" : "config" }
{ "_id" : "whatever", "partitioned" : false, "primary" : "shard0000" }
{ "_id" : "whatever3", "partitioned" : false, "primary" : "shard0000" }

Description:

In a sharded environment with auth, a user can misspell a database name and, although he does not have permissions on that db, an entry is still made in the config DB.
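A check a cluster operator can run to find the stray entries this bug leaves behind, added here as an example and not code from the ticket or from MongoDB: it compares config.databases against each shard's listDatabases output and reports entries whose primary shard holds no data for them. The sample documents are constructed to mirror the session above; against a live cluster they would come from config.databases on mongos and from listDatabases run directly on each shard.

```python
# Added example (not part of SERVER-17917 or MongoDB): audit config.databases
# for databases that were registered in the config DB (e.g. by an
# unauthorised "use <typo>") but never actually materialised on a shard.
#
# Document shapes are the real ones: config.databases holds
# {_id, partitioned, primary}; each shard's listDatabases reply carries a
# "databases" array of {name, sizeOnDisk, empty}.
from typing import Dict, List

# Constructed sample: config.databases as shown in the ticket's session.
CONFIG_DATABASES = [
    {"_id": "admin", "partitioned": False, "primary": "config"},
    {"_id": "whatever", "partitioned": False, "primary": "shard0000"},
    {"_id": "whatever3", "partitioned": False, "primary": "shard0000"},
]

# Constructed sample: listDatabases reply per shard. Only "whatever" holds
# data on shard0000; "whatever3" was registered but never written to.
SHARD_LIST_DATABASES = {
    "shard0000": {
        "databases": [
            {"name": "local", "sizeOnDisk": 83886080, "empty": False},
            {"name": "whatever", "sizeOnDisk": 83886080, "empty": False},
        ],
        "totalSize": 167772160,
        "ok": 1,
    },
}


def phantom_config_databases(config_dbs: List[dict],
                             shard_replies: Dict[str, dict]) -> List[str]:
    """Return names of config.databases entries whose primary shard reports
    no (non-empty) database of that name. Entries whose primary is the
    config server itself (such as "admin") live outside the shards and are
    skipped. An entry pointing at an unknown shard is reported as well."""
    phantoms = []
    for entry in config_dbs:
        name, primary = entry["_id"], entry["primary"]
        if primary == "config":
            continue
        reply = shard_replies.get(primary, {"databases": []})
        present = {d["name"] for d in reply["databases"]
                   if not d.get("empty", False)}
        if name not in present:
            phantoms.append(name)
    return phantoms


if __name__ == "__main__":
    for db in phantom_config_databases(CONFIG_DATABASES, SHARD_LIST_DATABASES):
        print(f"config.databases entry {db!r} has no data on its primary shard")
```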


Generated at Thu Feb 08 03:45:59 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.