[SERVER-19324] Restricted user, can see / modify in every database Created: 08/Jul/15 Updated: 03/Apr/23 Resolved: 08/Jul/15 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 3.0.4 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Critical - P2 |
| Reporter: | Dennis Hoefakker | Assignee: | Unassigned |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Steps To Reproduce: | 1. Create a user in a database (db.createUser({user: "youruser", pwd: "securepassword", roles: ["read"]})) |
| Sprint: | Security 6 07/17/15 |
| Participants: |
| Description |
|
I'm running MongoDB 3.0, used the upgrade document (http://docs.mongodb.org/manual/release-notes/3.0-upgrade/) and upgraded the storage engine to WiredTiger. I created a user in one of the databases with the read role. When I connect to the database and select another database, it gives me the "Authentication Failed" message. That is OK. When I connect to the database I created the user in, it connects... But then I can `use <databaseX>` and do a `show collections`. It displays everything from that database (which the user shouldn't have access to); I can even show and modify documents. Is this a bug, or is there something missing in the migration manual? |
| Comments |
| Comment by Andreas Nilsson [ 08/Jul/15 ] |
|
HoefMeistert thanks for your report (and your solution). The authenticate command currently does not return any state info about the server. We will consider what options might be available to issue a warning. Regards, |
| Comment by Dennis Hoefakker [ 08/Jul/15 ] |
|
Issue can be closed... It was a misconfiguration which I had completely missed... But maybe there can be some kind of information/messaging somewhere that you are authenticating to a server which doesn't require authentication? |
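The misconfiguration behind this report is a mongod started without `--auth` (or `security.authorization: enabled` in mongod.conf): on such a server `db.auth()` still succeeds, but every client, authenticated or not, is effectively a superuser, which is exactly what the reporter saw. The audit script below is an added example, not code from the reporter or from MongoDB; it connects with no credentials and runs a privileged command, and treats anything other than error code 13 (Unauthorized) as a failed audit. The `probe` helper, its localhost/27017 defaults and the sample responses are assumptions; the sample documents are constructed to match the shape of the server's `listDatabases` reply rather than captured from a real deployment.

```python
"""Audit whether a mongod actually enforces authorization.

Added example for SERVER-19324 (not the reporter's or MongoDB's code).
An enforcing server answers an anonymous privileged command with error
code 13; a server running without --auth answers it successfully.
"""

# MongoDB error code for "not authorized" (unchanged since the 2.x line).
UNAUTHORIZED = 13

# Constructed sample replies to `listDatabases` from an anonymous client.
# `codeName` only appears on newer servers; a 3.0 server sends just `code`.
SAMPLE_ENFORCING = {
    "ok": 0,
    "errmsg": "not authorized on admin to execute command { listDatabases: 1 }",
    "code": UNAUTHORIZED,
    "codeName": "Unauthorized",
}
SAMPLE_OPEN = {
    "ok": 1,
    "databases": [
        {"name": "admin", "sizeOnDisk": 65536, "empty": False},
        {"name": "local", "sizeOnDisk": 65536, "empty": False},
    ],
    "totalSize": 131072,
}


def classify(response):
    """Map an anonymous `listDatabases` reply to a verdict.

    Returns:
      "enforcing" - the anonymous caller was rejected with code 13
      "open"      - the anonymous caller succeeded: authorization is OFF
      "unknown"   - some other outcome (different error, partial reply)
    """
    if response.get("ok") == 1 and "databases" in response:
        return "open"
    if response.get("code") == UNAUTHORIZED or response.get("codeName") == "Unauthorized":
        return "enforcing"
    return "unknown"


def probe(host="localhost", port=27017, timeout_ms=2000):
    """Run the anonymous probe against a live server (needs pymongo).

    Hypothetical helper: host/port defaults assume a local mongod. pymongo
    is imported lazily so `classify` stays usable without it installed.
    """
    from pymongo import MongoClient
    from pymongo.errors import OperationFailure, PyMongoError

    client = MongoClient(host, port, serverSelectionTimeoutMS=timeout_ms)
    try:
        # Deliberately no credentials: this is the attacker's view of the server.
        return classify(client.admin.command("listDatabases"))
    except OperationFailure as exc:
        # pymongo raises on ok:0; exc.details carries the server's error document.
        return classify(exc.details or {"code": exc.code})
    except PyMongoError:
        return "unknown"
    finally:
        client.close()


if __name__ == "__main__":
    import sys

    verdict = probe()
    print(f"authorization: {verdict}")
    # The audit only passes when the server demonstrably enforces authorization.
    sys.exit(0 if verdict == "enforcing" else 1)
```

Run it against the deployment before trusting any per-database role: an "open" verdict means the read-only user from the report can read and write every database regardless of its roles, and the fix is to start mongod with `--auth` (or `security.authorization: enabled` in the config file) and restart. Only after that does a user with just the `read` role on one database get "not authorized" when it tries `show collections` elsewhere.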