[SERVER-20460] listIndexes on 3.0 mongos with 2.6 mongods returns erroneous "not authorized"
Created: 17/Sep/15  Updated: 07/Oct/15  Resolved: 23/Sep/15

Status: Closed
Project: Core Server
Component/s: Security, Sharding
Affects Version/s: 3.0.6
Fix Version/s: 3.0.7, 3.1.9

Type: Bug
Priority: Major - P3
Reporter: Kevin Pulo
Assignee: Andreas Nilsson
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
is duplicated by SERVER-20482 Change of behaviour in db.system.user... Closed
Related
related to SERVER-20482 Change of behaviour in db.system.user... Closed
is related to SERVER-17529 Can't list collections when mongos is... Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Completed:
Steps To Reproduce:

With auth (fails):

$ mlaunch init --sharded 2 --replicaset --nodes 2 --arbiter --smallfiles --oplogSize 10 --binarypath /m/2.6.11/bin --port 24205 --auth
launching: /m/2.6.11/bin/mongod on port 24206
launching: /m/2.6.11/bin/mongod on port 24207
launching: /m/2.6.11/bin/mongod on port 24208
launching: /m/2.6.11/bin/mongod on port 24209
launching: /m/2.6.11/bin/mongod on port 24210
launching: /m/2.6.11/bin/mongod on port 24211
launching: config server on port 24212
replica set 'shard01' initialized.
replica set 'shard02' initialized.
launching: /m/2.6.11/bin/mongos on port 24205
adding shards. can take up to 30 seconds...
8 nodes stopped.
launching: /m/2.6.11/bin/mongod on port 24206
launching: /m/2.6.11/bin/mongod on port 24207
launching: /m/2.6.11/bin/mongod on port 24208
launching: /m/2.6.11/bin/mongod on port 24209
launching: /m/2.6.11/bin/mongod on port 24210
launching: /m/2.6.11/bin/mongod on port 24211
launching: config server on port 24212
launching: /m/2.6.11/bin/mongos on port 24205
$ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.test.insert({}))'
MongoDB shell version: 3.0.6
connecting to: 127.0.0.1:24205/test
{ "nInserted" : 1 }
$ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.test.ensureIndex({a:1}))'
MongoDB shell version: 3.0.6
connecting to: 127.0.0.1:24205/test
{
        "raw" : {
                "shard01/genique:24206,genique:24207" : {
                        "createdCollectionAutomatically" : false,
                        "numIndexesBefore" : 1,
                        "numIndexesAfter" : 2,
                        "ok" : 1,
                        "$gleStats" : {
                                "lastOpTime" : Timestamp(1442426511, 1),
                                "electionId" : ObjectId("55f9ac98c9c1eb9b892a11eb")
                        }
                }
        },
        "ok" : 1
}
$ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(sh.stopBalancer())'
MongoDB shell version: 3.0.6
connecting to: 127.0.0.1:24205/test
Waiting for active hosts...
Waiting for the balancer lock...
Waiting again for active hosts after balancer is off...
undefined
$ mlaunch stop mongos
1 node stopped.
$ mlaunch start mongos --binarypath /m/3.0.6/bin --upgrade
launching: /m/3.0.6/bin/mongos on port 24205
$ mlaunch start mongos --binarypath /m/3.0.6/bin
launching: /m/3.0.6/bin/mongos on port 24205
**** $ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.runCommand({listIndexes:"test"}))'
**** MongoDB shell version: 3.0.6
**** connecting to: 127.0.0.1:24205/test
**** {
****         "ok" : 0,
****         "errmsg" : "not authorized on test to execute command { listIndexes: \"test\" }",
****         "code" : 13
**** }
$ /m/3.0.6/bin/mongo --port 24206 -u user -p password --authenticationDatabase admin --eval 'printjson(db.runCommand({listIndexes:"test"}))'
MongoDB shell version: 3.0.6
connecting to: 127.0.0.1:24206/test
{
        "ok" : 0,
        "errmsg" : "no such cmd: listIndexes",
        "code" : 59,
        "bad cmd" : {
                "listIndexes" : "test"
        }
}
$ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.system.indexes.find().toArray())'
MongoDB shell version: 3.0.6
connecting to: 127.0.0.1:24205/test
[
        {
                "v" : 1,
                "key" : {
                        "_id" : 1
                },
                "name" : "_id_",
                "ns" : "test.test"
        },
        {
                "v" : 1,
                "key" : {
                        "a" : 1
                },
                "name" : "a_1",
                "ns" : "test.test"
        }
]
$ /m/3.0.6/bin/mongo --port 24206 -u user -p password --authenticationDatabase admin --eval 'printjson(db.system.indexes.find().toArray())'
MongoDB shell version: 3.0.6
connecting to: 127.0.0.1:24206/test
[
        {
                "v" : 1,
                "key" : {
                        "_id" : 1
                },
                "name" : "_id_",
                "ns" : "test.test"
        },
        {
                "v" : 1,
                "key" : {
                        "a" : 1
                },
                "name" : "a_1",
                "ns" : "test.test"
        }
]
$ mlaunch stop
8 nodes stopped.
$ mlaunch start --binarypath /m/3.0.6/bin
launching: /m/3.0.6/bin/mongod on port 24206
launching: /m/3.0.6/bin/mongod on port 24207
launching: /m/3.0.6/bin/mongod on port 24208
launching: /m/3.0.6/bin/mongod on port 24209
launching: /m/3.0.6/bin/mongod on port 24210
launching: /m/3.0.6/bin/mongod on port 24211
launching: config server on port 24212
launching: /m/3.0.6/bin/mongos on port 24205
$ /m/3.0.6/bin/mongo --port 24205 -u user -p password --authenticationDatabase admin --eval 'printjson(db.runCommand({listIndexes:"test"}))'
MongoDB shell version: 3.0.6
connecting to: 127.0.0.1:24205/test
{
        "cursor" : {
                "id" : NumberLong(0),
                "ns" : "test.$cmd.listIndexes.test",
                "firstBatch" : [
                        {
                                "v" : 1,
                                "key" : {
                                        "_id" : 1
                                },
                                "name" : "_id_",
                                "ns" : "test.test"
                        },
                        {
                                "v" : 1,
                                "key" : {
                                        "a" : 1
                                },
                                "name" : "a_1",
                                "ns" : "test.test"
                        }
                ]
        },
        "ok" : 1,
        "$gleStats" : {
                "lastOpTime" : Timestamp(0, 0),
                "electionId" : ObjectId("55faf4ec6f07922dc310b0fd")
        }
}

Without auth (succeeds):

$ mlaunch kill
sent signal 15 to 8 processes.
$ rm -rf data
$ mlaunch init --sharded 2 --replicaset --nodes 2 --arbiter --smallfiles --oplogSize 10 --binarypath /m/2.6.11/bin --port 24205
launching: /m/2.6.11/bin/mongod on port 24206
launching: /m/2.6.11/bin/mongod on port 24207
launching: /m/2.6.11/bin/mongod on port 24208
launching: /m/2.6.11/bin/mongod on port 24209
launching: /m/2.6.11/bin/mongod on port 24210
launching: /m/2.6.11/bin/mongod on port 24211
launching: config server on port 24212
replica set 'shard01' initialized.
replica set 'shard02' initialized.
launching: /m/2.6.11/bin/mongos on port 24205
adding shards. can take up to 30 seconds...
$ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(db.test.insert({}))'
MongoDB shell version: 3.0.6
connecting to: 127.0.0.1:24205/test
{ "nInserted" : 1 }
$ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(db.test.ensureIndex({a:1}))'
MongoDB shell version: 3.0.6
connecting to: 127.0.0.1:24205/test
{
        "raw" : {
                "shard01/genique:24206,genique:24207" : {
                        "createdCollectionAutomatically" : false,
                        "numIndexesBefore" : 1,
                        "numIndexesAfter" : 2,
                        "ok" : 1
                }
        },
        "ok" : 1
}
$ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(sh.stopBalancer())'
MongoDB shell version: 3.0.6
connecting to: 127.0.0.1:24205/test
Waiting for active hosts...
Waiting for the balancer lock...
Waiting again for active hosts after balancer is off...
undefined
$ mlaunch stop mongos
1 node stopped.
$ mlaunch start mongos --binarypath /m/3.0.6/bin --upgrade
launching: /m/3.0.6/bin/mongos on port 24205
$ mlaunch start mongos --binarypath /m/3.0.6/bin
launching: /m/3.0.6/bin/mongos on port 24205
**** $ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(db.runCommand({listIndexes:"test"}))'
**** MongoDB shell version: 3.0.6
**** connecting to: 127.0.0.1:24205/test
**** {
****         "cursor" : {
****                 "id" : NumberLong(0),
****                 "ns" : "test.system.indexes",
****                 "firstBatch" : [
****                         {
****                                 "v" : 1,
****                                 "key" : {
****                                         "_id" : 1
****                                 },
****                                 "name" : "_id_",
****                                 "ns" : "test.test"
****                         },
****                         {
****                                 "v" : 1,
****                                 "key" : {
****                                         "a" : 1
****                                 },
****                                 "name" : "a_1",
****                                 "ns" : "test.test"
****                         }
****                 ]
****         },
****         "ok" : 1,
****         "$gleStats" : {
****                 "lastOpTime" : Timestamp(0, 0),
****                 "electionId" : ObjectId("55faf27148eb9e505441391c")
****         }
**** }
$ /m/3.0.6/bin/mongo --port 24206 --eval 'printjson(db.runCommand({listIndexes:"test"}))'
MongoDB shell version: 3.0.6
connecting to: 127.0.0.1:24206/test
{
        "ok" : 0,
        "errmsg" : "no such cmd: listIndexes",
        "code" : 59,
        "bad cmd" : {
                "listIndexes" : "test"
        }
}
$ /m/3.0.6/bin/mongo --port 24206 --eval 'printjson(db.system.indexes.find().toArray())'
MongoDB shell version: 3.0.6
connecting to: 127.0.0.1:24206/test
[
        {
                "v" : 1,
                "key" : {
                        "_id" : 1
                },
                "name" : "_id_",
                "ns" : "test.test"
        },
        {
                "v" : 1,
                "key" : {
                        "a" : 1
                },
                "name" : "a_1",
                "ns" : "test.test"
        }
]
$ /m/3.0.6/bin/mongo --port 24205 --eval 'printjson(db.system.indexes.find().toArray())'
MongoDB shell version: 3.0.6
connecting to: 127.0.0.1:24205/test
[
        {
                "v" : 1,
                "key" : {
                        "_id" : 1
                },
                "name" : "_id_",
                "ns" : "test.test"
        },
        {
                "v" : 1,
                "key" : {
                        "a" : 1
                },
                "name" : "a_1",
                "ns" : "test.test"
        }
]

Sprint: Security A 10/09/15
Participants:

 Description   

During the process of upgrading a 2.6 cluster (with auth) to 3.0, there is a period of time where the system is running with 3.0 mongoses and 2.6 shards.

While in this state, if the listIndexes (new in 3.0) command is sent to the mongos, then if auth is disabled it will return correct results, but if auth is on it will fail with "not authorized" (even though the authenticated user has the correct privs).

It seems that this is because the mongos is misinterpreting the "command not found" it is getting back from the shards when it runs listIndexes on them, and not realising that it needs to downconvert to querying system.indexes.
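
Added example (not part of the original ticket and not MongoDB's code): a client-side triage helper for the upgrade window described above, which retries a denied or unknown listIndexes against system.indexes and reports whether the code 13 looks like this mixed-version artifact or a real privilege problem. The callbacks, verdict names and sample replies are assumptions constructed from the output in Steps To Reproduce.

```javascript
// Added example, not MongoDB source. Error codes are the ones shown in this ticket.
const UNAUTHORIZED = 13;      // "not authorized on test to execute command ..."
const COMMAND_NOT_FOUND = 59; // "no such cmd: listIndexes" from a 2.6 mongod

// runCommand and findSystemIndexes are hypothetical callbacks wired to a driver:
//   runCommand(cmd)       -> reply document ({ ok, code, errmsg, cursor })
//   findSystemIndexes(ns) -> array of index specs, or throws an Error with .code
function listIndexesCompat(db, coll, runCommand, findSystemIndexes) {
  const reply = runCommand({ listIndexes: coll });
  if (reply.ok === 1) {
    return { verdict: "ok", source: "listIndexes", indexes: reply.cursor.firstBatch };
  }
  if (reply.code !== UNAUTHORIZED && reply.code !== COMMAND_NOT_FOUND) {
    throw Object.assign(new Error(reply.errmsg), { code: reply.code });
  }
  try {
    // Legacy read path that still works through the mongos in the transcript.
    const indexes = findSystemIndexes(`${db}.${coll}`);
    const verdict = reply.code === UNAUTHORIZED ? "suspect-mixed-version" : "legacy-server";
    return { verdict, source: "system.indexes", indexes };
  } catch (err) {
    // Both paths denied: treat as a real privilege problem, not an upgrade artifact.
    if (err.code === UNAUTHORIZED) return { verdict: "unauthorized", source: null, indexes: [] };
    throw err;
  }
}

// Constructed sample data modelled on the ticket's output.
const SAMPLE_INDEXES = [
  { v: 1, key: { _id: 1 }, name: "_id_", ns: "test.test" },
  { v: 1, key: { a: 1 }, name: "a_1", ns: "test.test" },
];
const denied = () => ({
  ok: 0, code: UNAUTHORIZED,
  errmsg: 'not authorized on test to execute command { listIndexes: "test" }',
});
const notFound = () => ({ ok: 0, code: COMMAND_NOT_FOUND, errmsg: "no such cmd: listIndexes" });
const readLegacy = (ns) => SAMPLE_INDEXES.filter((ix) => ix.ns === ns);
const denyLegacy = () => { throw Object.assign(new Error("not authorized"), { code: UNAUTHORIZED }); };

console.log(listIndexesCompat("test", "test", denied, readLegacy).verdict);
console.log(listIndexesCompat("test", "test", notFound, readLegacy).verdict);
console.log(listIndexesCompat("test", "test", denied, denyLegacy).verdict);
```

A "suspect-mixed-version" verdict is worth logging with the mongos and shard versions, so that authorization failures during an upgrade can be told apart from role misconfiguration.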



 Comments   
Comment by Githook User [ 23/Sep/15 ]

Author: Andreas Nilsson (agralius) <andreas.nilsson@10gen.com>

Message: SERVER-20460 Make listIndexes authz check backwards compat

(cherry picked with edits from commit fa24b6adab2f71a3c07d8810d04d5e0da4c5ac59)
Branch: v3.0
https://github.com/mongodb/mongo/commit/5da060573aebc32303b9ab72bbea7a552dcfcf06

Comment by Githook User [ 23/Sep/15 ]

Author: Andreas Nilsson (agralius) <andreas.nilsson@10gen.com>

Message: SERVER-20460 Make listIndexes authz check backwards compat
Branch: master
https://github.com/mongodb/mongo/commit/fa24b6adab2f71a3c07d8810d04d5e0da4c5ac59
