[SERVER-21659] bypassDocumentValidation authentication error
Created: 24/Nov/15  Updated: 25/Jan/17  Resolved: 30/Nov/15

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 3.2.0-rc3 |
| Fix Version/s: | 3.2.0-rc5 |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | Hannes Magnusson |
| Assignee: | Spencer Brody (Inactive) |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Minor Change |
| Operating System: | ALL |
| Steps To Reproduce: | On solaris-spawn evergreen spawnhost: `mongoc_run bypass.c` |
| Sprint: | Sharding D (12/11/15) |
| Participants: | |
Description

I can consistently reproduce the following:
Then. Using the latest master of mongo-c-driver:
Now, what happens depends on the following:
Comments

Comment by Githook User [ 30/Nov/15 ]

Author: Spencer T Brody (stbrody, spencer@mongodb.com)
Message:

Comment by Githook User [ 25/Nov/15 ]

Author: A. Jesse Jiryu Davis (ajdavis, jesse@mongodb.com)
Message: skip bypassValidation test with auth Until

Comment by Andy Schwerin [ 25/Nov/15 ]

I'll bet it's this commit, which was intended to fix compatibility between 3.0 mongos and 3.2 mongod during upgrade. I believe the problem is that it conflates the use of AuthzManagerExternalStateLocal::getUserDescription for fetching a user description to transmit to mongos and the use of the same function to identify the privileges of a local connection. The reason that having the shell open changes behavior is that the shell authenticates using OP_COMMAND commands, which is the signal mongod is using to detect a 3.2 mongos. The user document is then cached, and so can be used by other (OP_QUERY command) connections. Anyhow, the problem is limited to document validation bypass, and only restricts privilege unnecessarily (does not escalate privileges in error). We can figure out a fix in time for 3.2.0.

Comment by Hannes Magnusson [ 24/Nov/15 ]

https://github.com/mongodb/mongo/commit/874fc812768718f015e81d6ce7bd2dab9ce14128

Comment by Hannes Magnusson [ 24/Nov/15 ]

I have reproduced this locally now! EDIT: I fail at reading the download page. RC3 is NOT affected. The current nightly available on https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-ubuntu1404-latest.tgz IS AFFECTED.

Comment by A. Jesse Jiryu Davis [ 24/Nov/15 ]

Yes, I just now see it here too:

Comment by Hannes Magnusson [ 24/Nov/15 ]

I cannot reproduce this locally, but double-checking evergreen it does appear to be failing on Ubuntu 12 and Ubuntu 15 too. See: https://evergreen.mongodb.com/version/mongo_c_driver_e8ac5e3447e4737dfec249eb5b8b8540707386d4

Comment by Andy Schwerin [ 24/Nov/15 ]

Can you reproduce this on other OSes?