[SERVER-2415] simplify security for serverStatus() WAS: REST API - serverStatus is missing memory data Created: 27/Jan/11  Updated: 12/Jul/16  Resolved: 27/Jan/11

Status: Closed
Project: Core Server
Component/s: Tools
Affects Version/s: 1.7.5
Fix Version/s: 1.7.6

Type: Bug Priority: Minor - P4
Reporter: Ryan Nitz Assignee: Eliot Horowitz (Inactive)
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL
Participants:

 Description   

It's missing this:

"mem" : { "bits" : 64, "resident" : 20, "virtual" : 2484, "supported" : true, "mapped" : 80 },

Actual:

{
  "host" : "computer:27018",
  "version" : "1.7.5-pre-",
  "uptime" : 2947,
  "uptimeEstimate" : 2904,
  "localTime" : { "$date" : 1296100898236 },
  "globalLock" : {
    "totalTime" : 2946382204,
    "lockTime" : 30079,
    "ratio" : 1.020879095697932e-05,
    "currentQueue" : { "total" : 0, "readers" : 0, "writers" : 0 },
    "activeClients" : { "total" : 0, "readers" : 0, "writers" : 0 }
  },
  "connections" : { "current" : 1, "available" : 9999 },
  "indexCounters" : {
    "btree" : { "accesses" : 0, "hits" : 0, "misses" : 0, "resets" : 0, "missRatio" : 0 }
  },
  "backgroundFlushing" : {
    "flushes" : 49,
    "total_ms" : 829,
    "average_ms" : 16.91836734693878,
    "last_ms" : 16,
    "last_finished" : { "$date" : 1296100891798 }
  },
  "cursors" : { "totalOpen" : 0, "clientCursors_size" : 0, "timedOut" : 0 },
  "network" : { "bytesIn" : 1504, "bytesOut" : 3766, "numRequests" : 21 },
  "opcounters" : { "insert" : 0, "query" : 8, "update" : 0, "delete" : 0, "getmore" : 0, "command" : 15 },
  "asserts" : { "regular" : 0, "warning" : 0, "msg" : 0, "user" : 1, "rollovers" : 0 },
  "writeBacksQueued" : false,
  "note" : "run against admin for more info"
}



 Comments   
Comment by auto [ 27/Jan/11 ]

Author: Eliot Horowitz (login: erh, email: eliot@10gen.com)

Message: "mem" has same permissions as other fields SERVER-2415
https://github.com/mongodb/mongo/commit/4eb5359825ca6d7133d09a7fbf0360f51b72d876

Comment by Eliot Horowitz (Inactive) [ 27/Jan/11 ]

"mem" can be seen without special auth

Comment by Ryan Nitz [ 27/Jan/11 ]

Same result with digest (i.e., missing).

Why is this one metric more secure than the rest? It seems like the rest are intact.

Request headers:

Request URL:http://192.168.0.55:28019/serverStatus
Request Method:GET
Status Code:200 OK
Request Headers
Accept:application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Charset:UTF-8,*;q=0.5
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Authorization:Digest username="admin", realm="mongo", nonce="abc", uri="/serverStatus", algorithm=MD5, response="7f923e29ed7c6555ff68de6bcebb036b", qop=auth, nc=00000003, cnonce="864d20a44917ac2b"
Cache-Control:max-age=0
Connection:keep-alive
Host:192.168.0.55:28019
Referer:http://192.168.0.55:28019/serverStatus
User-Agent:Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.19 Safari/534.13

Comment by Eliot Horowitz (Inactive) [ 27/Jan/11 ]

It's a security issue.
Access is limited over http.
I think if you use http digest it might work.

Comment by Ryan Nitz [ 27/Jan/11 ]

Yes... running with auth.

Comment by Eliot Horowitz (Inactive) [ 27/Jan/11 ]

Working for me..
Are you running with auth?

Comment by Ryan Nitz [ 27/Jan/11 ]

It's actually on 1.7.5-pre

http://localhost:28017/serverStatus

Comment by Eliot Horowitz (Inactive) [ 27/Jan/11 ]

Which url are you hitting?
