[SERVER-3301] Allow admin user to login to any database Created: 20/Jun/11 Updated: 10/Dec/14 Resolved: 08/May/14 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Admin |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Minor - P4 |
| Reporter: | Ryan Nitz | Assignee: | Unassigned |
| Resolution: | Done | Votes: | 4 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: |
|
| Participants: |
| Description |
|
Currently, in the shell, if you created an admin user you need to log in to the admin database first and then change databases. For example, this fails for an admin account:

    mongo -u test -p test localhost:27017/test

This succeeds for an admin account:

    mongo -u test -p test localhost:27017/admin

MySQL will let you connect to any database from the shell (with auth). This becomes an issue when you're executing scripts from the shell. Currently, you have to log in to admin and then issue a change database. This will/is confusing for users. |
| Comments |
| Comment by Spencer Brody (Inactive) [ 08/May/14 ] |
|
It seems like there is some confusion here, let me see if I can help clarify the behavior.

In version 2.4, we added the authenticationDatabase option to the shell, which I believe addresses the initial issue from this ticket, as now if you want the shell to connect to the "test" database but authenticate to the "admin" db you can do that by specifying "--authenticationDatabase admin".

As to Rudi's question, while the system was changed to store user documents in the admin database, you are right that the core behavior is the same in that users are still scoped to specific databases, and you must specify the proper database when authenticating a user. The change in 2.6 was merely to centralize the storage of user information, not to change the fact that every user still has a "home" database they are associated with. You can think about the database component almost like a namespace, so user "bob" on the "test" database is a completely distinct user from user "bob" on the "foo" database, even though the user documents are all stored in the "admin" database.

I filed Hopefully that helps clear things up. Please let us know if you have any further questions about this behavior. |
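The scoping described in the comment above, as an added sketch that is not part of the original thread and is not MongoDB's code: user records sit in one store but are keyed by (home database, user name), and the authentication database is taken from `authSource` (the connection-string counterpart of `--authenticationDatabase`), else the database named in the URI, else `admin`. The `USERS` table, its passwords and the function names are constructed for illustration.

```python
import hmac
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed stand-in for admin.system.users: all user records sit in one
# store, but each is keyed by its "home" database plus the user name.
# Plaintext passwords are for illustration only; a real server stores hashes.
USERS = {
    ("admin", "test"): {"pwd": "test", "roles": ["root"]},
    ("test", "bob"): {"pwd": "pw-test-bob", "roles": ["readWrite"]},
    ("foo", "bob"): {"pwd": "pw-foo-bob", "roles": ["read"]},
}


def resolve(uri):
    """Return (connect_db, auth_db, user, password) for a mongodb:// URI."""
    parts = urlsplit(uri)
    connect_db = parts.path.lstrip("/") or None
    auth_source = parse_qs(parts.query).get("authSource", [None])[0]
    # authSource wins, then the database named in the URI, then "admin".
    auth_db = auth_source or connect_db or "admin"
    user = unquote(parts.username or "")
    password = unquote(parts.password or "")
    return connect_db, auth_db, user, password


def authenticate(uri):
    """Look the user up only in the namespace of the resolved auth database."""
    connect_db, auth_db, user, password = resolve(uri)
    doc = USERS.get((auth_db, user))
    if doc is None or not hmac.compare_digest(doc["pwd"], password):
        return None  # unknown in that namespace, or wrong password
    return {"user": user, "db": auth_db, "connected_to": connect_db,
            "roles": doc["roles"]}


if __name__ == "__main__":
    for uri in (
        "mongodb://test:test@localhost:27017/test",                   # fails
        "mongodb://test:test@localhost:27017/test?authSource=admin",  # ok
        "mongodb://test:test@localhost:27017/",                       # ok
        "mongodb://bob:pw-foo-bob@localhost:27017/test",              # fails
    ):
        print(uri, "->", authenticate(uri))
```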
| Comment by Rudi Wijaya [ 07/May/14 ] |
|
ceefour tag |
| Comment by Rudi Wijaya [ 07/May/14 ] |
|
MongoDB 2.6.0 release notes (http://docs.mongodb.org/manual/release-notes/2.6/) mentioned:
According to the documentation it should be possible to login into any database just by creating the user in admin database. MongoDB behavior as of 2.6.1 seems to be similar to 2.4.x, i.e. it doesn't follow the 2.6 documentation. With the following user in admin database:
mongo shell test case:
Java test case:
loginViaAdmin and (surprisingly) loginViaNothing succeeds, while loginDirectlyToDatabase fails with:
|
| Comment by Rudi Wijaya [ 07/May/14 ] |
|
This real behavior (tested with mongos 2.6.1) is contrary to the MongoDB Manual (http://docs.mongodb.org/manual/core/authentication/), which says: "MongoDB stores all user information, including credentials and authorization information, for a MongoDB instance in the system.users collection in the admin database." The manual confirms that user information for a particular database need not be stored in that database as well, but only in the admin database. However, in reality that's not the case. |
| Comment by Jake Justman [ 10/Apr/13 ] |
|
I ran into this when trying to add users from the unix shell when trying to execute the below command.

    mongo -u mms_agent -p testpass --eval "db.addUser('tim', 'tim')" fun |
| Comment by Ryan Nitz [ 20/Jun/11 ] |
|
Just to clarify... if an admin logs in and the database isn't admin, the admin database auth credentials should be checked first (or if the auth fails... whichever works). |