[SERVER-4275] in sharded cluster, authentication not enforced from localhost even with admin user set Created: 14/Nov/11  Updated: 10/Dec/14  Resolved: 18/Apr/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Question Priority: Major - P3
Reporter: Antoine Girbal Assignee: Unassigned
Resolution: Done Votes: 2
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

 Description   

If a mongod has authentication on but no admin user, then connections are allowed from localhost, on purpose.
Sun Nov 13 17:04:47 [conn1] note: no users configured in admin.system.users, allowing localhost access

But if you have a sharded environment, the admin user is stored in the config db.
So even if there is an admin user, individual mongods don't know about it and let you query from localhost.
This seems like a security hole; do we need to allow free localhost access in any circumstance?
Also it means that a lot of our tests using authentication pass even though they shouldn't, because authentication is not really enforced (e.g. sharded map/reduce).



 Comments   
Comment by Andy Schwerin [ 18/Apr/13 ]

Replica sets representing shards in a sharded cluster maintain their own authentication information, rather than using the cluster data. Every replica set has its own admin database, plus the cluster has one (stored in the config servers). In this sense, the admin user isn't really "set" on the replica sets.

Changing the design so that shard servers use the cluster-wide auth data depends at least on SERVER-8509.

Comment by Andy Schwerin [ 18/Apr/13 ]

Beginning in 2.4, the DBA may disable the localhost exception at startup.
http://docs.mongodb.org/manual/reference/parameters/#param.enableLocalhostAuthBypass

Comment by Antoine Girbal [ 14/Nov/11 ]

Yes, disabling it if --keyFile is on may be better, as long as it does not apply to mongos also.
Either way it's a simple fix; it seems important for security and would fix our auth testing. Can we implement it soon?

Comment by Kristina Chodorow (Inactive) [ 14/Nov/11 ]

For now, tests might be able to get around this by adding an admin user on each shard (hacky, but it would probably work).

I'd rather not have local access be a function of --shardsvr, as it would make security dependent on people getting their flags right (as --shardsvr isn't required, it would be easy for someone to accidentally have half their set secure and half wide-open).

A similar idea: we could disallow local access if the server was started with --keyFile.

I think (eventually) getting rid of localhost access altogether is a good idea.

Comment by Antoine Girbal [ 14/Nov/11 ]

One easy fix that retains the original intent is to remove the auth localhost bypass if --shardsvr is on.
All admin should be done through mongos anyway, which will have the same behavior as a single mongod server.

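The following is an added illustration, not code from this ticket or from MongoDB's source. It models the behaviour the thread describes: with auth enabled, each mongod decides the localhost exception against its own admin.system.users (and, from 2.4, only while enableLocalhostAuthBypass is on), so an admin user created through mongos lives in the config database and leaves every shard's mongod open from localhost. The model then applies the two remedies named above: the per-shard admin user workaround and disabling the bypass at startup. The class and function names (Mongod, Cluster, localhost_bypass_allowed, unprotected_shards, the two mitigate_* helpers) and the sample cluster layout are hypothetical and constructed for the example; it only considers clients connecting from the loopback interface.

```python
"""Model of MongoDB's localhost auth exception as described in SERVER-4275.

Added example, not MongoDB's own code. Names and the sample cluster are
constructed for illustration. Rule modelled (from the ticket):
  - auth on, this process's admin.system.users empty  -> localhost allowed
  - 2.4+: DBA may set enableLocalhostAuthBypass=0     -> never allowed
The check is per-process: a shard's mongod never consults the config DB.
"""
from dataclasses import dataclass, field


@dataclass
class Mongod:
    name: str
    auth: bool = True
    # This process's own admin.system.users, not the cluster-wide one.
    admin_users: set = field(default_factory=set)
    # Hypothetical stand-in for the 2.4+ startup parameter.
    enable_localhost_auth_bypass: bool = True


@dataclass
class Cluster:
    config: Mongod          # config server holding the cluster admin DB
    shards: list            # one Mongod per shard (replica set primary)


def localhost_bypass_allowed(node: Mongod) -> bool:
    """True if an unauthenticated client on 127.0.0.1 gets into `node`."""
    if not node.auth:
        return True                       # auth off: open regardless
    if not node.enable_localhost_auth_bypass:
        return False                      # 2.4+: exception disabled
    return len(node.admin_users) == 0     # exception only while no admin users


def build_cluster() -> Cluster:
    """Constructed sample: admin user added via mongos lands in config only."""
    config = Mongod("config", admin_users={"admin"})
    shards = [Mongod("shard0"), Mongod("shard1")]
    return Cluster(config=config, shards=shards)


def unprotected_shards(cluster: Cluster) -> list:
    """Names of shards still reachable from localhost without credentials."""
    return [s.name for s in cluster.shards if localhost_bypass_allowed(s)]


def mitigate_with_per_shard_admin(cluster: Cluster) -> None:
    """Workaround from the thread: create an admin user on every shard."""
    for shard in cluster.shards:
        shard.admin_users.add("admin")


def mitigate_with_parameter(cluster: Cluster) -> None:
    """2.4+ fix: start each shard with enableLocalhostAuthBypass=0."""
    for shard in cluster.shards:
        shard.enable_localhost_auth_bypass = False


if __name__ == "__main__":
    c = build_cluster()
    print("config open from localhost:", localhost_bypass_allowed(c.config))
    print("open shards before fix:", unprotected_shards(c))
    mitigate_with_parameter(c)
    print("open shards after parameter:", unprotected_shards(c))
```

The point the model makes explicit is that the security property depends on state inside each mongod process; nothing in the cluster-wide admin database changes a shard's answer, so either every shard needs its own admin user or the exception must be switched off at startup on every shard.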