[SERVER-4275] in sharded cluster, authentication not enforced from localhost even with admin user set Created: 14/Nov/11 Updated: 10/Dec/14 Resolved: 18/Apr/13 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Question | Priority: | Major - P3 |
| Reporter: | Antoine Girbal | Assignee: | Unassigned |
| Resolution: | Done | Votes: | 2 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Participants: |
| Description |
|
If a mongod has authentication on but no admin user, then connections are allowed from localhost, on purpose. But if you have a sharded environment, the admin user is stored in the config db. |
| Comments |
| Comment by Andy Schwerin [ 18/Apr/13 ] |
|
Replicasets representing shards in a sharded cluster maintain their own authentication information, rather than using the cluster data. Every replicaset has its own admin database, plus the cluster has one (stored in the config servers). In this sense, the admin user isn't really "set" on the replicasets. Changing the design so that shard servers use the cluster-wide auth data depends at least on |
| Comment by Andy Schwerin [ 18/Apr/13 ] |
|
Beginning in 2.4, the DBA may disable the localhost exception at startup. |
| Comment by Antoine Girbal [ 14/Nov/11 ] |
|
Yes, disabling if --keyFile is on may be better, as long as it does not apply to mongos also. |
| Comment by Kristina Chodorow (Inactive) [ 14/Nov/11 ] |
|
For now, tests might be able to get around this by adding an admin user on each shard (hacky, but it would probably work). I'd rather not have local access be a function of --shardsvr, as it would make security dependent on people getting their flags right (as --shardsvr isn't required, it would be easy for someone to accidentally have half their set secure and half wide-open). A similar idea: we could disallow local access if the server was started with --keyFile. I think (eventually) getting rid of localhost access altogether is a good idea. |
| Comment by Antoine Girbal [ 14/Nov/11 ] |
|
One easy fix that retains the original intent is to remove the auth localhost bypass if --shardsvr is on. |
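
The check implied by the comments above (each shard member enforces authentication from its own admin database, and from 2.4 the localhost exception can be switched off at startup), written as an added example that is not part of the original ticket or of MongoDB's code. The member names, command lines and user counts are constructed sample data; `enableLocalhostAuthBypass` is the MongoDB 2.4+ server parameter that controls the localhost exception.

```python
import shlex

# Constructed sample: startup command line of each cluster member, paired with
# the number of users in that member's *own* admin database (hypothetical
# inventory data; users stored in the config servers do not count here).
MEMBERS = {
    "shard0-a": ("mongod --shardsvr --replSet s0 --keyFile /etc/mongo/key", 0),
    "shard0-b": ("mongod --shardsvr --replSet s0 --keyFile /etc/mongo/key "
                 "--setParameter enableLocalhostAuthBypass=0", 0),
    "shard1-a": ("mongod --shardsvr --replSet s1 --auth", 1),
    "shard1-b": ("mongod --replSet s1", 0),
}

def parse_flags(cmdline):
    """Return (auth_on, bypass_enabled) for a mongod/mongos command line."""
    args = shlex.split(cmdline)
    auth_on = False
    bypass = True  # the localhost exception is enabled by default
    i = 0
    while i < len(args):
        name, _, value = args[i].partition("=")
        if name in ("--auth", "--keyFile"):
            auth_on = True  # --keyFile implies --auth
        elif name == "--setParameter":
            if not value and i + 1 < len(args):  # "--setParameter k=v" form
                i += 1
                value = args[i]
            key, _, val = value.partition("=")
            if key == "enableLocalhostAuthBypass":
                bypass = val.lower() not in ("0", "false")
        i += 1
    return auth_on, bypass

def classify(cmdline, local_admin_users):
    """Classify one member: is unauthenticated localhost access possible?"""
    auth_on, bypass = parse_flags(cmdline)
    if not auth_on:
        return "auth-disabled"
    if bypass and local_admin_users == 0:
        return "localhost-exception-open"
    return "enforced"

def audit(members):
    return {name: classify(cmd, users) for name, (cmd, users) in members.items()}

if __name__ == "__main__":
    for name, status in audit(MEMBERS).items():
        print(f"{name}: {status}")
```

Members reported as `localhost-exception-open` need either a local admin user on that shard or the bypass disabled at startup.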