[SERVER-4601] The mongo console requires authentication even if mongod is not started with --auth
Created: 03/Jan/12  Updated: 17/Feb/17  Resolved: 17/Feb/17

Status: Closed
Project: Core Server
Component/s: HTTP Console
Affects Version/s: 2.0.2
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Barrie Segal
Assignee: DO NOT USE - Backlog - Platform Team
Resolution: Won't Fix
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
is duplicated by SERVER-4682 web panel prompts for auth even if au... Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Participants:

 Description   

To reproduce:

Start up mongod with no flags.

In a local mongo JS shell, remove any user credentials from all dbs, including admin.

> use admin
> db.system.users.remove()

With another computer on the network (or a VM), open a browser and go to the mongo console of the machine that is running mongod.

http://x.x.x.x:28017/

You should be able to access the console.

Now, clear the browser history and close the browser on the second computer or VM.

In the JS console of the machine running mongod, create a new user in the admin database.

> use admin
> db.addUser("admin","adminpword")

Go back to the second computer or VM, and try to access the console. Notice that an "authentication" window pops up.

The HTTP interface documentation states that, "If security is configured for a mongod instance, authentication is required for a client to access the http interface from another machine."

http://www.mongodb.org/display/DOCS/Http+Interface#HttpInterface-HTTPConsoleSecurity

If this behavior is by design, the documentation should be changed to reflect that authentication will be required even if mongod is not started with the --auth flag.



 Comments   
Comment by Mira Carey [ 17/Feb/17 ]

The HTTP interface has been deprecated for several releases (as of 3.2) and we're not planning any further development.
