[SERVER-4933] auth not working at all Created: 10/Feb/12 Updated: 30/Mar/12 Resolved: 15/Feb/12 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 2.1.0 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Chris Westin | Assignee: | Randolph Tan |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Operating System: | ALL |
| Participants: |
| Description |
|
According to http://www.mongodb.org/display/DOCS/Security+and+Authentication, if you run with --auth, you can still do anything to a db until the first user for that db is created. However, I just did an experiment to verify this, and found that even after I created a user for a db, I was able to do anything without having to authenticate.

$ ./mongo
);
);
> db.addUser("scott", "tiger", false);
{ "user" : "scott", "readOnly" : false, "pwd" : "0cbd24414b7e463fdaaec5ec64f3982f", "_id" : ObjectId("4f35a87acf5576708e221735") }
{ "n" : 0, "connectionId" : 1, "err" : null, "ok" : 1 }
> db.foob.insert( {blah:3});
> db.auth("scott", "tiger");
> exit

Given this, I stopped my server to make sure I was really running with --auth. It was in my config file, so I started again:

$ ./mongo
> db.system.users.find();
{ "_id" : ObjectId("4f35a87acf5576708e221735"), "user" : "scott", "readOnly" : false, "pwd" : "0cbd24414b7e463fdaaec5ec64f3982f" }
> db.runCommand( {getCmdLineOpts:1});
{ "errmsg" : "access denied; use admin db", "ok" : 0 }
> use admin ); ,

I used getCmdLineOpts to verify that auth is indeed on. But you can see that I can still insert and query against this database without authenticating. |
| Comments |
| Comment by Randolph Tan [ 15/Feb/12 ] |
|
Auth will only work if you have at least one user in the admin database. |
| Comment by Randolph Tan [ 15/Feb/12 ] |
|
I added the following note just right after the "or add the first user from the localhost interface" to make it clearer what it means: (you cannot add the first user from a connection that is not local with respect to mongod) |
| Comment by Randolph Tan [ 13/Feb/12 ] |
|
As I read the docs again entirely, it did mention that you have to have an admin user (with the must in bold "You must either have added a user to the admin db before starting the server with authentication, or add the first user from the localhost interface."). The phrase "the first user from the localhost interface" was not clear to me at first and I have to ask Mathias what it really means. |
| Comment by Chris Westin [ 13/Feb/12 ] |
|
No, I didn't create an admin user. The screen cap above shows everything I did. If having an admin user is required, perhaps the docs need to be fixed. |
| Comment by Randolph Tan [ 13/Feb/12 ] |
|
Hi Chris, Did you have an admin user when you tried doing this? I was able to reproduce this only when I don't have an admin user. The docs didn't mention explicitly that you need to have an admin user to have authentication activated but I was told before that you need to do so. I am not sure if that is by design since this was not mentioned in the docs at all (the creation of an admin user was, however, included in the step-by-step tutorial). |
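
The condition described in the comments above (with --auth, nothing is enforced until the admin database has at least one user) can be checked mechanically. The following is an added example, not part of the ticket and not MongoDB code: it classifies a mongod from a getCmdLineOpts reply and per-database user lists. The input shapes, the `parsed.auth` key, the function names and the db name `test` are assumptions.

```javascript
// Added example (not MongoDB code): decide whether --auth is actually
// enforced, using the rule stated in this ticket for 2.1.0.
// Assumed inputs: `opts` mimics a getCmdLineOpts reply; `usersByDb` maps
// a db name to the documents read from that db's system.users.

function authRequested(opts) {
  // auth can come from the command line or from a config file. The
  // reporter's was in the config file, so argv alone is not enough.
  const argv = (opts && opts.argv) || [];
  const parsed = (opts && opts.parsed) || {};
  return argv.includes("--auth") ||
    parsed.auth === true || parsed.auth === "true";
}

function classifyAuth(opts, usersByDb) {
  const count = (db) => (usersByDb[db] || []).length;
  // Non-admin dbs that hold users: these look protected but may not be.
  const dbsWithUsers = Object.keys(usersByDb)
    .filter((db) => db !== "admin" && count(db) > 0)
    .sort();
  if (!authRequested(opts)) {
    return { state: "AUTH_OFF", misleadingDbs: dbsWithUsers };
  }
  if (count("admin") === 0) {
    // The state from the report: auth on, users defined, nothing enforced.
    return { state: "AUTH_ON_NOT_ENFORCED", misleadingDbs: dbsWithUsers };
  }
  return { state: "ENFORCED", misleadingDbs: [] };
}

// Constructed sample mirroring the report: auth set in a config file,
// user "scott" in a non-admin db (name assumed), no admin user.
const reported = classifyAuth(
  { argv: ["./mongod", "-f", "mongod.conf"], parsed: { auth: "true" } },
  { test: [{ user: "scott", readOnly: false }] }
);
console.log(reported);
```
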