[SERVER-4933] auth not working at all Created: 10/Feb/12  Updated: 30/Mar/12  Resolved: 15/Feb/12

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.1.0
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Chris Westin Assignee: Randolph Tan
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL
Participants:

Description

According to http://www.mongodb.org/display/DOCS/Security+and+Authentication, if you run with --auth, you can still do anything to a db until the first user for that db is created. However, I just did an experiment to verify this, and found that even after I created a user for a db, I was able to do anything without having to authenticate.

$ ./mongo
MongoDB shell version: 2.1.1-pre-
connecting to: test
>
> use bezos
switched to db bezos
> db.foob.insert({blah:1});
> db.foob.insert({blah:2});
> db.foob.find();
{ "_id" : ObjectId("4f35a84ccf5576708e221733"), "blah" : 1 }
{ "_id" : ObjectId("4f35a853cf5576708e221734"), "blah" : 2 }
> db.addUser("scott", "tiger", false);
{ "user" : "scott", "readOnly" : false, "pwd" : "0cbd24414b7e463fdaaec5ec64f3982f", "_id" : ObjectId("4f35a87acf5576708e221735") }
{ "n" : 0, "connectionId" : 1, "err" : null, "ok" : 1 }
> db.foob.insert({blah:3});
> db.foob.find();
{ "_id" : ObjectId("4f35a84ccf5576708e221733"), "blah" : 1 }
{ "_id" : ObjectId("4f35a853cf5576708e221734"), "blah" : 2 }
{ "_id" : ObjectId("4f35a888cf5576708e221736"), "blah" : 3 }
> db.auth("scott", "tiger");
1
> db.foob.find();
{ "_id" : ObjectId("4f35a84ccf5576708e221733"), "blah" : 1 }
{ "_id" : ObjectId("4f35a853cf5576708e221734"), "blah" : 2 }
{ "_id" : ObjectId("4f35a888cf5576708e221736"), "blah" : 3 }

> exit
bye

Given this, I stopped my server to make sure I was really running with --auth. It was in my config file, so I started again:

$ ./mongo
MongoDB shell version: 2.1.1-pre-
connecting to: test
> use bezos
switched to db bezos
> show collections
foob
system.indexes
system.users
> db.foob.find();
{ "_id" : ObjectId("4f35a84ccf5576708e221733"), "blah" : 1 }
{ "_id" : ObjectId("4f35a853cf5576708e221734"), "blah" : 2 }
{ "_id" : ObjectId("4f35a888cf5576708e221736"), "blah" : 3 }
> db.system.users.find();
{ "_id" : ObjectId("4f35a87acf5576708e221735"), "user" : "scott", "readOnly" : false, "pwd" : "0cbd24414b7e463fdaaec5ec64f3982f" }
> db.runCommand({getCmdLineOpts:1});
{ "errmsg" : "access denied; use admin db", "ok" : 0 }
> use admin
switched to db admin
> db.runCommand({getCmdLineOpts:1});
{
	"argv" : [
		"C:\\cygwin\\home\\cwestin\\mongo\\mongod.exe",
		"--config",
		"../sandbox/mongodb.conf"
	],
	"parsed" : {
		"auth" : "true",
		"config" : "../sandbox/mongodb.conf",
		"dbpath" : "c:/cygwin/home/cwestin/sandbox/dbfiles",
		"directoryperdb" : "true",
		"logappend" : "true",
		"logpath" : "c:/cygwin/home/cwestin/sandbox/mongodb.log",
		"rest" : "true"
	},
	"ok" : 1
}
>

I used getCmdLineOpts to verify that auth is indeed on. But you can see that I can still insert and query against this database without authenticating.

Comments
Comment by Randolph Tan [ 15/Feb/12 ]

Auth will only work if you have at least one user in the admin database.

Comment by Randolph Tan [ 15/Feb/12 ]

I added the following note just right after the "or add the first user from the localhost interface" to make it clearer what it means:

(you cannot add the first user from a connection that is not local with respect to mongod)

Comment by Randolph Tan [ 13/Feb/12 ]

As I read the docs again entirely, it did mention that you have to have an admin user (with the "must" in bold):

"You must either have added a user to the admin db before starting the server with authentication, or add the first user from the localhost interface."

The phrase "the first user from the localhost interface" was not clear to me at first and I have to ask Mathias what it really means.

Comment by Chris Westin [ 13/Feb/12 ]

No, I didn't create an admin user. The screen cap above shows everything I did. If having an admin user is required, perhaps the docs need to be fixed.

Comment by Randolph Tan [ 13/Feb/12 ]

Hi Chris,

Did you have an admin user when you tried doing this? I was able to reproduce this only when I didn't have an admin user. The docs didn't mention explicitly that you need to have an admin user to have authentication activated, but I was told before that you need to do so. I am not sure if that is by design, since this was not mentioned in the docs at all (the creation of an admin user was, however, included in the step-by-step tutorial).
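The condition Randolph describes (auth is only enforced once the admin database has a user, and a user in another database such as "bezos" does not count) is the kind of thing a deployment audit should check rather than assume. The following is an added example, not code from the ticket or from MongoDB: a plain function that takes the getCmdLineOpts document and the users collected from each database's system.users and says whether --auth is actually in effect. The field shapes follow the ticket's output; the sample inputs are constructed.

```javascript
// Added example, not from the ticket or MongoDB's own code: given the output of
// getCmdLineOpts and the users found in each database, report whether --auth is
// actually being enforced. It encodes the two facts from this ticket:
//   1. getCmdLineOpts reports the option as "auth" (the string "true" in 2.1),
//   2. authentication is only enforced once the admin database has a user;
//      users in other databases (like "scott" in "bezos") do not count.

function authFlagOn(cmdLineOpts) {
  const parsed = (cmdLineOpts && cmdLineOpts.parsed) || {};
  // The 2.1-era shell output shows the value as the string "true"; accept both.
  const v = parsed.auth;
  return v === true || String(v).toLowerCase() === "true";
}

// usersByDb: { dbName: [userDoc, ...] } as collected from <db>.system.users
function authEnforcementStatus(cmdLineOpts, usersByDb) {
  if (!authFlagOn(cmdLineOpts)) {
    return { enforced: false, reason: "mongod was not started with --auth" };
  }
  const adminUsers = (usersByDb && usersByDb.admin) || [];
  if (adminUsers.length === 0) {
    const others = Object.keys(usersByDb || {}).filter(
      (name) => name !== "admin" && usersByDb[name].length > 0
    );
    return {
      enforced: false,
      reason:
        "--auth is set but the admin database has no users, so every client " +
        "can read and write all databases" +
        (others.length ? ` (users exist only in: ${others.join(", ")})` : "") +
        "; add the first admin user from a connection local to mongod",
    };
  }
  return {
    enforced: true,
    reason: `--auth is set and admin has ${adminUsers.length} user(s)`,
  };
}

// Constructed sample mirroring the ticket: auth on, one user in "bezos", none in admin.
const sampleCmdLineOpts = {
  argv: ["mongod.exe", "--config", "../sandbox/mongodb.conf"],
  parsed: { auth: "true", config: "../sandbox/mongodb.conf" },
  ok: 1,
};
const sampleUsersByDb = { bezos: [{ user: "scott", readOnly: false }], admin: [] };

console.log(JSON.stringify(authEnforcementStatus(sampleCmdLineOpts, sampleUsersByDb)));
```

In a live mongo shell the two inputs would come from db.getSiblingDB("admin").runCommand({getCmdLineOpts: 1}) and from reading each database's system.users collection.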
