[SERVER-57648] When converting a single instance to arbiter warn if there are users on admin.system.users Created: 11/Jun/21  Updated: 06/Dec/22

Status: Backlog
Project: Core Server
Component/s: None
Affects Version/s: 4.2.13
Fix Version/s: None

Type: Improvement Priority: Minor - P4
Reporter: Adamo Tonete (Inactive) Assignee: Backlog - Security Team
Resolution: Unresolved Votes: 0
Labels: former-quick-wins
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Assigned Teams:
Server Security
Participants:
Case:

Description

When converting a single instance previously configured with users into an arbiter we should warn the user that the target instance does contain users.

This behaviour can mislead the user as the arbiters should not hold any data and therefore should not be able to perform authorization. Also, those users are not in sync with the rest of the cluster.

Here are the steps to reproduce the issue:

Bash:

rm -rf pem.pem
echo "ABCDEFGHIJKLMNOPQABCDEFGHIJKLMNOPQABCDEFGHIJKLMNOPQ" > pem.pem
chmod 500 pem.pem
killall mongod
sleep 5
rm -rf data2 data1
mkdir data1 data2
mongod --dbpath ./data1 --fork --logpath ./data1/log --replSet foo --auth --keyFile pem.pem
sleep 10
mongo localhost/admin --eval 'rs.initiate(); sleep(400); db.createUser({user: "admin", pwd : "123", roles : ["root"]})'
sleep 5
rm -rf ./data2/
mkdir data2
mongod --dbpath ./data2 --fork --logpath ./data2/log --auth --port 27018
sleep 10
mongo localhost:27018/admin --eval 'db.createUser({user: "admin_arb", pwd : "123", roles : ["root"]})'
ps -ef | grep data2 | grep -v color | grep -v data1 | awk '{print $2}' | xargs kill
sleep 5
mongod --dbpath ./data2 --fork --logpath ./data2/log --auth --keyFile pem.pem --replSet foo --port 27018
sleep 5
mongo localhost --port 27017 -uadmin -p123 --authenticationDatabase admin --eval 'rs.addArb("localhost:27018")'
 
sleep 3
# This is not expected:
mongo localhost --port 27018 -uadmin_arb -p123 --authenticationDatabase admin

At the end of the process we are able to log in to the arbiter with the user admin_arb, which is not expected.
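As an added example, not part of this ticket or of the MongoDB code base, the following Python module is the kind of pre-flight check the ticket asks for: given the documents of admin.system.users on the candidate node and, optionally, the rs.conf() of the set, it reports whether the node still carries local users and whether it is already listed as an arbiter. The sample documents are constructed to mirror the repro above (user admin_arb on the node at port 27018); the helper fetch_system_users assumes a pymongo MongoClient authenticated with rights to read admin.system.users and is kept separate so the check itself runs offline.

```python
# Added example (not from SERVER-57648 or the MongoDB code base): warn when a
# mongod about to become, or already serving as, an arbiter still holds users
# in admin.system.users. Arbiters store no data, and their admin.system.users
# is not replicated from the rest of the set, so such users allow logins the
# cluster does not know about.

SAMPLE_SYSTEM_USERS = [  # constructed sample, shaped like admin.system.users documents
    {"_id": "admin.admin_arb", "user": "admin_arb", "db": "admin",
     "roles": [{"role": "root", "db": "admin"}]},
]

SAMPLE_RS_CONFIG = {  # constructed sample, shaped like rs.conf() after rs.addArb()
    "_id": "foo",
    "members": [
        {"_id": 0, "host": "localhost:27017", "arbiterOnly": False},
        {"_id": 1, "host": "localhost:27018", "arbiterOnly": True},
    ],
}


def local_user_entries(system_users_docs):
    """Return sorted (db, user) pairs, one per admin.system.users document."""
    return sorted((doc.get("db", "admin"), doc["user"]) for doc in system_users_docs)


def is_arbiter_member(rs_config, host):
    """True if rs.conf() lists `host` as a member with arbiterOnly set."""
    for member in rs_config.get("members", []):
        if member.get("host") == host:
            return bool(member.get("arbiterOnly", False))
    return False


def check_arbiter_candidate(host, system_users_docs, rs_config=None):
    """Decide whether using `host` as an arbiter deserves a warning.

    Returns {"host", "users", "warn", "message"}; `users` lists the local
    (db, user) pairs found on the node.
    """
    users = local_user_entries(system_users_docs)
    already_arbiter = rs_config is not None and is_arbiter_member(rs_config, host)
    if not users:
        return {"host": host, "users": [], "warn": False,
                "message": f"{host}: no local users; safe to use as an arbiter"}
    listing = ", ".join(f"{db}.{user}" for db, user in users)
    if already_arbiter:
        msg = (f"{host} is configured as an arbiter but still holds local users "
               f"({listing}); they are not replicated from the set and allow "
               "logins the rest of the cluster does not know about")
    else:
        msg = (f"{host} holds local users ({listing}); drop them or wipe the "
               "dbpath before adding the node with rs.addArb()")
    return {"host": host, "users": users, "warn": True, "message": msg}


def fetch_system_users(client):
    """Read admin.system.users through a pymongo MongoClient.

    Assumes the client is authenticated as a user allowed to read that
    collection (for example the root role); kept out of the offline check.
    """
    return list(client["admin"]["system.users"].find({}, {"user": 1, "db": 1, "roles": 1}))


if __name__ == "__main__":
    result = check_arbiter_candidate("localhost:27018", SAMPLE_SYSTEM_USERS, SAMPLE_RS_CONFIG)
    print(("WARNING: " if result["warn"] else "OK: ") + result["message"])
```

Run against the repro, the check flags localhost:27018 as an arbiter that still holds admin.admin_arb; run before rs.addArb() (no rs_config, or the node not yet listed) it tells the operator to drop the users or wipe the dbpath first.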
