[SERVER-5985] It sounds like a loophole in MongoDB Shard Authentication

Created: 01/Jun/12  Updated: 15/Aug/12  Resolved: 09/Aug/12

Status: Closed
Project: Core Server
Component/s: Security, Stability
Affects Version/s: 2.0.5
Fix Version/s: None
Type: Question
Priority: Critical - P2
Reporter: swordsman
Assignee: Spencer Brody (Inactive)
Resolution: Duplicate
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: CentOS 5.8, MongoDB 2.0.5, PHP 5.3.11, PHP mongo driver 1.3 and rockmongo v1.1.1

Description
I use 2 servers to set up MongoDB. Server A: Server B: As usual, I use rockmongo to connect to the MongoDB cluster. I have created a database with 1 normal user and 1 read-only user. When I first connect to the MongoDB cluster, it is normal and correct: it shows just 1 database. However, when I click on the database (refresh) many times, it suddenly lists all the databases, including admin, and worst of all you can add an admin user. Is anything wrong? Is it a bug or a setup problem?
Comments

Comment by Spencer Brody (Inactive) [ 09/Aug/12 ]

Resolving as a duplicate of PHP-315
Comment by Jeremy Mikola [ 11/Jun/12 ]

Apologies for the delayed response. There are already some issues tracking sharding and authentication, so the engineering team is aware; however, I think your problem is specific to the PHP driver's connection re-use. Please follow up once Derick's rewrite is released (and the problem persists).
Comment by swordsman [ 06/Jun/12 ]

Thanks for replying. I will take Derick's advice on creating the MongoDB connection for the moment, and look forward to the newer PHP Mongo driver. About the read-only access through mongos: after cleaning all the lock files, the problem still appears. Should I report it as a bug, or is the MongoDB development team already aware of this issue?
Comment by Derick Rethans [ 05/Jun/12 ]

Just a quick note: we're working on redoing the connection handling code, including making sure the driver doesn't re-use a connection with a different user. I would however suggest that you don't use

Use:

The new driver code will only allow authentication through this as well.
Comment by Jeremy Mikola [ 05/Jun/12 ]

The first issue definitely looks like a connection caching issue. The extension is re-using connections that it should not. I'd wager it doesn't appear until after you've connected with the admin user at least once through PHP. If you're using lighttpd, are you also using PHP FPM? The cached connections hang around in shared memory for the PHP worker process. Restarting Apache with mod_php would flush that, but I'd expect restarting PHP FPM alone would do the same for something like lighttpd/nginx, since PHP isn't so closely tied to the web server.

Regarding your second question, the two console commands actually differ a bit in their code. You can view the JS on the console by accessing the function itself (without invoking it):

Arguably, I think the two should be consistent, but this explains why only db.serverStatus() requires auth credentials.

For your last question, is there any chance you have a stale lock file on disk, which might be retaining lesser auth credentials? See http://stackoverflow.com/questions/9297544/mongo-commandline-admin-auth-fails. Otherwise, that sounds like a bug.
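The connection-reuse failure Jeremy describes above, modelled as an added example in Python. This is not the PHP driver's code; the class and method names, the host string and the server-side rule inside list_databases are all assumptions made for the model. It contrasts a pool keyed only by host, which hands a socket that already carries an admin session to a later read-only request, with a pool keyed by (host, database, user):

```python
"""Model of a driver-side connection pool that ignores authentication
identity when handing out cached connections, next to a pool that keys
on (host, database, user). Constructed illustration, not the PHP
driver's code; every name and the server rule below are assumptions."""

from dataclasses import dataclass, field


@dataclass
class Connection:
    host: str
    # Set of (database, user) pairs this socket has authenticated as.
    # A real server keeps this state per socket, which is why re-using
    # a socket across users leaks the earlier user's privileges.
    authenticated: set = field(default_factory=set)

    def authenticate(self, db, user):
        self.authenticated.add((db, user))

    def list_databases(self):
        # Hypothetical server rule for this model: listing every database
        # (including admin) requires an admin credential on the socket;
        # an app-database credential only sees its own database.
        if any(db == "admin" for db, _ in self.authenticated):
            return ["admin", "app"]
        if any(db == "app" for db, _ in self.authenticated):
            return ["app"]
        raise PermissionError("unauthorized")


class PoolKeyedByHost:
    """Vulnerable: the cache key is the host only, so a later request
    authenticated as a lesser user receives a socket that already carries
    an admin session from an earlier request in the same worker."""

    def __init__(self):
        self._pool = {}

    def connect(self, host, db, user):
        conn = self._pool.get(host)
        if conn is None:
            conn = Connection(host)
            self._pool[host] = conn
        conn.authenticate(db, user)
        return conn


class PoolKeyedByIdentity:
    """Fixed: the cache key includes database and user, so sockets are
    never shared across credentials."""

    def __init__(self):
        self._pool = {}

    def connect(self, host, db, user):
        key = (host, db, user)
        conn = self._pool.get(key)
        if conn is None:
            conn = Connection(host)
            conn.authenticate(db, user)
            self._pool[key] = conn
        return conn


def simulate(pool_cls):
    """Replay the sequence from the report inside one worker process:
    an admin request first, then a read-only request on the same host.
    Returns what the read-only user ends up seeing."""
    pool = pool_cls()
    pool.connect("mongos:27017", "admin", "root").list_databases()
    ro = pool.connect("mongos:27017", "app", "reader")
    return ro.list_databases()
```

simulate(PoolKeyedByHost) returns ["admin", "app"], the behaviour reported in the description; simulate(PoolKeyedByIdentity) returns ["app"]. Restarting the worker (the PHP FPM restart suggested above) empties the pool and hides the symptom until an admin connection is made again, which is why keying the pool on the authenticated identity, not restarting, is the fix.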
Comment by swordsman [ 05/Jun/12 ]

Through PHP

Other questions:

); It should be the same behaviour, right? db.runCommand( { serverStatus : 1 } );

2nd) When I connect to mongos, I found that the read-only user is not working even in the command-line interface. What I expect is read-only access to a particular database, but it cannot read at all. Is that feature not ready yet in mongos? > db.test.find();
Comment by Jeremy Mikola [ 01/Jun/12 ]

I'm going to try to reproduce this locally. In the meantime, can you answer the following?