[SERVER-8144] Authenticating as 2 users on the same database should cause the first user's privileges to be replaced by the second user's but doesn't
Created: 10/Jan/13  Updated: 11/Jul/16  Resolved: 18/Jan/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.3.2
Fix Version/s: 2.4.0-rc0

Type: Bug
Priority: Major - P3
Reporter: Spencer Brody (Inactive)
Assignee: Andy Schwerin
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to SERVER-8157 Server should allow multiple users st... Closed
Operating System: ALL
Participants:

 Description   

./mongo
Thu Jan 10 17:39:07.837 kern.sched unavailable
MongoDB shell version: 2.3.2-pre-
connecting to: test
Thu Jan 10 17:39:08.198 javascript execution failed src/mongo/shell/utils.js:1595 don't know how to show [startupWarnings]
throw "don't know how to show [" + what + "]";
                                        ^
 
test[17:39:8]> db.auth('bob','password')
1
test[17:39:14]> db.foo.find()
Fetched 0 record(s) in 2ms
test[17:39:16]> db.foo.insert({a:1})
not authorized for insert on test.foo
test[17:39:20]> db.foo.find()
Fetched 0 record(s) in 1ms
test[17:39:21]> db.logout()
{ "ok": 1 }
test[17:39:26]> db.foo.find()
error: {
        "$err": "not authorized for query on test.foo",
        "code": 16550
}
test[17:39:28]> db.auth('spencer','password')
1
test[17:39:33]> db.system.users.find()
{ "_id": ObjectId("50ef418c880af0f87bf98eb2"), "user": "spencer", "pwd": "22c83553ed7ce252d8b0c9f716cae4de", "roles": [ "readWrite", "dbAdmin", "userAdmin" ] }
{ "_id": ObjectId("50ef4197880af0f87bf98eb3"), "user": "bob", "pwd": "039ba486774a40d3e31be457098499fc", "roles": [ "read" ] }
Fetched 2 record(s) in 16ms
test[17:39:37]> db.foo.insert({a:1})
Inserted 1 record(s) in NaNms
test[17:39:42]> db.foo.find()
{ "_id": ObjectId("50ef432ead82c26214defead"), "a": 1 }
Fetched 1 record(s) in 2ms
test[17:39:44]> db.auth('bob','password')
1
test[17:39:49]> db.foo.insert({a:1}); // This should fail since bob is read-only, but will succeed
Inserted 1 record(s) in NaNms
test[17:40:6]> db.foo.find()
{ "_id": ObjectId("50ef432ead82c26214defead"), "a": 1 }
{ "_id": ObjectId("50ef4346ad82c26214defeae"), "a": 1 }
Fetched 2 record(s) in 3ms
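
The session above, replayed against a toy model of per-connection authorization state. This is an added example, not part of the original report and not MongoDB's code: the class, the function names and the role-to-action table are hypothetical simplifications, with user names and roles taken from the system.users output in the description.

```javascript
// Toy model of one connection's authorization state (added illustration,
// not MongoDB's code; all class and function names are hypothetical).
// Simplified assumption: only the find/insert actions used in the ticket.
const ROLE_ACTIONS = {
  read: ["find"],
  readWrite: ["find", "insert"],
  dbAdmin: [],
  userAdmin: [],
};

class ConnectionAuth {
  // replaceOnReauth=false behaves like the session in the description;
  // replaceOnReauth=true is the behaviour the ticket title asks for.
  constructor(users, replaceOnReauth) {
    this.users = users; // db -> { userName: [roles] } (passwords not modelled)
    this.replaceOnReauth = replaceOnReauth;
    this.sessions = new Map(); // db -> Map(userName -> Set(actions))
  }
  auth(db, user) {
    const roles = (this.users[db] || {})[user];
    if (!roles) return false; // unknown user: nothing is granted
    if (this.replaceOnReauth || !this.sessions.has(db)) {
      this.sessions.set(db, new Map()); // drop the previous user's grants
    }
    const actions = new Set(roles.flatMap((r) => ROLE_ACTIONS[r] || []));
    this.sessions.get(db).set(user, actions);
    return true;
  }
  logout(db) {
    this.sessions.delete(db);
  }
  isAuthorized(db, action) {
    const grants = this.sessions.get(db);
    return !!grants && [...grants.values()].some((a) => a.has(action));
  }
}

// Replays the db.auth/db.logout order from the description and reports what
// the connection may do right after the final authentication as bob.
function replayTicket(replaceOnReauth) {
  const users = { test: { spencer: ["readWrite", "dbAdmin", "userAdmin"], bob: ["read"] } };
  const conn = new ConnectionAuth(users, replaceOnReauth);
  conn.auth("test", "bob");
  conn.logout("test");
  conn.auth("test", "spencer");
  conn.auth("test", "bob");
  return { insert: conn.isAuthorized("test", "insert"), find: conn.isAuthorized("test", "find") };
}
console.log({ reported: replayTicket(false), expected: replayTicket(true) });
```

A regression test for this ticket needs the same shape: authenticate the privileged user first, then the read-only user on the same database, and assert that the write is rejected.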
 



 Comments   
Comment by auto [ 18/Jan/13 ]

Author: Andy Schwerin <schwerin@10gen.com> (2013-01-18T20:52:52Z)

Message: SERVER-8144 Authenticating 2 users on a db should replace the 1st's privileges with the 2nd's.
Branch: master
https://github.com/mongodb/mongo/commit/2860b2f11ce7692daa56bb16902f316874955ac2

Comment by Spencer Brody (Inactive) [ 17/Jan/13 ]

Assigning to Andy as I ran out of time to do this today and am on vacation tomorrow.

Generated at Thu Feb 08 03:16:40 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.