[SERVER-8626] User with read role can do fsync unlock in sharded cluster
Created: 20/Feb/13
Updated: 20/Feb/13
Resolved: 20/Feb/13

Status: Closed
Project: Core Server
Component/s: Security, Sharding
Affects Version/s: 2.4.0-rc0
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Randolph Tan
Assignee: Spencer Brody (Inactive)
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Operating System: ALL
Participants:

 Comments   
Comment by Randolph Tan [ 20/Feb/13 ]

Sorry, that was my mistake. My test script was only checking for { err: 'unauthorized' }.

Comment by Spencer Brody (Inactive) [ 20/Feb/13 ]

When I try to run fsyncUnlock through mongos I get:

> db.fsyncUnlock()
{ "err": "can't do unlock through mongos" }

renctan, can you explain more the steps you took where you saw this?

Comment by Randolph Tan [ 20/Feb/13 ]

It also looks like any user can do fsyncUnlock, even for users with no role, in a sharded cluster.

Generated at Thu Feb 08 03:17:56 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.