[SERVER-8798] Shell doesn't invalidate cached credentials at db.logout()

Created: 01/Mar/13
Updated: 11/Jul/16
Resolved: 23/May/13

Status: Closed
Project: Core Server
Component/s: Security, Shell
Affects Version/s: 2.4.0-rc1
Fix Version/s: 2.5.1

Type: Task
Priority: Major - P3
Reporter: J Rassi
Assignee: Andreas Nilsson
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The shell doesn't invalidate cached database credentials when db.logout() is run. Thus, db.logout() will be "undone" if there is a connection reset.

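// handles used below (assumed setup: database names inferred from the comments)
var testDb = db.getSiblingDB('testDb')
var adminDb = db.getSiblingDB('admin')

// insert data as topsecretuser, who has r/w to testDb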
testDb.auth('topsecretuser','p')
testDb.secrets.insert({data:"secret"})
 
// log out as topsecretuser
testDb.logout()
testDb.secrets.findOne() // returns error, as expected
 
// log in as clusteruser, who has clusterAdmin
// use stepdown to force database reconnection (can also cycle mongod, etc)
adminDb.auth('clusteruser','p')
adminDb.runCommand({ replSetStepDown: 60 })
 
// topsecretuser gets logged in again
testDb.setSlaveOk()
testDb.secrets.findOne() // returns success, unexpected
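
A simplified model of the behaviour reported above, added here as an example and not taken from the MongoDB shell or server source: it replays the same sequence against a client that keeps an auth cache for reconnects, once without and once with cache invalidation on logout. `FakeServer`, `ShellConnection`, `replay` and `invalidateOnLogout` are hypothetical names, and per-database sessions are a simplification.

```javascript
// Constructed model of the reported issue. All class, function and option
// names here are hypothetical; this is not MongoDB shell code.
class FakeServer {
  constructor(users) { this.users = users; this.sessions = new Map(); }
  connect() { const sock = Symbol('socket'); this.sessions.set(sock, new Set()); return sock; }
  auth(sock, db, user, pwd) {
    if (this.users[`${db}.${user}`] !== pwd) return false;
    this.sessions.get(sock).add(db);        // auth state lives on the socket
    return true;
  }
  logout(sock, db) { this.sessions.get(sock).delete(db); }
  canRead(sock, db) { const s = this.sessions.get(sock); return !!s && s.has(db); }
  dropConnections() { this.sessions.clear(); } // stands in for the stepdown in the report
}

class ShellConnection {
  constructor(server, { invalidateOnLogout }) {
    this.server = server;
    this.invalidateOnLogout = invalidateOnLogout;
    this.authCache = new Map();             // db -> credentials replayed on reconnect
    this.sock = server.connect();
  }
  auth(db, user, pwd) {
    const ok = this.server.auth(this.sock, db, user, pwd);
    if (ok) this.authCache.set(db, { user, pwd });
    return ok;
  }
  logout(db) {
    this.server.logout(this.sock, db);
    if (this.invalidateOnLogout) this.authCache.delete(db); // drop cached credentials too
  }
  reconnect() {
    this.sock = this.server.connect();
    for (const [db, c] of this.authCache) this.server.auth(this.sock, db, c.user, c.pwd);
  }
  canRead(db) { return this.server.canRead(this.sock, db); }
}

function replay(invalidateOnLogout) {
  const server = new FakeServer({ 'testDb.topsecretuser': 'p', 'admin.clusteruser': 'p' });
  const conn = new ShellConnection(server, { invalidateOnLogout });
  conn.auth('testDb', 'topsecretuser', 'p');
  conn.logout('testDb');
  const afterLogout = conn.canRead('testDb');   // false in both variants
  conn.auth('admin', 'clusteruser', 'p');
  server.dropConnections();                     // forces the client to reconnect
  conn.reconnect();
  return { afterLogout, afterReconnect: conn.canRead('testDb'), adminAfterReconnect: conn.canRead('admin') };
}
```

A regression test for this class of bug needs the connection reset step: checking access immediately after logout passes in both variants.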



 Comments   
Comment by auto [ 23/May/13 ]

Author: Andreas Nilsson (agralius) <andreas.nilsson@10gen.com>

Message: SERVER-8798 Removing user credentials from auth cache on logout
Branch: master
https://github.com/mongodb/mongo/commit/6938769d485509434aacf5241b9a4cc14ebdf025
