[SERVER-9698] mongostat exception with --discover on sharded cluster with kerberos Created: 15/May/13  Updated: 11/Jul/16  Resolved: 23/May/13

Status: Closed
Project: Core Server
Component/s: Security, Tools
Affects Version/s: 2.2.4, 2.4.3, 2.4.4
Fix Version/s: 2.5.1

Type: Bug Priority: Major - P3
Reporter: Michael Grundy Assignee: Andy Schwerin
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

2.4.4-pre Enterprise Kerberos auth, cyrus sasl


Operating System: ALL
Steps To Reproduce:

In a sharded cluster with kerberos authentication, run mongostat --authenticationMechanism=GSSAPI --authenticationDatabase='$external' --username grund/admin@REALM99.10GEN.ME --host mongod1.realm99.10gen.me --discover

Multiple exceptions.
mongos start:
KRB5_KTNAME=/etc/${host}.keytab ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongos --keyFile /etc/db.key --setParameter authenticationMechanisms=GSSAPI --fork --logpath=/home/ec2-user/mongos.log

mongod (shard) start:
KRB5_KTNAME=/etc/${host}.keytab ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongos --keyFile /etc/db.key --setParameter authenticationMechanisms=GSSAPI --fork --logpath=/home/ec2-user/mongod.log --shardsvr

mongod (config) start:
KRB5_KTNAME=/etc/${host}.keytab ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongod --keyFile /etc/db.key --auth --setParameter authenticationMechanisms=GSSAPI --dbpath /data/db --smallfiles --nojournal --fork --logpath=/home/ec2-user/mongod.log

 Description   

Using the --discover flag on mongostat in a kerberos environment results in multiple exceptions:

[ec2-user@mongod1 ~]$ ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongostat --authenticationMechanism=GSSAPI --authenticationDatabase='$external' --username grund/admin@REALM99.10GEN.ME --host mongod1.realm99.10gen.me --discover 
connected to: mongod1.realm99.10gen.me
 
                        	insert  query update delete getmore command  vsize    res faults  netIn netOut  conn repl       time
mongod1.realm99.10gen.me	     0      1      0      0       0       1   279m    11m      0   109b     1k     2  RTR   14:38:03
Wed May 15 14:38:03.370 Assertion: 13111:field not found, expected type 2
Wed May 15 14:38:03.370 Assertion: 13111:field not found, expected type 2
0xc1ba860xc1ba86  0xbe35d90xbe35d9  0xbe36fc0xbe36fc 0x7075d9  0x70c684 0x701add 0xc55a0c 0x7f720c86cc6b 0x7f720b5e95ed0x7075d9
0x70c684 0x701add 0xc55a0c 0x7f720c86cc6b 0x7f720b5e95ed
Wed May 15 14:38:03.372 Assertion: 13111:field not found, expected type 2
0xc1ba86 0xbe35d9 0xbe36fc 0x7075d9 0x70c684 0x701add 0xc55a0c 0x7f720c86cc6b 0x7f720b5e95ed
Wed May 15 14:38:03.372 Assertion: 13111:field not found, expected type 2
0xc1ba86 0xbe35d9 0xbe36fc 0x7075d9 0x70c684 0x701add 0xc55a0c 0x7f720c86cc6b 0x7f720b5e95ed
 ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongostat(_ZN5mongo15printStackTraceERSo+0x26) [0xc1ba86]
 ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongostat(_ZN5mongo11msgassertedEiPKc+0xa9) [0xbe35d9]
 ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongostat() [0xbe36fc]
 ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongostat(_ZNK5mongo11BSONElement6StringEv+0x129) [0x7075d9]
 ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongostat(_ZN5mongo4Stat12serverThreadEN5boost10shared_ptrINS0_11ServerStateEEEi+0x7a4) [0x70c684]
 ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongostat(_ZN5boost6detail11thread_dataINS_3_bi6bind_tIvPFvNS_10shared_ptrIN5mongo4Stat11ServerStateEEEiENS2_5list2INS2_5valueIS8_EENSC_IiEEEEEEE3runEv+0x3d) [0x701add]
 ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongostat() [0xc55a0c]
 /lib64/libpthread.so.0(+0x7c6b) [0x7f720c86cc6b]
 /lib64/libc.so.6(clone+0x6d) [0x7f720b5e95ed]
 ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongostat(_ZN5mongo15printStackTraceERSo+0x26) [0xc1ba86]
 ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongostat(_ZN5mongo11msgassertedEiPKc+0xa9) [0xbe35d9]
 ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongostat() [0xbe36fc]
 ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongostat(_ZNK5mongo11BSONElement6StringEv+0x129) [0x7075d9]
 ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongostat(_ZN5mongo4Stat12serverThreadEN5boost10shared_ptrINS0_11ServerStateEEEi+0x7a4) [0x70c684]
 ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongostat(_ZN5boost6detail11thread_dataINS_3_bi6bind_tIvPFvNS_10shared_ptrIN5mongo4Stat11ServerStateEEEiENS2_5list2INS2_5valueIS8_EENSC_IiEEEEEEE3runEv+0x3d) [0x701add]
 ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongostat() [0xc55a0c]
 /lib64/libpthread.so.0(+0x7c6b) [0x7f720c86cc6b]
 /lib64/libc.so.6(clone+0x6d) [0x7f720b5e95ed]
 ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongostat(_ZN5mongo15printStackTraceERSo+0x26) [0xc1ba86]
 ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongostat(_ZN5mongo11msgassertedEiPKc+0xa9) [0xbe35d9]
 ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongostat() [0xbe36fc]
 ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongostat(_ZNK5mongo11BSONElement6StringEv+0x129) [0x7075d9]
 ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongostat(_ZN5mongo4Stat12serverThreadEN5boost10shared_ptrINS0_11ServerStateEEEi+0x7a4) [0x70c684]
 ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongostat(_ZN5boost6detail11thread_dataINS_3_bi6bind_tIvPFvNS_10shared_ptrIN5mongo4Stat11ServerStateEEEiENS2_5list2INS2_5valueIS8_EENSC_IiEEEEEEE3runEv+0x3d) [0x701add]
 ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongostat() [0xc55a0c]
 /lib64/libpthread.so.0(+0x7c6b) [0x7f720c86cc6b]
 /lib64/libc.so.6(clone+0x6d) [0x7f720b5e95ed]
 ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongostat(_ZN5mongo15printStackTraceERSo+0x26) [0xc1ba86]
 ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongostat(_ZN5mongo11msgassertedEiPKc+0xa9) [0xbe35d9]
 ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongostat() [0xbe36fc]
 ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongostat(_ZNK5mongo11BSONElement6StringEv+0x129) [0x7075d9]
 ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongostat(_ZN5mongo4Stat12serverThreadEN5boost10shared_ptrINS0_11ServerStateEEEi+0x7a4) [0x70c684]
 ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongostat(_ZN5boost6detail11thread_dataINS_3_bi6bind_tIvPFvNS_10shared_ptrIN5mongo4Stat11ServerStateEEEiENS2_5list2INS2_5valueIS8_EENSC_IiEEEEEEE3runEv+0x3d) [0x701add]
 ./mongodb-linux-x86_64-subscription-rhel62-v2.4-2013-05-06/bin/mongostat() [0xc55a0c]
 /lib64/libpthread.so.0(+0x7c6b) [0x7f720c86cc6b]
 /lib64/libc.so.6(clone+0x6d) [0x7f720b5e95ed]



 Comments   
Comment by auto [ 23/May/13 ]

Author: Andy Schwerin (andy10gen) <schwerin@10gen.com>

Message: SERVER-9698 Improve error reporting in mongostat when run with insufficient privileges.

With this patch, a user running mongostat without sufficient privilege to
execute serverStatus on the targeted server will see the following message:

<hostname> serverStatus failed: unauthorized

The mongostat process will not terminate in this circumstance, nor did it
before this patch.

With this patch, a user running mongostat with sufficient privilege to run
serverStatus against an instance of mongos, but without sufficient privilege to
read from the cluster's config.shards collection will periodically see the
following output:

<hostname> nextSafe():

{ $err: "not authorized for query on config.shards", code: 16549 }

The mongostat process will not terminate in this circumstance. Previous
behavior was to print a stack trace and terminate.
Branch: master
https://github.com/mongodb/mongo/commit/2c26026c1b2554bc15a9745598d71a10a52b4d21

Comment by Andy Schwerin [ 17/May/13 ]

No regression (even from 2.2), no backport. It's not actually a GSSAPI bug, but bad behavior in mongostat when the authenticated user has insufficient privilege.

Comment by Andy Schwerin [ 17/May/13 ]

This is not a regression from 2.4.3 mongostat behavior, and likely not from 2.2.

Comment by Andy Schwerin [ 17/May/13 ]

In 2.4, mongostat --discover requires a user with "clusterAdmin" role on the "admin" database and "read" role on the "config" database, in order to be able to run serverStatus and read shard information from the config server.
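The messages quoted in the commit message and the role requirement in the comment above can be combined into a triage check over captured mongostat output. This is an added example, not code from the ticket or from MongoDB: the function name, the sample host names and the pairing of each message with a role are assumptions drawn from the text above, and the sample lines are constructed.

```python
import re

# Message shapes taken from the commit message quoted in this ticket.
SERVER_STATUS = re.compile(r"^(?P<host>\S+) serverStatus failed: unauthorized")
NEXT_SAFE = re.compile(r"^(?P<host>\S+) nextSafe\(\):")
CONFIG_DENIED = re.compile(r"not authorized for query on config\.shards")
OLD_ASSERT = re.compile(r"Assertion: 13111:field not found")  # output before the fix

def triage(lines):
    """Return de-duplicated (host, problem, role_to_check) tuples in first-seen order."""
    findings, host = [], None

    def add(item):
        if item not in findings:  # mongostat repeats these messages periodically
            findings.append(item)

    for raw in lines:
        line = raw.strip()
        m = SERVER_STATUS.match(line)
        if m:
            add((m.group("host"), "serverStatus denied", 'clusterAdmin on "admin"'))
            continue
        m = NEXT_SAFE.match(line)
        if m:
            host = m.group("host")  # the error document may follow on a later line
        if CONFIG_DENIED.search(line):
            add((host, "config.shards read denied", 'read on "config"'))
            host = None
        elif OLD_ASSERT.search(line):
            # The old output names no host, so both roles need checking.
            add((None, "pre-fix 13111 assertion",
                 'clusterAdmin on "admin" and read on "config"'))
    return findings

# Constructed sample output; host names are placeholders.
SAMPLE = [
    "mongos1.example.net serverStatus failed: unauthorized",
    "mongos1.example.net serverStatus failed: unauthorized",
    "mongos2.example.net nextSafe():",
    "",
    '{ $err: "not authorized for query on config.shards", code: 16549 }',
    "Wed May 15 14:38:03.370 Assertion: 13111:field not found, expected type 2",
]

if __name__ == "__main__":
    for host, problem, role in triage(SAMPLE):
        print(f"{host or '(unknown host)'}: {problem}; check role: {role}")
```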
