<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 03:30:47 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
<language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-13148] Authentication still holds after user removed</title>
                <link>https://jira.mongodb.org/browse/SERVER-13148</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;We have a database called &quot;try&quot; and a user with &quot;userAdmin&quot; privilege on that database named &quot;userA&quot;.&lt;/p&gt;

&lt;p&gt;First we authenticate userA using&lt;br/&gt;
db.auth(&quot;userA&quot;,&quot;a&quot;)&lt;br/&gt;
Then, we remove userA using&lt;br/&gt;
db.removeUser(&quot;userA&quot;)&lt;br/&gt;
Then, we try to add a user on database &quot;try&quot;&lt;br/&gt;
db.addUser(&lt;/p&gt;
{user:&quot;userB&quot;,pwd:&quot;b&quot;,roles:[&quot;read&quot;]}
&lt;p&gt;)&lt;br/&gt;
It still works!&lt;br/&gt;
Now we authenticate B&lt;br/&gt;
db.auth(&quot;userB&quot;)&lt;br/&gt;
And see the content of Database&lt;br/&gt;
db.customers.find()&lt;br/&gt;
This shows the documents.&lt;/p&gt;

&lt;p&gt;The problem is that the user authentication seems to still be there even after the user itself has been removed. The removeUser() implementation should call db.runCommand(&lt;/p&gt;
{logout:1}
&lt;p&gt;) if the current authenticated user is the user being removed.&lt;/p&gt;

&lt;p&gt;Note: I tried it in an --auth enabled environment.&lt;/p&gt;</description>
                <environment></environment>
        <key id="119580">SERVER-13148</key>
            <summary>Authentication still holds after user removed</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="4" iconUrl="https://jira.mongodb.org/images/icons/priorities/minor.svg">Minor - P4</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="3">Duplicate</resolution>
                                        <assignee username="andreas.nilsson">Andreas Nilsson</assignee>
                                    <reporter username="wongsolo">yudho ahmad diponegoro</reporter>
                        <labels>
                            <label>authentication</label>
                            <label>authorization</label>
                            <label>security</label>
                    </labels>
                <created>Wed, 12 Mar 2014 09:03:47 +0000</created>
                <updated>Wed, 10 Dec 2014 23:07:12 +0000</updated>
                            <resolved>Thu, 13 Mar 2014 15:29:47 +0000</resolved>
                                                                    <component>Security</component>
                                        <votes>0</votes>
                                    <watches>7</watches>
                <comments>
                            <comment id="515885" author="wongsolo" created="Fri, 14 Mar 2014 02:37:01 +0000"  >&lt;p&gt;Good, I am relieved that this has been known and will be fixed. All the best for mongodb.&lt;/p&gt;</comment>
                            <comment id="515222" author="spencer" created="Thu, 13 Mar 2014 15:26:42 +0000"  >&lt;p&gt;Hi Yudho,&lt;br/&gt;
Sorry about the confusion, this is actually a known issue in 2.4 and prior: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-6620&quot; title=&quot;Auth credentials should be invalidated when user is removed&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-6620&quot;&gt;&lt;del&gt;SERVER-6620&lt;/del&gt;&lt;/a&gt;.  Privileges in 2.4 and prior are acquired at authentication time and then never revoked unless the connection closes or the logout command is run.  This will be fixed in the upcoming 2.6 release.  In 2.6, any changes made to a user (including dropping that user) will be immediately reflected on all logged in connections to a mongod.  In a sharded system, the mongos that made the change will see it immediately on all connections, but the other mongoses in the system will have a delay for the change to propagate, which defaults to 10 minutes but can be tuned down at the cost of extra load on the config servers.&lt;/p&gt;</comment>
                            <comment id="514958" author="wongsolo" created="Thu, 13 Mar 2014 02:39:06 +0000"  >&lt;p&gt;The database version is 2.4.9. Below is the clearer version of the test. The problem persists even after logging out explicitly before creating a new user. Please use this instead of the one in my previous comment (Update: I have deleted my previous comment). Thanks.&lt;/p&gt;


&lt;p&gt;$ mongo&lt;br/&gt;
MongoDB shell version: 2.4.9&lt;br/&gt;
connecting to: test&lt;br/&gt;
&amp;gt; use admin&lt;br/&gt;
switched to db admin&lt;br/&gt;
&amp;gt; db.runCommand(&lt;/p&gt;
{logout:1}
&lt;p&gt;) //ensuring no user is authenticated&lt;/p&gt;
{ &quot;ok&quot; : 1 }
&lt;p&gt;&amp;gt; db.system.users.find()&lt;br/&gt;
error: &lt;/p&gt;
{ &quot;$err&quot; : &quot;not authorized for query on admin.system.users&quot;, &quot;code&quot; : 16550 }
&lt;p&gt;&amp;gt; db.auth(&quot;a&quot;,&quot;a&quot;)&lt;br/&gt;
1&lt;br/&gt;
&amp;gt; db.system.users.find()&lt;/p&gt;
{ &quot;_id&quot; : ObjectId(&quot;5320e2f23f9774ccf2c3fec8&quot;), &quot;user&quot; : &quot;a&quot;, &quot;pwd&quot; : &quot;5b4670e18ca64d7351f100f99fc5d0ba&quot;, &quot;roles&quot; : [  &quot;userAdminAnyDatabase&quot; ] }
&lt;p&gt;&amp;gt; //only user a as super user&lt;br/&gt;
&amp;gt; use auth_try&lt;br/&gt;
switched to db auth_try&lt;br/&gt;
&amp;gt; db.system.users.find()&lt;br/&gt;
&amp;gt; //db auth_try doesnt have any user&lt;br/&gt;
&amp;gt; //creating a user admin for auth_try database&lt;br/&gt;
&amp;gt; db.addUser(&lt;/p&gt;
{user:&quot;b&quot;,pwd:&quot;b&quot;,roles:[&quot;userAdmin&quot;]}
&lt;p&gt;)&lt;/p&gt;
{
        &quot;user&quot; : &quot;b&quot;,
        &quot;pwd&quot; : &quot;6656024ee11c4a6ad77ea80e32248a6a&quot;,
        &quot;roles&quot; : [
                &quot;userAdmin&quot;
        ],
        &quot;_id&quot; : ObjectId(&quot;532117db7d9c5f7aa7b8c2f4&quot;)
}
&amp;gt; db.system.users.find()
{ &quot;_id&quot; : ObjectId(&quot;532117db7d9c5f7aa7b8c2f4&quot;), &quot;user&quot; : &quot;b&quot;, &quot;pwd&quot; : &quot;6656024ee11c4a6ad77ea80e32248a6a&quot;, &quot;roles&quot; : [  &quot;userAdmin&quot; ] }
&lt;p&gt;&amp;gt; //now logout from both auth_try db and admin db&lt;br/&gt;
&amp;gt; db.runCommand(&lt;/p&gt;
{logout:1}
&lt;p&gt;)&lt;/p&gt;
{ &quot;ok&quot; : 1 }
&lt;p&gt;&amp;gt; use admin&lt;br/&gt;
switched to db admin&lt;br/&gt;
&amp;gt; db.runCommand(&lt;/p&gt;
{logout:1}
&lt;p&gt;)&lt;/p&gt;
{ &quot;ok&quot; : 1 }
&lt;p&gt; //now there is no active / authenticated user&lt;br/&gt;
&amp;gt; use auth_try&lt;br/&gt;
switched to db auth_try&lt;br/&gt;
&amp;gt; //try to add user with no login&lt;br/&gt;
&amp;gt; db.addUser(&lt;/p&gt;
{user:&quot;c&quot;,pwd:&quot;c&quot;,roles:[&quot;read&quot;]}
&lt;p&gt;)&lt;br/&gt;
{&lt;br/&gt;
        &quot;user&quot; : &quot;c&quot;,&lt;br/&gt;
        &quot;pwd&quot; : &quot;7f0b49c365b73d574004631740ced692&quot;,&lt;br/&gt;
        &quot;roles&quot; : [&lt;br/&gt;
                &quot;read&quot;&lt;br/&gt;
        ],&lt;br/&gt;
        &quot;_id&quot; : ObjectId(&quot;532118337d9c5f7aa7b8c2f5&quot;)&lt;br/&gt;
}&lt;br/&gt;
Thu Mar 13 09:30:11.572 couldn&apos;t add user: not authorized for insert on auth_try.system.users at src/mongo/shell/db.js:128&lt;br/&gt;
&amp;gt; //user cannot be added&lt;br/&gt;
&amp;gt; //login as user admin &quot;b&quot;&lt;br/&gt;
&amp;gt; db.auth(&quot;b&quot;,&quot;b&quot;) // b must be the only one authenticated user currently&lt;br/&gt;
1&lt;br/&gt;
&amp;gt; //create &quot;c&quot;&lt;br/&gt;
&amp;gt; db.addUser(&lt;/p&gt;
{user:&quot;c&quot;,pwd:&quot;c&quot;,roles:[&quot;read&quot;]}
&lt;p&gt;)&lt;/p&gt;
{
        &quot;user&quot; : &quot;c&quot;,
        &quot;pwd&quot; : &quot;7f0b49c365b73d574004631740ced692&quot;,
        &quot;roles&quot; : [
                &quot;read&quot;
        ],
        &quot;_id&quot; : ObjectId(&quot;5321186c7d9c5f7aa7b8c2f6&quot;)
}
&amp;gt; db.system.users.find()
{ &quot;_id&quot; : ObjectId(&quot;532117db7d9c5f7aa7b8c2f4&quot;), &quot;user&quot; : &quot;b&quot;, &quot;pwd&quot; : &quot;6656024ee11c4a6ad77ea80e32248a6a&quot;, &quot;roles&quot; : [  &quot;userAdmin&quot; ] }
{ &quot;_id&quot; : ObjectId(&quot;5321186c7d9c5f7aa7b8c2f6&quot;), &quot;user&quot; : &quot;c&quot;, &quot;pwd&quot; : &quot;7f0b49c365b73d574004631740ced692&quot;, &quot;roles&quot; : [  &quot;read&quot; ] }
&lt;p&gt;&amp;gt; //now remove &quot;b&quot;&lt;br/&gt;
&amp;gt; db.removeUser(&quot;b&quot;)&lt;br/&gt;
&amp;gt; //try to make user &quot;d&quot;, it is supposed to fail since &quot;b&quot; has just been removed&lt;br/&gt;
&amp;gt; db.addUser(&lt;/p&gt;
{user:&quot;d&quot;,pwd:&quot;d&quot;,roles:[&quot;read&quot;]}
&lt;p&gt;)&lt;/p&gt;
{
        &quot;user&quot; : &quot;d&quot;,
        &quot;pwd&quot; : &quot;82927a83e3fce00ad0c7d08825093339&quot;,
        &quot;roles&quot; : [
                &quot;read&quot;
        ],
        &quot;_id&quot; : ObjectId(&quot;532118bf7d9c5f7aa7b8c2f7&quot;)
}
&amp;gt; //it is added!!
&amp;gt; db.system.users.find()
{ &quot;_id&quot; : ObjectId(&quot;5321186c7d9c5f7aa7b8c2f6&quot;), &quot;user&quot; : &quot;c&quot;, &quot;pwd&quot; : &quot;7f0b49c365b73d574004631740ced692&quot;, &quot;roles&quot; : [  &quot;read&quot; ] }
{ &quot;_id&quot; : ObjectId(&quot;532118bf7d9c5f7aa7b8c2f7&quot;), &quot;user&quot; : &quot;d&quot;, &quot;pwd&quot; : &quot;82927a83e3fce00ad0c7d08825093339&quot;, &quot;roles&quot; : [  &quot;read&quot; ] }
&lt;p&gt;&amp;gt; //and just now we could access system.users too using a user that has just been removed&lt;br/&gt;
&amp;gt; db.runCommand(&lt;/p&gt;
{logout:1}
&lt;p&gt;)&lt;/p&gt;
{ &quot;ok&quot; : 1 }
&lt;p&gt;&amp;gt; db.system.users.find()&lt;br/&gt;
error: {&lt;br/&gt;
        &quot;$err&quot; : &quot;not authorized for query on auth_try.system.users&quot;,&lt;br/&gt;
        &quot;code&quot; : 16550&lt;br/&gt;
}&lt;br/&gt;
&amp;gt; //only now, after logout, authentication works again.&lt;br/&gt;
&amp;gt;&lt;/p&gt;</comment>
                            <comment id="514151" author="andreas.nilsson@10gen.com" created="Wed, 12 Mar 2014 14:44:51 +0000"  >&lt;p&gt;So I believe what is happening here is that the &amp;lt;superuser&amp;gt; is still logged on when you attempt to create user B. &lt;/p&gt;

&lt;p&gt;Can you try to log out the super user from the admin DB before attempting to create user B? Also, which version of the database are you using?&lt;/p&gt;

&lt;p&gt;Thanks. &lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10010">
                    <name>Duplicate</name>
                                            <outwardlinks description="duplicates">
                                        <issuelink>
            <issuekey id="45607">SERVER-6620</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>4.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Wed, 12 Mar 2014 14:44:51 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        9 years, 48 weeks, 6 days ago
    
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>ramon.fernandez@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            9 years, 48 weeks, 6 days ago
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10000" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Old_Backport</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10000"><![CDATA[No]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10032" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Operating System</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10026"><![CDATA[ALL]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>andreas.nilsson</customfieldvalue>
            <customfieldvalue>spencer@mongodb.com</customfieldvalue>
            <customfieldvalue>wongsolo</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hrlz7r:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hrwotz:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>104813</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_23361" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Requested By</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10750" key="com.atlassian.jira.plugin.system.customfieldtypes:textarea">
                        <customfieldname>Steps To Reproduce</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>&lt;p&gt;Ensure there is already a user with userAdminAnyDatabase privilege.&lt;br/&gt;
Run mongod with --auth option&lt;br/&gt;
Open mongo shell&lt;br/&gt;
use admin&lt;br/&gt;
db.auth(&amp;lt;superusername&amp;gt;,&amp;lt;superuserpw&amp;gt;)&lt;br/&gt;
use try&lt;br/&gt;
db.addUser(&lt;/p&gt;
{user:&quot;a&quot;,pwd:&quot;a&quot;,roles:[&quot;userAdmin&quot;]}
&lt;p&gt;)&lt;br/&gt;
db.auth(&quot;a&quot;,&quot;a&quot;)&lt;br/&gt;
db.removeUser(&quot;a&quot;)&lt;br/&gt;
db.addUser(&lt;/p&gt;
{user:&quot;a&quot;,pwd:&quot;b&quot;,roles:[&quot;read&quot;]}
&lt;p&gt;)&lt;br/&gt;
Check whether user b is added&lt;/p&gt;</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hs9ysv:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>