<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 04:07:34 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-24847] Authentication on multiple databases provides collective permissions</title>
                <link>https://jira.mongodb.org/browse/SERVER-24847</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;I have two users on Mongo DB 3.2.7, a user with the root role and another user with a read-only role on the database. When I log in as root and then switch to the read-only user without exiting the shell, MongoDB allows me to run and execute root-level commands even though I am logged in as the read-only user. To reproduce the problem, do the following.&lt;/p&gt;

&lt;p&gt;I logged in as the user with root access using&lt;/p&gt;

&lt;p&gt;use admin&lt;br/&gt;
db.auth(&quot;rootUser&quot;,&quot;Password&quot;)&lt;br/&gt;
Run commands like show databases, show collections; everything works fine.&lt;/p&gt;

&lt;p&gt;Then, without exiting the shell, I log in as the read-only user&lt;/p&gt;

&lt;p&gt;use dbabc&lt;br/&gt;
db.auth(&quot;readOnlyUser&quot;,&quot;Password&quot;)&lt;br/&gt;
Now logged in as this user, I can drop, list DBs and perform all other root operations. I think this is very dangerous. I tried to reproduce the problem several times and it works.&lt;/p&gt;

&lt;p&gt;The only time the read-only user works as expected is when I exit the shell and then log in again as the read-only user. See the execution of commands below.&lt;/p&gt;
</description>
                <environment></environment>
        <key id="297638">SERVER-24847</key>
            <summary>Authentication on multiple databases provides collective permissions</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="9">Done</resolution>
                                        <assignee username="kelsey.schubert@mongodb.com">Kelsey Schubert</assignee>
                                    <reporter username="sneceesay77">SC</reporter>
                        <labels>
                    </labels>
                <created>Thu, 30 Jun 2016 11:39:02 +0000</created>
                <updated>Fri, 9 Sep 2016 21:04:00 +0000</updated>
                            <resolved>Thu, 30 Jun 2016 15:57:53 +0000</resolved>
                                                                    <component>Security</component>
                                        <votes>0</votes>
                                    <watches>9</watches>
                <comments>
                            <comment id="1359191" author="thomas.schubert" created="Wed, 17 Aug 2016 03:35:52 +0000"  >&lt;p&gt;Hi &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=sneceesay77&quot; class=&quot;user-hover&quot; rel=&quot;sneceesay77&quot;&gt;sneceesay77&lt;/a&gt;,&lt;/p&gt;

&lt;p&gt;To address some of your concerns, I&apos;ve opened a ticket to improve our documentation around this behavior. Please feel free to vote for &lt;a href=&quot;https://jira.mongodb.org/browse/DOCS-8620&quot; title=&quot;Clarify that authentication on multiple databases will provide collective permissions&quot; class=&quot;issue-link&quot; data-issue-key=&quot;DOCS-8620&quot;&gt;&lt;del&gt;DOCS-8620&lt;/del&gt;&lt;/a&gt; and watch it for updates.&lt;/p&gt;

&lt;p&gt;Best regards,&lt;br/&gt;
Thomas&lt;/p&gt;</comment>
                            <comment id="1310954" author="sneceesay77" created="Thu, 30 Jun 2016 16:37:39 +0000"  >&lt;p&gt;Hi Thomas, &lt;/p&gt;

&lt;p&gt;Thank you for the reply, but is this behaviour safe?&lt;/p&gt;

&lt;p&gt;What if someone runs db.coll.drop() on a production db thinking he was logged in as a limited user?&lt;/p&gt;

&lt;p&gt;Thanks. &lt;br/&gt;
SC.&lt;/p&gt;</comment>
                            <comment id="1310897" author="thomas.schubert" created="Thu, 30 Jun 2016 15:57:43 +0000"  >&lt;p&gt;Hi &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=sneceesay77&quot; class=&quot;user-hover&quot; rel=&quot;sneceesay77&quot;&gt;sneceesay77&lt;/a&gt;,&lt;/p&gt;

&lt;p&gt;Thank you for the report. This is expected behavior. You can be logged in on different databases with several users concurrently in the shell. In this case, you will have the collective permissions of all authenticated users.&lt;/p&gt;

&lt;p&gt;If you do not want to be authenticated on a particular database you can execute &lt;a href=&quot;https://docs.mongodb.com/manual/reference/method/db.logout/&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;db.logout()&lt;/a&gt; on the same database.&lt;/p&gt;

&lt;p&gt;Kind regards,&lt;br/&gt;
Thomas&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                        <issuelink>
            <issuekey id="309536">DOCS-8620</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>3.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Thu, 30 Jun 2016 13:19:35 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        7 years, 26 weeks, 1 day ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>kelsey.schubert@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            7 years, 26 weeks, 1 day ago
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10032" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Operating System</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10026"><![CDATA[ALL]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>kelsey.schubert@mongodb.com</customfieldvalue>
            <customfieldvalue>sneceesay77</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hrk3vz:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hsn1nb:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10750" key="com.atlassian.jira.plugin.system.customfieldtypes:textarea">
                        <customfieldname>Steps To Reproduce</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>&lt;p&gt;&amp;gt; db.auth(&quot;admin&quot;,&quot;adminPassword&quot;)&lt;br/&gt;
&amp;gt; show databases&lt;br/&gt;
admin          0.000GB&lt;br/&gt;
main db       11.843GB&lt;br/&gt;
anotherdatab   9.025GB&lt;br/&gt;
anotherdata1   0.008GB&lt;br/&gt;
local          0.000GB&lt;br/&gt;
school         0.734GB&lt;br/&gt;
test           0.000GB&lt;br/&gt;
&amp;gt; use readonlydb&lt;br/&gt;
switched to db readonlydb&lt;br/&gt;
&amp;gt; db.auth(&quot;readonlyuser&quot;,&quot;readonlypass&quot;)&lt;br/&gt;
1&lt;br/&gt;
&amp;gt; show databases&lt;br/&gt;
admin          0.000GB&lt;br/&gt;
maindb        11.843GB&lt;br/&gt;
anotherdatab   9.025GB&lt;br/&gt;
anotherdata1   0.008GB&lt;br/&gt;
local          0.000GB&lt;br/&gt;
school         0.734GB&lt;br/&gt;
test           0.000GB&lt;/p&gt;</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                    <customfieldvalue><![CDATA[kelsey.schubert@mongodb.com]]></customfieldvalue>
    

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hsetnb:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>