<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 03:05:31 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-4275] in sharded cluster, authentication not enforced from localhost even with admin user set</title>
                <link>https://jira.mongodb.org/browse/SERVER-4275</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;If a mongod has authentication on but no admin user, then connections are allowed from localhost, on purpose.&lt;br/&gt;
Sun Nov 13 17:04:47 &lt;span class=&quot;error&quot;&gt;&amp;#91;conn1&amp;#93;&lt;/span&gt; note: no users configured in admin.system.users, allowing localhost access&lt;/p&gt;

&lt;p&gt;But if you have a sharded environment, the admin user is stored in the config db.&lt;br/&gt;
So even if there is an admin user, individual mongods don&apos;t know about it and let you query from localhost.&lt;br/&gt;
This seems like a security hole; do we need to allow free localhost access in any circumstance?&lt;br/&gt;
Also it means that a lot of our tests using authentication pass even though they shouldn&apos;t, because authentication is not really enforced (e.g. sharded map/reduce).&lt;/p&gt;</description>
                <environment></environment>
        <key id="24885">SERVER-4275</key>
            <summary>in sharded cluster, authentication not enforced from localhost even with admin user set</summary>
                <type id="6" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14720&amp;avatarType=issuetype">Question</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="9">Done</resolution>
                                        <assignee username="-1">Unassigned</assignee>
                                    <reporter username="antoine">Antoine Girbal</reporter>
                        <labels>
                    </labels>
                <created>Mon, 14 Nov 2011 17:11:51 +0000</created>
                <updated>Wed, 10 Dec 2014 23:10:56 +0000</updated>
                            <resolved>Thu, 18 Apr 2013 20:24:05 +0000</resolved>
                                                                    <component>Security</component>
                                        <votes>2</votes>
                                    <watches>6</watches>
                                                                                                                <comments>
                            <comment id="316554" author="schwerin" created="Thu, 18 Apr 2013 20:24:05 +0000"  >&lt;p&gt;Replicasets representing shards in a sharded cluster maintain their own authentication information, rather than using the cluster data.  Every replicaset has its own admin database, plus the cluster has one (stored in the config servers).  In this sense, the admin user isn&apos;t really &quot;set&quot; on the replicasets.&lt;/p&gt;

&lt;p&gt;Changing the design so that shard servers use the cluster-wide auth data depends at least on &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-8509&quot; title=&quot;add startup parameter to mongod to specify config servers&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-8509&quot;&gt;&lt;del&gt;SERVER-8509&lt;/del&gt;&lt;/a&gt;.&lt;/p&gt;</comment>
                            <comment id="316548" author="schwerin" created="Thu, 18 Apr 2013 20:19:16 +0000"  >&lt;p&gt;Beginning in 2.4, the DBA may disable the localhost exception at startup.&lt;br/&gt;
&lt;a href=&quot;http://docs.mongodb.org/manual/reference/parameters/#param.enableLocalhostAuthBypass&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;http://docs.mongodb.org/manual/reference/parameters/#param.enableLocalhostAuthBypass&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="66639" author="antoine" created="Mon, 14 Nov 2011 20:12:45 +0000"  >&lt;p&gt;Yes, disabling if --keyFile is on may be better, as long as it does not apply to mongos also.&lt;br/&gt;
Either way it&apos;s a simple fix; it seems important for security and would fix our auth testing. Can we implement it soon?&lt;/p&gt;</comment>
                            <comment id="66626" author="kristina" created="Mon, 14 Nov 2011 19:09:28 +0000"  >&lt;p&gt;For now, tests might be able to get around this by adding an admin user on each shard (hacky, but it would probably work).&lt;/p&gt;

&lt;p&gt;I&apos;d rather not have local access be a function of --shardsvr, as it would make security dependent on people getting their flags right (as --shardsvr isn&apos;t required, it would be easy for someone to accidentally have half their set secure and half wide-open).&lt;/p&gt;

&lt;p&gt;A similar idea: we could disallow local access if the server was started with --keyFile.  &lt;/p&gt;

&lt;p&gt;I think (eventually) getting rid of localhost access altogether is a good idea.&lt;/p&gt;</comment>
                            <comment id="66590" author="antoine" created="Mon, 14 Nov 2011 17:36:55 +0000"  >&lt;p&gt;One easy fix that retains the original intent is to remove the auth localhost bypass if --shardsvr is on.&lt;br/&gt;
All admin should be done through mongos anyway, which will have the same behavior as a single mongod server.&lt;/p&gt;</comment>
                    </comments>
                    <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>5.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Mon, 14 Nov 2011 19:09:28 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                            10 years, 43 weeks, 6 days ago
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>false</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>ramon.fernandez@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            10 years, 43 weeks, 6 days ago
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10000" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Old_Backport</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10000"><![CDATA[No]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>schwerin@mongodb.com</customfieldvalue>
                            <customfieldvalue>antoine</customfieldvalue>
                            <customfieldvalue>kristina</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hrolov:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hrg2zb:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>7385</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_23361" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Requested By</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|ht03p3:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                </customfields>
    </item>
</channel>
</rss>