Type: Task
Resolution: Done
Priority: Major - P3
Component/s: None
Most drivers that provide an addUser helper also support updating users through that helper. With MongoDB 2.6, the usersInfo command is used to determine whether the addUser helper should call createUser or updateUser when passed a given username. Starting with MongoDB 2.7.0, the scope of the localhost exception for authentication was dramatically narrowed. It is no longer possible to call the usersInfo command unauthenticated, even when the localhost exception is in effect. Any driver that calls usersInfo in its addUser helper can no longer be used to add the first admin user while the localhost exception is in effect:
>>> c = pymongo.MongoClient()
>>> try:
...     c.admin.add_user('admin', 'pass', roles=['root'])
... except Exception as exc:
...     print exc.details
...
{u'code': 13, u'ok': 0.0, u'errmsg': u'not authorized on admin to execute command { usersInfo: "admin" }'}
>>>
>>> c.admin.command('createUser', 'admin', pwd='pass', roles=['root'])
{u'ok': 1.0}
>>> c.admin.authenticate('admin', 'pass')
True
>>> c.server_info()['version']
u'2.7.2'
A workaround for this issue is to catch the exception and call createUser if the error code is 13 (Unauthorized). Any exception from the createUser call should propagate to the user application.
https://github.com/mongodb/mongo/blob/master/src/mongo/base/error_codes.err
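The workaround above, sketched as an added example (not code from any driver or from this ticket). OperationFailure, FakeAdminDB and this add_user are hypothetical stand-ins constructed here so the logic runs without a server; only the command names and error code 13 come from the ticket.

```python
UNAUTHORIZED = 13  # error code from the session above

class OperationFailure(Exception):
    """Constructed stand-in for a driver's command-failure exception."""
    def __init__(self, errmsg, code):
        super().__init__(errmsg)
        self.code = code

class FakeAdminDB:
    """Constructed model of the admin database on MongoDB >= 2.7.1."""
    def __init__(self):
        self.users = {}             # name -> (pwd, roles)
        self.authenticated = False  # set True to model a logged-in admin

    def command(self, name, user, **opts):
        if name == "usersInfo":
            # Refused when unauthenticated, even under the localhost exception.
            if not self.authenticated:
                raise OperationFailure("not authorized on admin", UNAUTHORIZED)
            return {"users": [user] if user in self.users else [], "ok": 1.0}
        # createUser / updateUser: allowed when authenticated, or (createUser
        # only) while the localhost exception holds, i.e. no users exist yet.
        first_user = name == "createUser" and not self.users
        if not (self.authenticated or first_user):
            raise OperationFailure("not authorized on admin", UNAUTHORIZED)
        self.users[user] = (opts["pwd"], opts["roles"])
        return {"ok": 1.0}

def add_user(db, name, password, roles):
    """Create or update a user; returns the command that was issued."""
    try:
        info = db.command("usersInfo", name)
    except OperationFailure as exc:
        if exc.code != UNAUTHORIZED:
            raise
        # usersInfo was refused: assume this may be the first user and try
        # createUser. Any failure here propagates to the caller unchanged.
        db.command("createUser", name, pwd=password, roles=roles)
        return "createUser"
    cmd = "updateUser" if info["users"] else "createUser"
    db.command(cmd, name, pwd=password, roles=roles)
    return cmd

if __name__ == "__main__":
    db = FakeAdminDB()
    print(add_user(db, "admin", "pass", ["root"]))  # first user, via fallback
```

Once a user exists, an unauthenticated caller gets code 13 from both usersInfo and the fallback createUser, so the helper fails closed instead of masking the authorization error.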
depends on
- CDRIVER-642 Work around localhost exception issues in add_user when connected to MongoDB >= 2.7.1 (Closed)
- CXX-178 Add Security Helper Methods (Closed)
- CSHARP-1090 Work around localhost exception issues in addUser helpers (Closed)
- PYTHON-714 Work around localhost exception issues in add_user when connected to MongoDB >= 2.7.1 (Closed)
- RUBY-782 Change add_user helper command to work with narrowed localhost exception. (Closed)
- JAVA-1528 Work around localhost exception issues in addUser helpers (Closed)

is related to
- DRIVERS-127 Deprecate "addUser" helpers in favor of "createUser" and "updateUser" helpers (Closed)
- DRIVERS-162 Work around reduction of localhost exception permissions in MongoDB >= 2.7.1 (Closed)
- SERVER-12621 Reduce localhost exception permissions (Closed)