Uploaded image for project: 'Python Driver'
  1. Python Driver
  2. PYTHON-458

PyMongo doesn't correctly reauthenticate to non-admin databases when user has read-only access to admin

    • Type: Icon: Bug Bug
    • Resolution: Done
    • Priority: Icon: Critical - P2 Critical - P2
    • 2.4.2
    • Affects Version/s: None
    • Component/s: None
    • None

      The admin database is unique. Users with normal access to the admin database have read and write access to all databases. Users with read only access to the admin database have read only access to all databases.

      Pymongo mongo_client does this:

              # Once logged into the admin database we can access anything.
              if "admin" in authset:
                  return
      
              if "admin" in self.__auth_credentials:
                  username, password = self.__auth_credentials["admin"]
                  self.__auth(sock_info, 'admin', username, password)
                  authset.add('admin')
              else:
                  for db_name in names - authset:
                      user, pwd = self.__auth_credentials[db_name]
                      self.__auth(sock_info, db_name, user, pwd)
                      authset.add(db_name)
      

      It seems to make the assumption that auth'ing to the admin database is sufficient. This is incorrect in the case where the user has write access to a single database, and read access to all other databases.

      The code above should probably just be replaced with:

              for db_name in names - authset:
                  user, pwd = self.__auth_credentials[db_name]
                  self.__auth(sock_info, db_name, user, pwd)
                  authset.add(db_name)
      

            Assignee:
            bernie@mongodb.com Bernie Hackett
            Reporter:
            jblackburn James Blackburn
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: