- Type: Bug
- Resolution: Done
- Priority: Critical - P2
- Affects Version/s: None
- Component/s: None
The admin database is unique. Users with normal access to the admin database have read and write access to all databases. Users with read only access to the admin database have read only access to all databases.
Pymongo mongo_client does this:
    # Once logged into the admin database we can access anything.
    if "admin" in authset:
        return

    if "admin" in self.__auth_credentials:
        username, password = self.__auth_credentials["admin"]
        self.__auth(sock_info, 'admin', username, password)
        authset.add('admin')
    else:
        for db_name in names - authset:
            user, pwd = self.__auth_credentials[db_name]
            self.__auth(sock_info, db_name, user, pwd)
            authset.add(db_name)
It seems to make the assumption that auth'ing to the admin database is sufficient. This is incorrect in the case where the user has write access to a single database, and read access to all other databases.
The code above should probably just be replaced with:
    for db_name in names - authset:
        user, pwd = self.__auth_credentials[db_name]
        self.__auth(sock_info, db_name, user, pwd)
        authset.add(db_name)
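The difference between the two loops, as an added example that is not part of the original ticket or of PyMongo: a constructed credentials cache holds a read-only admin user and a read/write user on one database, and both strategies are run against a stand-in connection. `FakeSocket`, the user names, and the simplified privilege model are assumptions made for illustration.

```python
def short_circuit_auth(credentials, authset, auth):
    """Logic quoted in the ticket: an admin login is treated as sufficient."""
    names = set(credentials)
    if "admin" in authset:
        return
    if "admin" in credentials:
        user, pwd = credentials["admin"]
        auth("admin", user, pwd)
        authset.add("admin")
    else:
        for db_name in names - authset:
            user, pwd = credentials[db_name]
            auth(db_name, user, pwd)
            authset.add(db_name)

def per_database_auth(credentials, authset, auth):
    """Replacement proposed in the ticket: authenticate every cached database."""
    for db_name in sorted(set(credentials) - authset):
        user, pwd = credentials[db_name]
        auth(db_name, user, pwd)
        authset.add(db_name)

class FakeSocket:
    """Constructed stand-in for a server connection (hypothetical, not PyMongo)."""
    # Constructed users: read-only on admin, read/write on the 'app' database.
    USERS = {("admin", "auditor"): "read", ("app", "writer"): "readWrite"}

    def __init__(self):
        self.authset = set()
        self.roles = {}

    def auth(self, db_name, user, pwd):
        self.roles[db_name] = self.USERS[(db_name, user)]

    def can_write(self, db_name):
        # Per the ticket: admin access extends to all databases at the same level.
        return "readWrite" in (self.roles.get(db_name), self.roles.get("admin"))

def run(strategy):
    """Apply one strategy to the constructed cache; report authset and write access."""
    sock = FakeSocket()
    cache = {"admin": ("auditor", "pw"), "app": ("writer", "pw")}
    strategy(cache, sock.authset, sock.auth)
    return sock.authset, sock.can_write("app")

if __name__ == "__main__":
    print("short-circuit:", run(short_circuit_auth))
    print("per-database: ", run(per_database_auth))
```

With the short-circuit logic the connection ends up authenticated only to admin and cannot write to `app`, even though a read/write credential for `app` is cached.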
- is depended on by
  DRIVERS-69 Support greedy authentication (Closed)