Critical - P2 Issue Status as of Jul 18, 2014
ISSUE SUMMARY
When both audit and authentication are enabled in a sharded cluster it is not possible to read from secondaries.
USER IMPACT
Attempts to read from a secondary fail with an error.
WORKAROUNDS
Users can read from primary nodes instead.
AFFECTED VERSIONS
MongoDB production releases in the 2.6 series up to 2.6.3 (inclusive) are affected by this issue.
FIX VERSION
The fix is included in the 2.6.4 production release.
RESOLUTION DETAILS
Do not invoke the runCommand hook when executing authentication commands. Executing this hook leads to commands that cannot be run by unauthenticated users, which prevents authentication of connections when auditing is enabled.
Original description
- Start a sharded cluster with audit and authentication enabled using MongoDB 2.6 enterprise.
- Create a user in the admin database with root role.
- Authenticate with this user.
- Insert a document to test database.
- Set read preference to secondary and it will fail to query the document.
- Set read preference to primary and it will return the document.
mongos> db.auth("root","root") 1 mongos> use test switched to db test mongos> db.docs.insert({x:1}) WriteResult({ "nInserted" : 1 }) mongos> db.getMongo().setReadPref('secondary' ); mongos> db.docs.findOne() 2014-06-04T22:26:36.647-0400 error: { "$err" : "not authorized for query on test.docs", "code" : 13 } at src/mongo/shell/query.js:131 mongos> db.getMongo().setReadPref('primary' ); mongos> db.docs.findOne() { "_id" : ObjectId("538fd55871f795733df60f5d"), "x" : 1 }