- Start up a 3.0.6 sharded cluster
mlaunch init --sharded 1 --single --auth --port 29070 --smallfiles --config 1
- Connect to the config server and authenticate
- Increase logLevel to 1
- Create a new user (modelled on the requirements for Cloud Manager monitoring)
db.createUser({user:"monitor", pwd:"monitor", roles:[{role:"clusterMonitor", db:"admin"}]})
- Authenticate as the monitor user and try a query on local.oplog.$main in the config server. It fails, but the log lines are strange
configsvr> db.oplog.$main.find().sort({$natural:1}).skip(0).limit(-1)
Error: error: { "$err" : "not authorized for query on local.oplog.$main", "code" : 13 }
configsvr> show log
...
2015-09-07T16:06:05.447+1000 [conn12] User Assertion: 13:not authorized for query on admin.oplog.$main
2015-09-07T16:06:05.448+1000 [conn12] assertion 13 not authorized for query on admin.oplog.$main ns:admin.oplog.$main query:{ query: {}, orderby: { $natural: 1.0 } }
2015-09-07T16:06:05.448+1000 [conn12] ntoskip:0 ntoreturn:-1
2015-09-07T16:06:05.448+1000 [conn12] query keyUpdates:0 exception: not authorized for query on admin.oplog.$main code:13 numYields:0 reslen:91 0ms
Specifically the last 2 lines, which look like normal query log lines, except without logging the actual query part.
- Removing the limit(-1) makes the extra line go away
configsvr> db.oplog.$main.find().sort({$natural:1}).skip(0)
...
2015-09-07T16:06:49.905+1000 [conn12] User Assertion: 13:not authorized for query on admin.oplog.$main
2015-09-07T16:06:49.906+1000 [conn12] assertion 13 not authorized for query on admin.oplog.$main ns:admin.oplog.$main query:{ query: {}, orderby: { $natural: 1.0 } }
2015-09-07T16:06:49.906+1000 [conn12] query keyUpdates:0 exception: not authorized for query on admin.oplog.$main code:13 numYields:0 reslen:91 0ms
- Auth as a user that does have permissions to read this collection, and run the original query
2015-09-07T15:56:47.909+1000 I QUERY [conn9] query local.oplog.$main query: { query: {}, orderby: { $natural: 1.0 } } planSummary: COLLSCAN ntoskip:0 nscanned:0 nscannedObjects:1 keyUpdates:0 writeConflicts:0 numYields:0 nreturned:1 reslen:64 locks:{ Global: { acquireCount: { r: 2 } }, MMAPV1Journal: { acquireCount: { r: 1 } }, Database: { acquireCount: { r: 1 } }, Collection: { acquireCount: { R: 1 } } } 0ms
ntoreturn is not logged.
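For anyone alerting on code 13 authorization failures from these logs, the following is an added example (not part of the original report and not MongoDB code) that stitches the assertion line, the stray counter line and the truncated summary line back into one event per connection. The function name and the regular expressions are assumptions fitted only to the log lines quoted above.

```python
import re

# Log lines copied from the report above ("show log" output on the 3.0.6 config server).
SAMPLE = """\
2015-09-07T16:06:05.447+1000 [conn12] User Assertion: 13:not authorized for query on admin.oplog.$main
2015-09-07T16:06:05.448+1000 [conn12] assertion 13 not authorized for query on admin.oplog.$main ns:admin.oplog.$main query:{ query: {}, orderby: { $natural: 1.0 } }
2015-09-07T16:06:05.448+1000 [conn12] ntoskip:0 ntoreturn:-1
2015-09-07T16:06:05.448+1000 [conn12] query keyUpdates:0 exception: not authorized for query on admin.oplog.$main code:13 numYields:0 reslen:91 0ms
"""

# Patterns are assumptions derived from the lines above, not an official log grammar.
LINE = re.compile(r"^(?P<ts>\S+) (?:[A-Z] \S+\s+)?\[(?P<conn>[^\]]+)\] (?P<msg>.*)$")
ASSERT = re.compile(r"^assertion (?P<code>\d+) .*? ns:(?P<ns>\S+) query:(?P<query>.*)$")
SUMMARY = re.compile(r"^(?P<op>query|getmore|command)\s.*\bcode:(?P<code>\d+)\b")
ORPHAN = re.compile(r"^(?:nto\w+:-?\d+\s*)+$")  # counters with no op type or namespace


def failed_operations(text):
    """Return one event per failed operation, keyed by connection while in flight."""
    pending, events = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        conn, msg = m["conn"], m["msg"]
        if (a := ASSERT.match(msg)):
            # The assertion line is the only one carrying the namespace and the query.
            pending[conn] = {"ts": m["ts"], "conn": conn, "code": int(a["code"]),
                             "ns": a["ns"], "query": a["query"], "fragments": []}
        elif ORPHAN.match(msg) and conn in pending:
            pending[conn]["fragments"].append(msg)  # the stray ntoskip/ntoreturn line
        elif (s := SUMMARY.match(msg)) and conn in pending:
            event = pending.pop(conn)
            event["op"] = s["op"]
            events.append(event)
    return events
```

A non-empty `fragments` list marks an event whose summary was split across lines, as in the `limit(-1)` case.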