Core Server / SERVER-8144

Authenticating as 2 users on the same database should cause the first user's privileges to be replaced by the second user's but doesn't

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • 2.4.0-rc0
    • Affects Version/s: 2.3.2
    • Component/s: Security
    • None
    • ALL

      ./mongo
      Thu Jan 10 17:39:07.837 kern.sched unavailable
      MongoDB shell version: 2.3.2-pre-
      dconnecting to: test
      Thu Jan 10 17:39:08.198 javascript execution failed src/mongo/shell/utils.js:1595 don't know how to show [startupWarnings]
      throw "don't know how to show [" + what + "]";
                                              ^
      
      test[17:39:8]> db.auth('bob','password')
      1
      test[17:39:14]> db.foo.find()
      Fetched 0 record(s) in 2ms
      test[17:39:16]> db.foo.insert({a:1})
      not authorized for insert on test.foo
      test[17:39:20]> db.foo.find()
      Fetched 0 record(s) in 1ms
      test[17:39:21]> db.logout()
      { "ok": 1 }
      test[17:39:26]> db.foo.find()
      error: {
              "$err": "not authorized for query on test.foo",
              "code": 16550
      }
      test[17:39:28]> db.auth('spencer','password')
      1
      test[17:39:33]> db.system.users.find()
      { "_id": ObjectId("50ef418c880af0f87bf98eb2"), "user": "spencer", "pwd": "22c83553ed7ce252d8b0c9f716cae4de", "roles": [ "readWrite", "dbAdmin", "userAdmin" ] }
      { "_id": ObjectId("50ef4197880af0f87bf98eb3"), "user": "bob", "pwd": "039ba486774a40d3e31be457098499fc", "roles": [ "read" ] }
      Fetched 2 record(s) in 16ms
      test[17:39:37]> db.foo.insert({a:1})
      Inserted 1 record(s) in NaNms
      test[17:39:42]> db.foo.find()
      { "_id": ObjectId("50ef432ead82c26214defead"), "a": 1 }
      Fetched 1 record(s) in 2ms
      test[17:39:44]> db.auth('bob','password')
      1
      test[17:39:49]> db.foo.insert({a:1}); // This should fail since bob is read-only, but will succeed
      Inserted 1 record(s) in NaNms
      test[17:40:6]> db.foo.find()
      { "_id": ObjectId("50ef432ead82c26214defead"), "a": 1 }
      { "_id": ObjectId("50ef4346ad82c26214defeae"), "a": 1 }
      Fetched 2 record(s) in 3ms
      
      

            Assignee: Andy Schwerin (schwerin@mongodb.com)
            Reporter: Spencer Brody (Inactive) (spencer@mongodb.com)
            Votes: 0
            Watchers: 3

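The difference between the reported and the expected behaviour, as an added example that is not part of the original report and is not MongoDB's code. It is a toy model of one connection's authorization state that replays the session above. The Connection class, the replaceOnAuth switch, the replay function and the role-to-action table are assumptions made for illustration, and password checking is not modelled.

```javascript
// Toy model of one connection's auth state (added illustration, not MongoDB source).
// Simplified role mapping covering only the two operations used in the transcript.
const ROLE_ACTIONS = { read: ["find"], readWrite: ["find", "insert"], dbAdmin: [], userAdmin: [] };

// Constructed user table mirroring the roles shown by db.system.users.find().
const USERS = { spencer: ["readWrite", "dbAdmin", "userAdmin"], bob: ["read"] };

class Connection {
  // replaceOnAuth = false models the reported behaviour, true the expected one.
  constructor(replaceOnAuth) {
    this.replaceOnAuth = replaceOnAuth;
    this.principals = new Map(); // database name -> Set of authenticated user names
  }
  auth(db, user) {
    if (!Object.prototype.hasOwnProperty.call(USERS, user)) return false;
    if (this.replaceOnAuth || !this.principals.has(db)) this.principals.set(db, new Set());
    this.principals.get(db).add(user);
    return true;
  }
  logout(db) {
    this.principals.delete(db);
  }
  // An action is allowed if any principal held for this database has a role granting it.
  isAuthorized(db, action) {
    const held = this.principals.get(db) || new Set();
    return [...held].some((u) => USERS[u].some((r) => ROLE_ACTIONS[r].includes(action)));
  }
}

// Replays the session: bob, logout, spencer, bob again. Records each authorization decision.
function replay(replaceOnAuth) {
  const conn = new Connection(replaceOnAuth);
  const out = {};
  conn.auth("test", "bob");
  out.bobFirstInsert = conn.isAuthorized("test", "insert");
  conn.logout("test");
  out.findAfterLogout = conn.isAuthorized("test", "find");
  conn.auth("test", "spencer");
  out.spencerInsert = conn.isAuthorized("test", "insert");
  conn.auth("test", "bob"); // no logout in between, as in the transcript
  out.bobSecondInsert = conn.isAuthorized("test", "insert");
  out.bobSecondFind = conn.isAuthorized("test", "find");
  return out;
}

console.log("accumulating:", replay(false));
console.log("replacing:   ", replay(true));
```

With replaceOnAuth set to false, the last insert is authorized because spencer's readWrite role is still held on the connection; with it set to true, bob keeps find but loses insert.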