Subject: [mongodb-user] Difference in enableLocalhostAuthBypass between 2.6->3.4 mongo

Hello devs,
I have a question regarding enableLocalhostAuthBypass behaviour on the recent mongodb-org-server 3.4.7 version.

Here is a preface: there is code that leverages puppetlabs-mongodb manifests with 2.6 mongo. Basically what it does:
- install mongo
- set up .mongorc
- create the replica set
- create admin_user

I'm trying to execute the same logic, but for 3.4.x mongo, and it's failing on the "create replica set" step.

The Puppet provider tries to run this command:

    /usr/bin/mongo admin --host 127.0.0.1:27017 --eval "load('/root/.mongorc.js'); printjson(rs.conf())"

And it's failing with:

    MongoDB shell version v3.4.7
    connecting to: mongodb://127.0.0.1:27017/admin
    MongoDB server version: 3.4.7
    Error: Authentication failed.
    2017-08-09T22:24:00.155+0000 E QUERY    [thread1] Error: Could not retrieve replica set config: {
            "ok" : 0,
            "errmsg" : "not authorized on admin to execute command { replSetGetConfig: 1.0 }",
            "code" : 13,
            "codeName" : "Unauthorized"
    } :
    rs.conf@src/mongo/shell/utils.js:1276:11
    @(shell eval):1:38

Here is a trace through the code:

src/mongo/db/commands.cpp:

    static Status _checkAuthorizationImpl
      Status status = c->checkAuthForOperation
         checkAuthForCommand
               if (AuthorizationSession::get(client)->isAuthorizedForPrivileges(privileges))

src/mongo/db/auth/authorization_session.cpp:

    bool AuthorizationSession::isAuthorizedForPrivileges(const vector<Privilege>& privileges) {
        if (_externalState->shouldIgnoreAuthChecks())
            return true;

        for (size_t i = 0; i < privileges.size(); ++i) {
            if (!_isAuthorizedForPrivilege(privileges[i]))
                return false;
        }

        return true;
    }

And here is where the tricky part starts: shouldIgnoreAuthChecks returns true if:

    bool AuthzSessionExternalStateMongod::shouldIgnoreAuthChecks() const {
        // TODO(spencer): get "isInDirectClient" from OperationContext
        return cc().isInDirectClient() ||
            AuthzSessionExternalStateServerCommon::shouldIgnoreAuthChecks();
    }

shouldIgnoreAuthChecks just checks whether auth is enabled (return !_authzManager->isAuthEnabled();), and that's not our case. isInDirectClient is harder, but basically it is initialised before .startRequest() and set to true via getClient()->setInDirectClient(true) in the constructor. So I don't understand why _externalState->shouldIgnoreAuthChecks returns false.


The second part, _isAuthorizedForPrivilege(), ends up in src/mongo/db/auth/authorization_session.cpp:

    PrivilegeVector AuthorizationSession::getDefaultPrivileges() {
        PrivilegeVector defaultPrivileges;

where only a small set of privileges is allowed, and that set doesn't include replSetGetConfig, which rs.conf() invokes under the hood. This is actually new code; mongo 2.6 doesn't have it, so rs.conf() works there without auth on an empty database.

So, my questions are:
- Is rs.conf() supposed to work with enableLocalhostAuthBypass: 1 on an empty db, as it did on mongo 2.6?
- Why doesn't shouldIgnoreAuthChecks() handle localhost/unix socket connections? Is it a bug or a feature?


Here is the mongo config:

    # mongod.conf

    # where to write logging data.
    systemLog:
      destination: file
      logAppend: true
      path: /var/log/mongodb/mongod.log
      verbosity: 3

    # network interfaces
    net:
      port: 27017
      bindIp: 127.0.0.1

    security.authorization: enabled
    security.keyFile: /etc/mongodb.key

    #replication:
    replication.replSetName: ceilometer

    setParameter:
        enableLocalhostAuthBypass: 1

And here are the logs when trying to execute the command:

    /usr/bin/mongo admin --host 127.0.0.1:27017 --eval "load('/root/.mongorc.js'); printjson(rs.conf())"

    2017-08-09T23:04:26.113+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:57468 #1 (1 connection now open)
    2017-08-09T23:04:26.113+0000 I ACCESS   [conn1] note: no users configured in admin.system.users, allowing localhost access
    2017-08-09T23:04:26.113+0000 D COMMAND  [conn1] run command admin.$cmd { isMaster: 1, client: { application: { name: "MongoDB Shell" }, driver: { name: "MongoDB Internal Client", version: "3.4.7" }, os: { type: "Linux", name: "Ubuntu", architecture: "x86_64", version: "16.04" } } }
    2017-08-09T23:04:26.113+0000 I NETWORK  [conn1] received client metadata from 127.0.0.1:57468 conn1: { application: { name: "MongoDB Shell" }, driver: { name: "MongoDB Internal Client", version: "3.4.7" }, os: { type: "Linux", name: "Ubuntu", architecture: "x86_64", version: "16.04" } }
    2017-08-09T23:04:26.113+0000 D NETWORK  [conn1] Starting server-side compression negotiation
    2017-08-09T23:04:26.113+0000 I COMMAND  [conn1] command admin.$cmd appName: "MongoDB Shell" command: isMaster { isMaster: 1, client: { application: { name: "MongoDB Shell" }, driver: { name: "MongoDB Internal Client", version: "3.4.7" }, os: { type: "Linux", name: "Ubuntu", architecture: "x86_64", version: "16.04" } } } numYields:0 reslen:267 locks:{ Global: { acquireCount: { r: 4 } }, Database: { acquireCount: { r: 2 } }, Collection: { acquireCount: { r: 2 } } } protocol:op_query 0ms
    2017-08-09T23:04:26.113+0000 D COMMAND  [conn1] run command admin.$cmd { whatsmyuri: 1 }
    2017-08-09T23:04:26.113+0000 I COMMAND  [conn1] command admin.$cmd appName: "MongoDB Shell" command: whatsmyuri { whatsmyuri: 1 } numYields:0 reslen:47 locks:{ Global: { acquireCount: { r: 4 } }, Database: { acquireCount: { r: 2 } }, Collection: { acquireCount: { r: 2 } } } protocol:op_command 0ms
    2017-08-09T23:04:26.114+0000 D COMMAND  [conn1] run command admin.$cmd { buildinfo: 1.0 }
    2017-08-09T23:04:26.114+0000 I COMMAND  [conn1] command admin.$cmd appName: "MongoDB Shell" command: buildInfo { buildinfo: 1.0 } numYields:0 reslen:1249 locks:{ Global: { acquireCount: { r: 4 } }, Database: { acquireCount: { r: 2 } }, Collection: { acquireCount: { r: 2 } } } protocol:op_command 0ms
    2017-08-09T23:04:26.114+0000 D COMMAND  [conn1] run command admin.$cmd { getCmdLineOpts: 1.0 }
    2017-08-09T23:04:26.114+0000 I ACCESS   [conn1] Unauthorized: not authorized on admin to execute command { getCmdLineOpts: 1.0 }
    2017-08-09T23:04:26.114+0000 D -        [conn1] User Assertion: 13:not authorized on admin to execute command { getCmdLineOpts: 1.0 } src/mongo/db/commands/dbcommands.cpp 1344
    2017-08-09T23:04:26.114+0000 D COMMAND  [conn1] assertion while executing command 'getCmdLineOpts' on database 'admin' with arguments '{ getCmdLineOpts: 1.0 }' and metadata '{}': 13 not authorized on admin to execute command { getCmdLineOpts: 1.0 }
    2017-08-09T23:04:26.114+0000 I COMMAND  [conn1] command admin.$cmd appName: "MongoDB Shell" command: getCmdLineOpts { getCmdLineOpts: 1.0 } exception: not authorized on admin to execute command { getCmdLineOpts: 1.0 } code:13 numYields:0 reslen:138 locks:{ Global: { acquireCount: { r: 4 } }, Database: { acquireCount: { r: 2 } }, Collection: { acquireCount: { r: 2 } } } protocol:op_command 0ms
    2017-08-09T23:04:26.114+0000 D COMMAND  [conn1] run command admin.$cmd { isMaster: 1.0 }
    2017-08-09T23:04:26.114+0000 D NETWORK  [conn1] Starting server-side compression negotiation
    2017-08-09T23:04:26.114+0000 I COMMAND  [conn1] command admin.$cmd appName: "MongoDB Shell" command: isMaster { isMaster: 1.0 } numYields:0 reslen:252 locks:{ Global: { acquireCount: { r: 4 } }, Database: { acquireCount: { r: 2 } }, Collection: { acquireCount: { r: 2 } } } protocol:op_command 0ms
    2017-08-09T23:04:26.115+0000 D COMMAND  [conn1] run command admin.$cmd { saslStart: 1, mechanism: "SCRAM-SHA-1", payload: "xxx" }
    2017-08-09T23:04:26.115+0000 I ACCESS   [conn1] SCRAM-SHA-1 authentication failed for admin on admin from client 127.0.0.1:57468 ; UserNotFound: Could not find user admin@admin
    2017-08-09T23:04:26.115+0000 I COMMAND  [conn1] command admin.system.users appName: "MongoDB Shell" command: saslStart { saslStart: 1, mechanism: "SCRAM-SHA-1", payload: "xxx" } numYields:0 reslen:102 locks:{ Global: { acquireCount: { r: 6 } }, Database: { acquireCount: { r: 3 } }, Collection: { acquireCount: { r: 3 } } } protocol:op_command 0ms
    2017-08-09T23:04:26.116+0000 D COMMAND  [conn1] run command admin.$cmd { replSetGetConfig: 1.0 }
    2017-08-09T23:04:26.116+0000 I ACCESS   [conn1] Unauthorized: not authorized on admin to execute command { replSetGetConfig: 1.0 }
    2017-08-09T23:04:26.116+0000 D -        [conn1] User Assertion: 13:not authorized on admin to execute command { replSetGetConfig: 1.0 } src/mongo/db/commands/dbcommands.cpp 1344
    2017-08-09T23:04:26.116+0000 D COMMAND  [conn1] assertion while executing command 'replSetGetConfig' on database 'admin' with arguments '{ replSetGetConfig: 1.0 }' and metadata '{ $ssm: { $secondaryOk: 1 } }': 13 not authorized on admin to execute command { replSetGetConfig: 1.0 }
    2017-08-09T23:04:26.116+0000 I COMMAND  [conn1] command admin.$cmd appName: "MongoDB Shell" command: replSetGetConfig { replSetGetConfig: 1.0 } exception: not authorized on admin to execute command { replSetGetConfig: 1.0 } code:13 numYields:0 reslen:140 locks:{ Global: { acquireCount: { r: 4 } }, Database: { acquireCount: { r: 2 } }, Collection: { acquireCount: { r: 2 } } } protocol:op_command 0ms
    2017-08-09T23:04:26.117+0000 D NETWORK  [conn1] Socket recv() conn closed? 127.0.0.1:57468
    2017-08-09T23:04:26.117+0000 D NETWORK  [conn1] SocketException: remote: 127.0.0.1:57468 error: 9001 socket exception [CLOSED] server [127.0.0.1:57468]
    2017-08-09T23:04:26.117+0000 I -        [conn1] end connection 127.0.0.1:57468 (1 connection now open)

Installed packages:
[email protected]:~/mongo# dpkg -l | grep mongo
ii  mongodb-org                        3.4.7                                      amd64        MongoDB open source document-oriented database system (metapackage)
ii  mongodb-org-mongos                 3.4.7                                      amd64        MongoDB sharded cluster query router
ii  mongodb-org-server                 3.4.7                                      amd64        MongoDB database server
ii  mongodb-org-shell                  3.4.7                                      amd64        MongoDB shell client
ii  mongodb-org-tools                  3.4.7                                      amd64        MongoDB tools


Thank you for reading 
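As an added example (not part of the original post and not MongoDB's own code): a small Python script that parses mongod 3.x-style text log lines like the ones quoted above and reports, per connection, whether the localhost exception was granted, which commands were still refused under it, and any authentication failures. That is the check a practitioner wants in a detection pipeline: the "allowing localhost access" note means an unauthenticated client was given the bypass privileges, so anything that follows on that connection deserves a look. The embedded log is constructed to match the shapes seen in this post; the second connection from 10.0.0.5 is invented to show the non-loopback case. The regexes only cover the ACCESS and NETWORK message forms seen here.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample, modelled on the mongod 3.4.7 log lines quoted in the post.
# conn2 (a non-loopback client) is invented to contrast with conn1.
SAMPLE_LOG = """\
2017-08-09T23:04:26.113+0000 I NETWORK  [thread1] connection accepted from 127.0.0.1:57468 #1 (1 connection now open)
2017-08-09T23:04:26.113+0000 I ACCESS   [conn1] note: no users configured in admin.system.users, allowing localhost access
2017-08-09T23:04:26.114+0000 I ACCESS   [conn1] Unauthorized: not authorized on admin to execute command { getCmdLineOpts: 1.0 }
2017-08-09T23:04:26.115+0000 I ACCESS   [conn1] SCRAM-SHA-1 authentication failed for admin on admin from client 127.0.0.1:57468 ; UserNotFound: Could not find user admin@admin
2017-08-09T23:04:26.116+0000 I ACCESS   [conn1] Unauthorized: not authorized on admin to execute command { replSetGetConfig: 1.0 }
2017-08-09T23:04:26.117+0000 I -        [conn1] end connection 127.0.0.1:57468 (1 connection now open)
2017-08-09T23:05:01.000+0000 I NETWORK  [thread1] connection accepted from 10.0.0.5:41000 #2 (2 connections now open)
2017-08-09T23:05:01.002+0000 I ACCESS   [conn2] Unauthorized: not authorized on admin to execute command { shutdown: 1.0 }
2017-08-09T23:05:01.003+0000 I -        [conn2] end connection 10.0.0.5:41000 (1 connection now open)
"""

# mongod 3.x text log line: <timestamp> <severity> <component> [<context>] <message>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<sev>[DIWEF]) (?P<comp>\S+)\s+\[(?P<ctx>[^\]]+)\] (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"^connection accepted from (?P<addr>\S+) #(?P<n>\d+)")
UNAUTH_RE = re.compile(r"^Unauthorized: not authorized on (?P<db>\S+) to execute command \{ (?P<cmd>\w+):")
AUTHFAIL_RE = re.compile(
    r"^(?P<mech>\S+) authentication failed for (?P<user>\S+) on (?P<db>\S+) "
    r"from client (?P<addr>\S+) ; (?P<reason>.*)$"
)
LOCALHOST_EXCEPTION_MARKER = "allowing localhost access"


@dataclass
class ConnReport:
    remote: str = "?"
    localhost_exception: bool = False
    unauthorized: list = field(default_factory=list)   # (db, command)
    auth_failures: list = field(default_factory=list)  # (user, db, error code name)


def analyze(log_text):
    """Group ACCESS events by connection; returns {"connN": ConnReport}."""
    conns = defaultdict(ConnReport)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a mongod log line (e.g. a wrapped continuation)
        msg = m["msg"]
        accepted = ACCEPT_RE.match(msg)
        if accepted:
            # The listener thread logs "#N"; the same connection later logs as [connN].
            conns["conn" + accepted["n"]].remote = accepted["addr"]
            continue
        if m["comp"] != "ACCESS":
            continue
        rep = conns[m["ctx"]]
        if LOCALHOST_EXCEPTION_MARKER in msg:
            rep.localhost_exception = True
        elif (u := UNAUTH_RE.match(msg)):
            rep.unauthorized.append((u["db"], u["cmd"]))
        elif (f := AUTHFAIL_RE.match(msg)):
            # reason looks like "UserNotFound: Could not find user ..."; keep the code name
            rep.auth_failures.append((f["user"], f["db"], f["reason"].split(":", 1)[0]))
    return dict(conns)


def summarize(conns):
    """Human-readable findings, one string each, in connection order."""
    notes = []
    for name, rep in sorted(conns.items()):
        denied = ", ".join(f"{db}.{cmd}" for db, cmd in rep.unauthorized)
        if rep.localhost_exception:
            notes.append(f"{name} {rep.remote}: localhost exception granted (no users configured yet)"
                         + (f"; still refused: {denied}" if denied else ""))
        elif denied:
            notes.append(f"{name} {rep.remote}: refused without any localhost exception: {denied}")
        for user, db, reason in rep.auth_failures:
            notes.append(f"{name} {rep.remote}: authentication failed for {user}@{db} ({reason})")
    return notes


if __name__ == "__main__":
    for line in summarize(analyze(SAMPLE_LOG)):
        print(line)
```

On the trace in this post the script reports that conn1 was granted the localhost exception and was still refused getCmdLineOpts and replSetGetConfig, which is exactly the behaviour the question is about: the exception does not disable authorization checks, it only grants a fixed, limited privilege set. Feeding it a real mongod.log (`analyze(open(path).read())`) lets you confirm whether any connection other than loopback ever triggered the marker.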

--
You received this message because you are subscribed to the Google Groups "mongodb-user" group.
For other MongoDB technical support options, see: https://docs.mongodb.com/manual/support/
To view this discussion on the web visit https://groups.google.com/d/msgid/mongodb-user/4a0aca67-6d6d-44f9-bca9-6a741d9d6522%40googlegroups.com.