
I had to create a new user in a MongoDB Server and grant it read-only permissions to a single database. Note that I am not the administrator here.

I connected with my user and executed the following code:

db.createUser({user: "newuser", pwd: "mypassword", roles: [{role: "read", db: "mydatabase"}]})

Then I started testing and I found that

  1. I can connect with this newly created newuser user both with Robo3T and Mongo Shell (mongo command).
  2. I can read the mydatabase database
  3. I can still WRITE (insert, update etc) freely in this database
  4. I can read anything from other databases in the server (I didn't try to write).
  5. I can connect with this database without passing username and password, with Robo3t AND Mongo Shell
  6. I can force a bad authentication by providing wrong username and passwords (when passed)

When I execute db.runCommand({connectionStatus : 1}), I get this output:

{
    "authInfo" : {
        "authenticatedUsers" : [
            {
                "user" : "newuser",
                "db" : "mydatabase"
            }
        ],
        "authenticatedUserRoles" : [
            {
                "role" : "read",
                "db" : "mydatabase"
            }
        ]
    },
    "ok" : 1,
    ...
}

With Mongo Shell I connect with this command (but also passing --authenticationDatabase):

mongo --host mongodb://servers:ports/mydatabase?replicaSet=myreplicaset --username newuser --password mypassword

So my questions are very basic, I guess.

  • Why can I connect without authenticating?
  • Why can I still write with this read-only user?
  • Why can I still access other databases with this user?

Thanks in advance!

@edit:

I wonder if it's something related to this:

https://docs.mongodb.com/manual/tutorial/enable-authentication/

I've seen some people (check this out) saying that they forgot to enable access control. Since I am not the administrator of this database, I am still confused (I'm not a very experienced user).

Victor Ferreira

1 Answer


Why can I connect without authenticating?

You are correct with access control. What you have described is a little strange however, according to Mongo basic security, it is the job of the DBA to create users; so as you are not an administrator, you should not really be creating users?

Nonetheless, mongod (the mongo daemon) is the process responsible for running MongoDB. When this initially started, it probably didn't have authentication enabled in the configuration; the process needs restarting with it enabled. This is access control.

This is why you can authenticate as any user, and maybe the same reason that you can create users despite not being an admin?

Why can I still write with this read-only user?

Probably the same reason as above; if true, then users can just do whatever they like as there is no authorisation for a user's actions.

Another common reason is authenticating with a new user without dropping your previous user. If you re-auth with someone else the wrong way, you may end up having the current session with more permissions than intended.

Why can I still access other databases with this user?

Again, most likely the same as above. No authentication is taking place.

NOTE: https://docs.mongodb.com/manual/core/authentication/

When access control, i.e. authorization, is enabled, MongoDB requires all clients to authenticate themselves in order to determine their access.

james
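The diagnosis in the answer, as an added example that is not code from the question or the answer: a small mongo shell (JavaScript) check that compares the roles reported by connectionStatus against what the client was actually able to do, so you can tell "the roles are wrong" apart from "mongod is not enforcing roles at all". The function name diagnose and the observed.* flag names are my own; the sample status document is the one printed in the question and the observed flags are constructed from its points 3 to 5.

```javascript
// Added example, not the question's or the answer's code. Given the document from
// db.runCommand({connectionStatus: 1}) and what the client could actually do, report
// whether the granted roles explain that behaviour or mongod is not enforcing them.
const DB_WRITE_ROLES = new Set(["readWrite", "dbOwner"]);            // writes on the db they are granted on
const ANY_DB_WRITE_ROLES = new Set(["readWriteAnyDatabase", "root"]); // writes everywhere (granted on admin)
const ANY_DB_ROLES = new Set([                                        // reach every database (granted on admin)
  "readAnyDatabase", "readWriteAnyDatabase", "dbAdminAnyDatabase",
  "userAdminAnyDatabase", "clusterAdmin", "root",
]);

function diagnose(status, targetDb, observed) {
  const users = (status.authInfo && status.authInfo.authenticatedUsers) || [];
  const roles = (status.authInfo && status.authInfo.authenticatedUserRoles) || [];
  const findings = [];
  const grantsWrite = roles.some((r) =>
    (DB_WRITE_ROLES.has(r.role) && r.db === targetDb) ||
    (ANY_DB_WRITE_ROLES.has(r.role) && r.db === "admin"));
  const grantsAnyDb = roles.some((r) => ANY_DB_ROLES.has(r.role) && r.db === "admin");
  if (users.length > 1) {
    // Re-authenticating without logging out stacks users; privileges become their union.
    findings.push("several users authenticated on one session: privileges are their union");
  }
  if (observed.unauthenticatedReadSucceeded) {
    findings.push("a client with no credentials could read data: authorization is not enabled on mongod");
  }
  if (observed.writeSucceeded && !grantsWrite) {
    findings.push("write on " + targetDb + " succeeded with no write role: roles are not being enforced");
  }
  if (observed.otherDbReadSucceeded && !grantsAnyDb) {
    findings.push("read of another database succeeded without an *AnyDatabase role: roles are not being enforced");
  }
  return { enforcing: findings.length === 0, findings: findings };
}

// Constructed sample: the connectionStatus output shown in the question, and the
// behaviour from its points 3 to 5 (point 5 taken as a usable unauthenticated session).
const SAMPLE_STATUS = {
  authInfo: {
    authenticatedUsers: [{ user: "newuser", db: "mydatabase" }],
    authenticatedUserRoles: [{ role: "read", db: "mydatabase" }],
  },
  ok: 1,
};
const SAMPLE_OBSERVED = { writeSucceeded: true, otherDbReadSucceeded: true, unauthenticatedReadSucceeded: true };

// In the mongo shell, pass db.runCommand({connectionStatus: 1}) instead of SAMPLE_STATUS.
const result = diagnose(SAMPLE_STATUS, "mydatabase", SAMPLE_OBSERVED);
(typeof print === "function" ? print : console.log)(
  result.enforcing ? "granted roles explain the observed behaviour" : result.findings.join("\n"));
```

Once the DBA has restarted mongod with security.authorization enabled (the tutorial linked in the question), re-run the same three tests as newuser: the write and the cross-database read should now fail with an Unauthorized error and the function should report enforcing: true.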