I have a test environment with two mongo v2.6.5 instances (#1, #2) and an arbiter instance in a replica set. I have a common key file configured for all three instances. I have created an admin account on #1 which replicated automatically so that I could authenticate via the shell to #1 and #2.
The account is not valid on the arbiter, as the admin db doesn't replicate to it. Despite having a keyFile specified in config, I am still able to log in to the arbiter apparently anonymously (albeit from localhost) and retrieve rs.status() information. Why is this?
If I try this on instances #1 or #2 it fails with a permissions error unless I log in with credentials.
What is the correct security config for the arbiter?
Do I need to create an identical user account directly on it or is there a better way to configure it?
Update: relates to https://jira.mongodb.org/browse/SERVER-5479