Drivers / DRIVERS-188

Make copydb work with SASL (SCRAM)

    • Type: Task
    • Resolution: Done
    • Priority: Major - P3
    • None
    • Component/s: None
    • Labels: None

      Key         Status/Resolution  FixVersion
      MOTOR-54    Won't Fix          0.4
      PYTHON-777  Done               2.8
      RUBY-835    Done               1.12
      CXX-389     Done               legacy-1.0.0-rc4

      See SERVER-15684 for a description of the protocol. I assume drivers' copy_database helper methods already accept five parameters named something like fromdb, todb, fromhost, username, and password.

      Drivers (PyMongo 2.8 and the next Ruby Driver 1.x release) should continue to support MONGODB-CR, and add support for SCRAM-SHA-1. No other SASL mechanisms should be supported (GSSAPI, CRAM-MD5, ...).

      Add SCRAM-SHA-1 support like so:

      1. Add a "mechanism" option to the copy_database helper method. For backwards compatibility, the user is not required to specify the mechanism. Allowed values are "MONGODB-CR" and "SCRAM-SHA-1". The default value is "DEFAULT" or null or some other special value.

      2. If the user has not specified a mechanism, choose based on the connected server's maxWireVersion: SCRAM-SHA-1 if maxWireVersion >= 3, otherwise MONGODB-CR. This is a heuristic, based on the assumption that people are likely to copy between mongods running the same version. We cannot tell what version fromhost is running. This heuristic fails if the connected server is modern but the fromhost mongod predates SCRAM-SHA-1. See step 4. (Note: copydb is impossible if the connected server predates SCRAM-SHA-1 and the fromhost mongod is modern and disables MONGODB-CR.)

      3. For SCRAM-SHA-1, begin with "copydbsaslstart" (all lowercase) instead of "copydbgetnonce".

      4. If the server's reply to "copydbsaslstart" has ok: 0, and the "errmsg" field contains the substring "no such cmd: saslStart", you know the fromhost predates SCRAM-SHA-1. Raise an informative error like "<fromhost> doesn't support SCRAM-SHA-1, pass mechanism='MONGODB-CR' to copy_database". Replace <fromhost> with the actual fromhost. Re-raise any other errors from "copydbsaslstart" normally. In particular, if the user explicitly sets mechanism to SCRAM-SHA-1 and the connected server is too old, you'll get a different error, "no such cmd: copydbsaslstart", which you should re-raise like any other command failure.

      5. If "copydbsaslstart" works correctly, call "copydb" repeatedly until you receive done: true, according to the protocol described in SERVER-15684.
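
The decision logic of steps 1 to 5, as an added Python example (not code from this ticket or from any driver). The exception classes, `run_command`, `start_cmd`, `next_cmd` and `max_rounds` are assumptions; the command documents themselves are defined in SERVER-15684 and are passed in by the caller.

```python
class OperationFailure(Exception):
    """Stand-in for the driver's generic command-failure exception."""

class ConfigurationError(Exception):
    """Stand-in for the driver's 'change your arguments' exception."""

def choose_mechanism(mechanism, max_wire_version):
    # Steps 1-2: an explicit choice wins; otherwise guess from the connected server.
    if mechanism in (None, "DEFAULT"):
        return "SCRAM-SHA-1" if max_wire_version >= 3 else "MONGODB-CR"
    if mechanism not in ("MONGODB-CR", "SCRAM-SHA-1"):
        raise ConfigurationError("unsupported copydb mechanism: %r" % (mechanism,))
    return mechanism

def check_sasl_start(reply, fromhost):
    # Step 4: only the "fromhost is too old" case gets the informative error.
    if reply.get("ok"):
        return reply
    errmsg = reply.get("errmsg", "")
    if "no such cmd: saslStart" in errmsg:
        raise ConfigurationError(
            "%s doesn't support SCRAM-SHA-1, pass mechanism='MONGODB-CR' "
            "to copy_database" % fromhost)
    raise OperationFailure(errmsg)  # includes "no such cmd: copydbsaslstart"

def copydb_scram(run_command, start_cmd, next_cmd, fromhost, max_rounds=10):
    # Steps 3-5. start_cmd is the "copydbsaslstart" document and next_cmd(reply)
    # builds each follow-up "copydb" document; both are hypothetical inputs
    # supplied by the SCRAM client. max_rounds is an assumed safety bound.
    reply = check_sasl_start(run_command(start_cmd), fromhost)
    for _ in range(max_rounds):
        reply = run_command(next_cmd(reply))
        if not reply.get("ok"):
            raise OperationFailure(reply.get("errmsg", ""))
        if reply.get("done"):
            return reply
    raise OperationFailure("copydb conversation did not reach done: true")

if __name__ == "__main__":
    # Constructed replies: an old fromhost, then an old connected server.
    for errmsg in ("no such cmd: saslStart", "no such cmd: copydbsaslstart"):
        try:
            check_sasl_start({"ok": 0, "errmsg": errmsg}, "old.example.net:27017")
        except Exception as exc:
            print(type(exc).__name__, "-", exc)
```

The substring test is case-sensitive, so the connected-server error "no such cmd: copydbsaslstart" does not match "no such cmd: saslStart" and is re-raised as an ordinary command failure.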

            Assignee: Barrie Segal
            Reporter: Barrie Segal
            Votes: 0
            Watchers: 10
