  1. Python Driver
  2. PYTHON-1613

Authentication fails when SCRAM-SHA-1 is used to authenticate users with only MONGODB-CR credentials

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • 3.7.1, 3.8
    • Affects Version/s: 3.7
    • Component/s: Auth
    • Labels:
      None

      When authentication is attempted against MongoDB 3.0 through 3.6, and no authentication mechanism is specified by the application, PyMongo uses SCRAM-SHA-1 as the authentication mechanism. If the user to authenticate only has legacy MONGODB-CR credentials, the server upgrades those credentials to SCRAM-SHA-1 on the fly and authentication succeeds. The server does not store the upgraded credentials; it just upgrades the MONGODB-CR credentials on the fly again on every authentication attempt. In PYTHON-1273 we implemented SCRAM key caching as a performance improvement. The implementation expected the SCRAM keys to be the same on every authentication attempt, but that's not the case with on-the-fly credential upgrades.

      Original bug report follows:

      I instantiate a MongoClient authenticated as a user with readWrite privilege. I drop a collection. Then, I call close() on the MongoClient instance. Finally, I try the collection drop operation again, and there is an "OperationFailure: Authentication failed." error raised. This is not the case in pymongo 3.6.1 (and lower) where, after closing a client, I can decide to re-use the instance without issue, as described in the documentation: "If this instance is used again it will be automatically re-opened and the threads restarted." In my code, I call close() as a good habit to clean up client resources and disconnect from MongoDB, whether I end up needing to reopen the collection later or not. I do not want to have to re-authenticate.
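
      An added example (not PyMongo's code and not part of the original report) of why cached SCRAM keys fail on the second authentication and why tying the cache to the salt and iteration count avoids it. It assumes the on-the-fly upgrade presents a different salt on each attempt; `KeyCache`, `simulate`, `ITERATIONS` and all sample values are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 4096  # constructed value for this example

def derive_keys(password, salt, iterations):
    """RFC 5802: ClientKey and ServerKey both depend on the salt."""
    salted = hashlib.pbkdf2_hmac("sha1", password, salt, iterations)
    return (hmac.new(salted, b"Client Key", hashlib.sha1).digest(),
            hmac.new(salted, b"Server Key", hashlib.sha1).digest())

def client_proof(client_key, auth_message):
    stored_key = hashlib.sha1(client_key).digest()
    signature = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return bytes(a ^ b for a, b in zip(client_key, signature))

def server_verify(password, salt, iterations, auth_message, proof):
    """Server side: recover ClientKey from the proof, compare to StoredKey."""
    client_key, _ = derive_keys(password, salt, iterations)
    stored_key = hashlib.sha1(client_key).digest()
    signature = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    recovered = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.sha1(recovered).digest(), stored_key)

class KeyCache:
    """Hypothetical client-side cache; check_salt=False models the bug."""
    def __init__(self, check_salt):
        self.check_salt = check_salt
        self.entry = None  # (client_key, server_key, salt, iterations)

    def keys(self, password, salt, iterations):
        if self.entry:
            ckey, skey, csalt, citer = self.entry
            # Reuse only if the server sent the same salt and iteration count.
            if not self.check_salt or (csalt, citer) == (salt, iterations):
                return ckey, skey
        ckey, skey = derive_keys(password, salt, iterations)
        self.entry = (ckey, skey, salt, iterations)
        return ckey, skey

def simulate(check_salt, attempts=3):
    """Assumption: every attempt sees a fresh salt (on-the-fly upgrade)."""
    password, cache, results = b"constructed-password", KeyCache(check_salt), []
    for n in range(attempts):
        salt, msg = os.urandom(16), b"constructed-auth-message-%d" % n
        ckey, _ = cache.keys(password, salt, ITERATIONS)
        proof = client_proof(ckey, msg)
        results.append(server_verify(password, salt, ITERATIONS, msg, proof))
    return results
```

      With `check_salt=False` only the first attempt verifies, which matches the reported pattern of a successful first authentication followed by "Authentication failed." on reconnect.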

            Assignee:
            bernie@mongodb.com Bernie Hackett
            Reporter:
            dwinston Donald Winston
            Votes:
            0
            Watchers:
            3