Core Server: SERVER-16668

SASL PLAIN authentication mechanism is inconsistent between community and enterprise


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.3.11
    • Component/s: Security
    • Backwards Compatibility:
      Fully Compatible
    • Operating System:
      ALL
    • Steps To Reproduce:

      Create a user

      > db.createUser({user: "sajack", pwd: "secret", roles: ["readWrite"]})
      Successfully added user: { "user" : "sajack", "roles" : [ "readWrite" ] }
       
      Activate a community server, using PLAIN
      sajack@linux-p7yj /home/sajack/mongo git master () % ./mongod --dbpath db1 --auth --setParameter authenticationMechanisms=PLAIN                                                                                                   2 :(
      2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] MongoDB starting : pid=13909 port=27017 dbpath=db1 64-bit host=linux-p7yj.site
      2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] _DEBUG build (which is slower)
      2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] 
      2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
      2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
      2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] 
      2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] db version v2.8.0-rc5-pre-
      2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] git version: 8e8ecc54d3e63be0c2d19463031432f1308bcb7c
      2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] OpenSSL version: OpenSSL 1.0.1j 15 Oct 2014
      2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] build info: Linux linux-p7yj.site 3.17.4-2.g2d23787-desktop #1 SMP PREEMPT Tue Nov 25 20:17:30 UTC 2014 (2d23787) x86_64 BOOST_LIB_VERSION=1_49
      2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] allocator: tcmalloc
      2014-12-24T15:09:54.586-0500 I CONTROL  [initandlisten] options: { security: { authorization: "enabled" }, setParameter: { authenticationMechanisms: "PLAIN" }, storage: { dbPath: "db1" } }
      2014-12-24T15:09:54.599-0500 I JOURNAL  [initandlisten] journal dir=db1/journal
      2014-12-24T15:09:54.600-0500 I JOURNAL  [initandlisten] recover : no journal files present, no recovery needed
      2014-12-24T15:09:55.215-0500 I JOURNAL  [initandlisten] preallocateIsFaster=true 4.48
      2014-12-24T15:09:55.458-0500 I JOURNAL  [initandlisten] preallocateIsFaster=true 2.28
      2014-12-24T15:09:56.674-0500 I NETWORK  [initandlisten] waiting for connections on port 27017
      2014-12-24T15:09:58.676-0500 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:45690 #1 (1 connection now open)
      2014-12-24T15:09:58.689-0500 I ACCESS   [conn1] Unauthorized not authorized on admin to execute command { getLog: "startupWarnings" }
      2014-12-24T15:09:58.696-0500 I ACCESS   [conn1] Unauthorized not authorized on admin to execute command { replSetGetStatus: 1.0, forShell: 1.0 }
      2014-12-24T15:10:00.169-0500 I ACCESS   [conn1] Successfully authenticated as principal sajack on test
      2014-12-24T15:10:03.552-0500 I NETWORK  [conn1] end connection 127.0.0.1:45690 (0 connections now open)
       
      Log in using PLAIN
      > db.runCommand({saslStart:1, mechanism: "PLAIN", payload: "c2FqYWNrAHNhamFjawBzZWNyZXQ="})
      { "conversationId" : 1, "done" : true, "payload" : "", "ok" : 1 }
       
      Restart server with the enterprise module.
       
      Attempt to log in again:
      > db.runCommand({saslStart:1, mechanism: "PLAIN", payload: "c2FqYWNrAHNhamFjawBzZWNyZXQ="})
      { "ok" : 0, "code" : 18, "errmsg" : "Authentication failed." }
      

    • Sprint:
      Security 16 (06/24/16), Security 17 (07/15/16), Security (08/08/16)

      Description

      On a community server, it is possible to use the PLAIN mechanism to authenticate against a local database user. The enterprise server does not support this through Cyrus SASL.
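The payload in the steps above is a SASL PLAIN message as defined in RFC 4616: the optional authorization identity, the authentication identity and the password, separated by NUL bytes and base64-encoded. The following is an added example written for this page, not MongoDB code and not part of the original report. It decodes the payload from the steps, rebuilds it from its parts, and assembles the same saslStart document that db.runCommand sends; the function names are this example's own. Keep in mind that base64 is an encoding, not encryption: anyone who can read the connection sees the password, so PLAIN should only be enabled on TLS-protected connections.

```python
import base64
from typing import Tuple

# SASL PLAIN (RFC 4616) message: [authzid] NUL authcid NUL passwd.
# MongoDB's saslStart command carries it base64-encoded in the "payload" field.

# Payload copied from the steps to reproduce above.
PAGE_PAYLOAD = "c2FqYWNrAHNhamFjawBzZWNyZXQ="


def build_plain_payload(authcid: str, passwd: str, authzid: str = "") -> str:
    """Return the base64 SASL PLAIN message for the given identities.

    authzid may be empty (RFC 4616 permits that). NUL is the field
    separator, so it must not appear inside any field.
    """
    for name, field in (("authzid", authzid), ("authcid", authcid), ("passwd", passwd)):
        if "\0" in field:
            raise ValueError(f"NUL byte not allowed in {name}")
    raw = f"{authzid}\0{authcid}\0{passwd}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_plain_payload(payload: str) -> Tuple[str, str, str]:
    """Decode a saslStart PLAIN payload into (authzid, authcid, passwd).

    Base64 only encodes the message; the password comes back in clear,
    which is why PLAIN belongs on TLS-protected connections only.
    """
    raw = base64.b64decode(payload, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError(f"expected 3 NUL-separated fields, got {len(parts)}")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return authzid, authcid, passwd


def sasl_start_command(mechanism: str, payload: str) -> dict:
    """Build the command document that db.runCommand sends in the steps above."""
    return {"saslStart": 1, "mechanism": mechanism, "payload": payload}


if __name__ == "__main__":
    authzid, authcid, passwd = parse_plain_payload(PAGE_PAYLOAD)
    print(f"authzid={authzid!r} authcid={authcid!r} passwd={passwd!r}")
    rebuilt = build_plain_payload(authcid, passwd, authzid=authzid)
    print("round trip matches page payload:", rebuilt == PAGE_PAYLOAD)
    print(sasl_start_command("PLAIN", rebuilt))
```

Decoding the page's payload yields authzid and authcid both equal to "sajack" with password "secret"; the reporter sent an explicit authorization identity, which RFC 4616 allows but does not require, so a client that omits it produces a shorter payload for the same user.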

            People

            Assignee:
            andreas.nilsson Andreas Nilsson
            Reporter:
            spencer.jackson Spencer Jackson
            Votes:
            0
            Watchers:
            11