Type: Bug
Resolution: Done
Priority: Critical - P2
Affects Version/s: 3.0.0
Component/s: Security
Hi all,
Starting a server (from scratch) in 3.0 with authenticationMechanisms=MONGODB-CR and auth enabled makes it impossible to log in with that mechanism.
I've traced it a little bit: when users are created (even with this auth mechanism), the credentials created are only for "SCRAM-SHA-1".
See sample:
{
  "_id" : "admin.admin",
  "user" : "admin",
  "db" : "admin",
  "credentials" : {
    "SCRAM-SHA-1" : {
      "iterationCount" : 10000,
      "salt" : "FPnmqmCI04KHJVZunfaI2Q==",
      "storedKey" : "i+jvORcFsnx6CXt0Bd924e2f804=",
      "serverKey" : "PQHG8nYYcJTjFEClqjFRZ8PTLTA="
    }
  },
  "roles" : [
    {
      "role" : "userAdminAnyDatabase",
      "db" : "admin"
    },
    {
      "role" : "root",
      "db" : "admin"
    }
  ]
}
But if I go to a 2.6 server, create the same credentials, then update the 3.0 server user document credentials with the MONGODB-CR, it can successfully log in.
{
  "_id" : "admin.admin",
  "user" : "admin",
  "db" : "admin",
  "credentials" : {
    "SCRAM-SHA-1" : {
      "iterationCount" : 10000,
      "salt" : "FPnmqmCI04KHJVZunfaI2Q==",
      "storedKey" : "i+jvORcFsnx6CXt0Bd924e2f804=",
      "serverKey" : "PQHG8nYYcJTjFEClqjFRZ8PTLTA="
    },
    "MONGODB-CR" : "8aab8902fd862afad8064b73bd149d00"
  },
  "roles" : [
    {
      "role" : "userAdminAnyDatabase",
      "db" : "admin"
    },
    {
      "role" : "root",
      "db" : "admin"
    }
  ]
}
There's still a lot of code/programs (such as the admin UIs robomongo, nosqlmanager and so on) that are still not ready for the new auth schema, which makes it impossible to log in, even if I specify the MONGODB-CR auth.
I think that the credentials created for a new user need to also include the enabled auth mechanism; this would make a softer transition possible. For us right now it means a lot of manual hacking of the user collection, or not upgrading.
Thanks!
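
Added example, not part of the original report and not MongoDB project code: a Python sketch that audits user documents shaped like the ones above for enabled mechanisms with no stored credential, the condition that produces the failed logins described in the report. The function names, user names, password and salt are assumptions for illustration; the two derivation helpers follow the MONGODB-CR and SCRAM-SHA-1 credential formats and are there only to build constructed sample documents.

```python
import base64
import hashlib
import hmac


def mongodb_cr_digest(user, password):
    # MONGODB-CR credential: hex MD5 of "<user>:mongo:<password>".
    return hashlib.md5(f"{user}:mongo:{password}".encode()).hexdigest()


def scram_sha1_credential(user, password, salt, iterations=10000):
    # MongoDB's SCRAM-SHA-1 uses the MONGODB-CR digest as the PBKDF2 input,
    # so the stored keys cannot be turned back into a MONGODB-CR credential.
    digest = mongodb_cr_digest(user, password).encode()
    salted = hashlib.pbkdf2_hmac("sha1", digest, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return {
        "iterationCount": iterations,
        "salt": base64.b64encode(salt).decode(),
        "storedKey": base64.b64encode(hashlib.sha1(client_key).digest()).decode(),
        "serverKey": base64.b64encode(server_key).decode(),
    }


def missing_mechanisms(user_docs, enabled):
    """Map each user _id to the enabled mechanisms it has no credential for."""
    gaps = {}
    for doc in user_docs:
        absent = [m for m in enabled if m not in doc.get("credentials", {})]
        if absent:
            gaps[doc["_id"]] = absent
    return gaps


# Constructed sample data: user names, password and salt are placeholders.
SALT = bytes(range(16))
USERS = [
    {"_id": "admin.admin", "credentials": {
        "SCRAM-SHA-1": scram_sha1_credential("admin", "example-password", SALT)}},
    {"_id": "admin.legacy", "credentials": {
        "SCRAM-SHA-1": scram_sha1_credential("legacy", "example-password", SALT),
        "MONGODB-CR": mongodb_cr_digest("legacy", "example-password")}},
]

if __name__ == "__main__":
    enabled = ["MONGODB-CR", "SCRAM-SHA-1"]
    for user_id, absent in missing_mechanisms(USERS, enabled).items():
        print(f"{user_id}: no stored credential for {', '.join(absent)}")
```

Run against an export of the user collection, the same check lists the accounts that a MONGODB-CR-only client cannot use.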