Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-17459

Users can't authenticate with authenticationMechanisms=MONGODB-CR

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical - P2
    • Resolution: Works as Designed
    • Affects Version/s: 3.0.0
    • Fix Version/s: None
    • Component/s: Security
    • Labels:
      None
    • Operating System:
      ALL

      Description

      Hi all,

      Starting a server (from scracth) in 3.0 and authenticationMechanisms=MONGODB-CR and auth enabled makes impossible to login with that mechanism.

      I've traced it a little bit: when users are created (even with this auth mechanism) the credentials created are only for "SCRAM-SHA-1".
      see Sample:

      {
              "_id" : "admin.admin",
              "user" : "admin",
              "db" : "admin",
              "credentials" : {
                      "SCRAM-SHA-1" : {
                              "iterationCount" : 10000,
                              "salt" : "FPnmqmCI04KHJVZunfaI2Q==",
                              "storedKey" : "i+jvORcFsnx6CXt0Bd924e2f804=",
                              "serverKey" : "PQHG8nYYcJTjFEClqjFRZ8PTLTA="
                      }
              },
              "roles" : [
                      {
                              "role" : "userAdminAnyDatabase",
                              "db" : "admin"
                      },
                      {
                              "role" : "root",
                              "db" : "admin"
                      }
              ]
      }

      But if I go to a 2.6 server create the same credentials, then update the 3.0 server user document credentials with the MONGODB-CR it can successfully log in.

      {
              "_id" : "admin.admin",
              "user" : "admin",
              "db" : "admin",
              "credentials" : {
                      "SCRAM-SHA-1" : {
                              "iterationCount" : 10000,
                              "salt" : "FPnmqmCI04KHJVZunfaI2Q==",
                              "storedKey" : "i+jvORcFsnx6CXt0Bd924e2f804=",
                              "serverKey" : "PQHG8nYYcJTjFEClqjFRZ8PTLTA="
                      },
                      "MONGODB-CR" : "8aab8902fd862afad8064b73bd149d00"
              },
              "roles" : [
                      {
                              "role" : "userAdminAnyDatabase",
                              "db" : "admin"
                      },
                      {
                              "role" : "root",
                              "db" : "admin"
                      }
              ]
      }

      There's still a lot of code/programs (as admin UIs robomongo, nosqlmanager and so on) that still is not ready to the new auth schema and makes impossible to login, even if I specify the MONGODB-CR auth.

      I think that the credentials created for a new user need to include also the auth mechanism enabled, this will possible a softer transition, for us right now means a lot of user collection manual hack or don't upgrade.

      Thanks!

        Attachments

          Activity

            People

            • Votes:
              1 Vote for this issue
              Watchers:
              20 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: