Loading...

XML

Word

Printable

JSON

Type: Task
Resolution: Done
Priority: Major - P3
Fix Version/s: 3.5.4
Affects Version/s: 3.5.1
Component/s: Sharding
Labels:
None

Backwards Compatibility:
Fully Compatible
Sprint:
Sharding 2017-03-06
Linked BF Score:
0
Confidence Status:
None
Work Order:
3
CAR Domain/s:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

The key that the mongos and mongod will use to verify the clusterTime will be generated by the config server primary during transition to primary. It will be stored in the admin.system.keys with the following format:

{
    _id: 'clusterTimeKey',
    key: <20 byte key generated with secure PRNG in BinData>
}

The mongos or mongod would need to extract this key auth so it would be able to sign or verify the logicalTime metadata when it interacts with the client.

// POC for TimeProofService that will be owned by LogicalClock to sign and verify signatures.
namespace mongo {
class TimeProofService {
public:
    using TimeProof = SHA1Hash;

    TimeProof getProof(const LogicalTime& time) const {
        auto timeStr = time.toString();
        return hmacSha1(_key.c_str(), _key.size(), timeStr.c_str(), timeStr.length());
    }

    Status checkProof(const LogicalTime& time, const TimeProof& proof) const {
        auto myProof = getProof(time);
        if (myProof != proof) {
             return Error;
        }

        return Status::OK();
    }

private:
    std::string _key;
};
}

Accessing and storing the key on the config server will be addressed in ~~SERVER-28178~~

Assignee:: Jack Mulrow
Reporter:: Randolph Tan
Participants:: Githook User, Jack Mulrow, Randolph Tan
Votes:: 0 Vote for this issue
Watchers:: 2 Start watching this issue

Created:: Jan 20 2017 09:16:45 PM UTC
Updated:: Jul 13 2017 12:36:05 PM UTC
Resolved:: Mar 02 2017 06:55:31 PM UTC
Confidence Status Last Update:: 07/Feb/17 4:41 PM

Details

Description

Attachments

Forms

Activity

People

Dates