  1. Core Server
  2. SERVER-55273

ReplSetTest and ShardingTest objects do not support x509 authentication

    • Replication
    • ALL
      1. Run the attached script on the ssl suite.

      The following snippet results in a JavaScript error when initializing a cluster:

      'use strict';
      
      var x509_options = {
          sslMode: "requireSSL",
          sslPEMKeyFile: "jstests/libs/server.pem",
          sslCAFile: "jstests/libs/ca.pem",
          sslClusterFile: "jstests/libs/cluster_cert.pem",
          sslAllowInvalidHostnames: "",
          clusterAuthMode: "x509"
      };
      
      var st = new ShardingTest({
          shards: 2,
          mongos: 1,
          other: {
              enableBalancer: true,
              configOptions: x509_options,
              mongosOptions: x509_options,
              rsOptions: x509_options,
              shardOptions: x509_options
          }
      });
      
      st.stop();
      

      With the following backtrace:

      assert: command failed: {
      	"ok" : 0,
      	"errmsg" : "not authorized on admin to execute command { serverStatus: 1.0, lsid: { id: UUID(\"aeb11c69-c642-4f3b-8910-915161999c85\") }, $db: \"admin\" }",
      	"code" : 13,
      	"codeName" : "Unauthorized"
      } with original command request: {
      	"serverStatus" : 1,
      	"lsid" : {
      		"id" : UUID("aeb11c69-c642-4f3b-8910-915161999c85")
      	}
      } on connection: connection to ip-10-122-78-134.ec2.internal:20520
      _getErrorWithCode@src/mongo/shell/utils.js:25:13
      doassert@src/mongo/shell/assert.js:18:14
      _assertCommandWorked@src/mongo/shell/assert.js:719:17
      assert.commandWorked@src/mongo/shell/assert.js:811:16
      _isRunningWithoutJournaling/result<@src/mongo/shell/replsettest.js:214:32
      asCluster@src/mongo/shell/replsettest.js:203:20
      _isRunningWithoutJournaling@src/mongo/shell/replsettest.js:213:22
      ReplSetTest/this._updateConfigIfNotDurable@src/mongo/shell/replsettest.js:1167:13
      ReplSetTest/this._setDefaultConfigOptions@src/mongo/shell/replsettest.js:1176:9
      ReplSetTest/this.initiateWithAnyNodeAsPrimary@src/mongo/shell/replsettest.js:1318:9
      initiateReplicaSet@src/mongo/shell/shardingtest.js:1634:9
      ShardingTest@src/mongo/shell/shardingtest.js:1709:13
      @jstests/ssl/sharding_with_x509.js:20:10
      @jstests/ssl/sharding_with_x509.js:3:2
      

      The cause of this seems to be that when initializing a shard as a replica set, a server status command is executed, but the only authentication method available is a keyFile, so there is no way of using x509. There is an old ticket proposing a refactor of ShardingTest and ReplSetTest. Until this is fixed, tests like sharding_with_x509.js or speculative-auth-sharding.js must be blacklisted.

            Assignee:
            backlog-server-repl [DO NOT USE] Backlog - Replication Team
            Reporter:
            marcos.grillo@mongodb.com Marcos José Grillo Ramirez