[DRIVERS-188] Make copydb work with SASL (SCRAM) Created: 16/Oct/14  Updated: 27/May/22  Resolved: 21/Jun/16

Status: Closed
Project: Drivers
Component/s: None
Fix Version/s: None

Type: Task Priority: Major - P3
Reporter: Barrie Segal Assignee: Barrie Segal
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on MOTOR-54 Make copydb work with SASL (SCRAM) Closed
depends on PYTHON-777 Make copydb work with SASL (SCRAM) Closed
depends on RUBY-835 Make copydb work with SASL (SCRAM) Closed
depends on SERVER-15684 Make copydb work with SASL (SCRAM) Closed
depends on CXX-389 Add support for auth to CopyDb helper Closed
Server Compat: 2.8
Driver Compliance:
Key          Status/Resolution   FixVersion
MOTOR-54     Won't Fix           0.4
PYTHON-777   Done                2.8
RUBY-835     Done                1.12
CXX-389      Done                legacy-1.0.0-rc4

 Description   

See SERVER-15684 for a description of the protocol. I assume drivers' copy_database helper methods already accept five parameters named something like fromdb, todb, fromhost, username, and password.

Drivers (PyMongo 2.8 and the next Ruby Driver 1.x release) should continue to support MONGODB-CR, and add support for SCRAM-SHA-1. No other SASL mechanisms should be supported (GSSAPI, CRAM-MD5, ...).

Add SCRAM-SHA-1 support like so:

1. Add a "mechanism" option to the copy_database helper method. For backwards compatibility, the user is not required to specify the mechanism. Allowed values are "MONGODB-CR" and "SCRAM-SHA-1". The default value is "DEFAULT" or null or some other special value.

2. If the user has not specified a mechanism, choose based on the connected server's maxWireVersion: SCRAM-SHA-1 if maxWireVersion >= 3, otherwise MONGODB-CR. This is a heuristic, based on the assumption that people are likely to copy between mongods running the same version. We cannot tell what version fromhost is running. This heuristic fails if the connected server is modern but the fromhost mongod predates SCRAM-SHA-1. See step 4. (Note: copydb is impossible if the connected server predates SCRAM-SHA-1 and the fromhost mongod is modern and disables MONGODB-CR.)

3. For SCRAM-SHA-1, begin with "copydbsaslstart" (all lowercase) instead of "copydbgetnonce".

4. If the server's reply to "copydbsaslstart" has ok: 0, and the "errmsg" field contains the substring "no such cmd: saslStart", you know the fromhost predates SCRAM-SHA-1. Raise an informative error like "<fromhost> doesn't support SCRAM-SHA-1, pass mechanism='MONGODB-CR' to copy_database". Replace <fromhost> with the actual fromhost. Re-raise any other errors from "copydbsaslstart" normally. In particular, if the user explicitly sets mechanism to SCRAM-SHA-1 and the connected server is too old, you'll get a different error, "no such cmd: copydbsaslstart", which you should re-raise like any other command failure.

5. If "copydbsaslstart" works correctly, call "copydb" repeatedly until you receive done: true, according to the protocol described in SERVER-15684.
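
The mechanism choice in steps 1-3 and the reply handling in step 4, as an added Python example (not PyMongo or Ruby driver code). The function and exception names are hypothetical and the sample replies are constructed; the SASL conversation from SERVER-15684 is left out because this issue does not describe it.

```python
# Added example: hypothetical helper names, not PyMongo or Ruby driver code.
ALLOWED = ("MONGODB-CR", "SCRAM-SHA-1")
DEFAULT = "DEFAULT"          # special "not specified" value (step 1)
SCRAM_MIN_WIRE_VERSION = 3   # threshold from step 2

class CopyDbError(Exception):
    """Any copydb command failure, re-raised normally."""

class FromHostTooOld(CopyDbError):
    """fromhost predates SCRAM-SHA-1 (step 4)."""

def choose_mechanism(mechanism, max_wire_version):
    """Steps 1-2: honour an explicit choice, else pick by maxWireVersion."""
    if mechanism in (None, DEFAULT):
        if max_wire_version >= SCRAM_MIN_WIRE_VERSION:
            return "SCRAM-SHA-1"
        return "MONGODB-CR"
    if mechanism not in ALLOWED:  # GSSAPI, CRAM-MD5, ... are rejected
        raise ValueError("mechanism must be one of %r" % (ALLOWED,))
    return mechanism

def first_command(mechanism):
    """Step 3: SCRAM-SHA-1 opens with copydbsaslstart, not copydbgetnonce."""
    return "copydbsaslstart" if mechanism == "SCRAM-SHA-1" else "copydbgetnonce"

def check_sasl_start_reply(reply, fromhost):
    """Step 4: raise instead of silently retrying with MONGODB-CR."""
    if reply.get("ok"):
        return reply
    errmsg = reply.get("errmsg", "")
    if "no such cmd: saslStart" in errmsg:
        raise FromHostTooOld(
            "%s doesn't support SCRAM-SHA-1, pass mechanism='MONGODB-CR' "
            "to copy_database" % fromhost)
    raise CopyDbError(errmsg)  # includes "no such cmd: copydbsaslstart"

# Constructed replies (only the errmsg substrings come from the issue text).
OLD_FROMHOST = {"ok": 0, "errmsg": "no such cmd: saslStart"}
OLD_CONNECTED = {"ok": 0, "errmsg": "no such cmd: copydbsaslstart"}

if __name__ == "__main__":
    mech = choose_mechanism(None, max_wire_version=3)
    print(mech, first_command(mech))
    for reply in (OLD_FROMHOST, OLD_CONNECTED):
        try:
            check_sasl_start_reply(reply, "old.example.com:27017")
        except CopyDbError as exc:
            print(type(exc).__name__, exc)
```

Because the old-fromhost case raises rather than falling back, the weaker MONGODB-CR mechanism is only used against a SCRAM-capable connected server when the caller asks for it by name.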



 Comments   
Comment by Andrew Morrow (Inactive) [ 03/Mar/15 ]

Validating for C++11 because validated for C, and C++11 does not offer a copyDb helper.

Comment by A. Jesse Jiryu Davis [ 02/Mar/15 ]

C driver provides no copydb helper, validated.
