[GODRIVER-1090] Authentication fails against Hidden Secondary
Created: 28/May/19  Updated: 27/Oct/23  Resolved: 28/May/19

Status: Closed
Project: Go Driver
Component/s: Authentication
Affects Version/s: None
Fix Version/s: None

Type: Bug
Priority: Critical - P2
Reporter: Jonathan Balsano
Assignee: Unassigned
Resolution: Works as Designed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File second.go    
Issue Links:
Depends
Duplicate
is duplicated by GODRIVER-1033 Authenticated connection does not hav... Closed
Related
is related to GODRIVER-1344 Authentication fails against Hidden s... Closed

 Description   

Steps to Reproduce:

  1. Set up a four-member replica set with SCRAM-SHA auth enabled AND the localhost exception disabled:
     • Primary
     • Secondary
     • Secondary
     • Secondary
       • Hidden: true
       • Priority: 0
  2. Set up a user with the "clusterMonitor" role on admin
  3. Create a NewClient connection with basic clientOptions, authenticating with that user against admin
  4. Connect the new client (Note that if at this stage you call connectionStatus you'll get back empty users and roles - this seems like a separate case from GODRIVER-1033; the connectionStatus result is the same)
  5. Get the admin database
  6. Use RunCommand to try to call replSetGetStatus

Expected:
replSetGetStatus executes properly
Observed:
replSetGetStatus receives an authorization error



 Comments   
Comment by Jonathan Balsano [ 28/May/19 ]

kris.brandow explained to me today that this is expected behavior - the MongoDB Go Driver adheres to the drivers spec and does not successfully authenticate to nodes not in the following list:
1. Primaries
2. Secondaries
3. Standalones
4. Mongos
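
The server-kind rule from the comment above, as an added example (not the Go driver's code and not part of the original ticket). It shows why a hidden member falls outside the list even though its isMaster reply also says `secondary: true`. The names `kindOf` and `authAttempted` are hypothetical, the replies are constructed, and the classification order is an assumption taken from the Server Discovery and Monitoring spec rather than from this page.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// kindOf classifies an isMaster reply. Assumption (SDAM spec, not this page):
// "hidden" is tested before "secondary", so a hidden member is RSOther.
func kindOf(reply string) string {
	// encoding/json matches these field names to reply keys case-insensitively.
	var h struct {
		SetName, Msg                             string
		IsMaster, Secondary, Hidden, ArbiterOnly bool
	}
	if err := json.Unmarshal([]byte(reply), &h); err != nil {
		return "Unknown"
	}
	switch {
	case h.Msg == "isdbgrid":
		return "Mongos"
	case h.SetName == "":
		return "Standalone"
	case h.IsMaster:
		return "RSPrimary"
	case h.Hidden:
		return "RSOther"
	case h.Secondary:
		return "RSSecondary"
	case h.ArbiterOnly:
		return "RSArbiter"
	}
	return "RSOther"
}

// authKinds mirrors the list in the comment above; other kinds skip authentication.
var authKinds = map[string]bool{"RSPrimary": true, "RSSecondary": true, "Standalone": true, "Mongos": true}

func authAttempted(kind string) bool { return authKinds[kind] }

// Constructed replies for a visible and a hidden secondary (not captured output).
const visibleReply = `{"setName":"rs0","ismaster":false,"secondary":true}`
const hiddenReply = `{"setName":"rs0","ismaster":false,"secondary":true,"hidden":true}`

func main() {
	for _, r := range []string{visibleReply, hiddenReply} {
		fmt.Println(kindOf(r), authAttempted(kindOf(r)))
	}
}
```

A connection that skipped authentication this way still opens, so the first sign is the authorization error on a privileged command such as replSetGetStatus, or the empty users and roles in connectionStatus noted in the description.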

Comment by Jonathan Balsano [ 28/May/19 ]

jeff.yemin I'm using the same setup as in GODRIVER-1033, so read preference nearest, direct connection, client options exactly as in GODRIVER-1033. (The script I'm using has the same initialization block.) I'm not specifying a separate read preference for RunCommand.

Comment by Jeffrey Yemin [ 28/May/19 ]

jonathan.balsano, a few questions:

  1. What does the connection string look like for the NewClient? Or if you're not using a connection string how did you configure client options?
  2. What read preference are you specifying for RunCommand, if any?