[GODRIVER-1344] Authentication fails against Hidden secondaries in direct connection mode
Created: 16/Oct/19  Updated: 17/Oct/19  Resolved: 17/Oct/19

Status: Closed
Project: Go Driver
Component/s: Authentication
Affects Version/s: 1.1.2
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: David Golden
Assignee: Unassigned
Resolution: Won't Do
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by TOOLS-2380 mongodump fails against hidden node w... Closed
Related
related to GODRIVER-1090 Authentication fails against Hidden S... Closed

 Description   

From TOOLS-2380, the Go driver doesn't appear to authenticate in a direct connection to a hidden secondary. This has caused a regression in tools, as users want to dump from hidden members to avoid load on members serving applications.

Reproduction:

  • mongod 4.2.0
  • 4 node replica set with 1 hidden member
  • authentication enabled: "root" user with "root" role
  • directly connecting to hidden member errors with "(Unauthorized) command listDatabases requires authentication"
  • directly connecting to secondary succeeds

package main

import (
    "context"
    "fmt"
    "time"

    "go.mongodb.org/mongo-driver/bson"
    "go.mongodb.org/mongo-driver/mongo"
    "go.mongodb.org/mongo-driver/mongo/options"
)

func main() {
    // connect=direct makes the driver talk only to the single host in the URI
    // (the hidden member in the failing case) instead of discovering the set.
    client, err := mongo.NewClient(options.Client().ApplyURI("mongodb://root:XXX@metis:53929/?connect=direct"))
    if err != nil {
        panic(err)
    }
    ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
    defer cancel()
    err = client.Connect(ctx)
    if err != nil {
        panic(err)
    }

    // listDatabases requires an authenticated connection, so this is where
    // the "(Unauthorized)" error surfaces when authentication was skipped.
    admin := client.Database("admin")
    res := admin.RunCommand(context.Background(), bson.D{{Key: "listDatabases", Value: 1}})
    if res.Err() != nil {
        panic(res.Err())
    }
    var doc bson.D
    if err := res.Decode(&doc); err != nil {
        panic(err)
    }
    // Print the server reply as relaxed Extended JSON.
    json, err := bson.MarshalExtJSON(doc, false, false)
    if err != nil {
        panic(err)
    }
    fmt.Println(string(json))
}



 Comments   
Comment by David Golden [ 16/Oct/19 ]

No.  That option came after the initial tools porting, plus it's deprecated and GODRIVER-846 says it's going to be removed after GODRIVER-617, which is complete.

We need a long-term solution that doesn't require the low level library.  If this is blocking on SPEC-1301, maybe we could expedite that as a path forward?  I'm happy to propose a spec patch to auth direct connections, as I mentioned previously.

Comment by Jeffrey Yemin [ 16/Oct/19 ]

david.golden are the tools using the AuthenticateToAnything field in ClientOptions (discussed in GODRIVER-1090)?
