[GODRIVER-1763] Unable to authenticate with SCRAM-SHA-256 Created: 07/Oct/20 Updated: 27/Oct/23 Resolved: 23/Nov/20
| Status: | Closed |
| Project: | Go Driver |
| Component/s: | Authentication |
| Affects Version/s: | 1.4.2 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Derek Smith | Assignee: | Kevin Albertson |
| Resolution: | Gone away | Votes: | 1 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | Running in a Debian-based Docker image |
| Description |
I am trying to connect to a database that is set up with authentication using SCRAM-SHA-256 using the Go MongoDB driver, but I cannot make it work. What else do I need to do on this machine to get this to work? Do I have to install SASL libraries?
auth error: sasl conversation error: unable to authenticate using mechanism "SCRAM-SHA-256": (AuthenticationFailed) Authentication failed.
| Comments |
| Comment by 镇龙 张 [ 15/Mar/21 ] |
I ran into the same problem too.
Here's the log:
| Comment by Backlog - Core Eng Program Management Team [ 23/Nov/20 ] |
There hasn't been any recent activity on this ticket, so we're resolving it. Thanks for reaching out! Please feel free to comment on this if you're able to provide more information.
| Comment by Kevin Albertson [ 06/Nov/20 ] |
Thank you for the additional information. I attempted to closely match your environment and the user (which only has SCRAM-SHA-256 credentials without SCRAM-SHA-1 credentials) but I am still able to authenticate with the Go driver 1.4.2.
Server logs with higher verbosity may provide additional error information. By increasing the logComponentVerbosity for the "command" and "accessControl" components, I am able to get some additional information about which step in the authentication handshake fails, and additional error information. For example, I started a 4.2.6 mongod with increased log verbosity:
And connected using the Go driver 1.4.2 with a faulty password, and was able to see the following logs:
If it's possible to reattempt with higher verbosity logs, that may help diagnose the issue. If you are able to obtain these logs, please redact the "payload" field of the "speculativeAuthenticate" document before including them.
Another, perhaps unlikely, hypothesis is that somehow the connection is going to an unexpected mongod / mongos. Connecting without auth, and running the isMaster command could verify you are connecting to the expected mongos.
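Added example (not part of the ticket or of the Go driver): a small Go filter that performs the redaction requested in the comment above, replacing the "payload" value inside every "speculativeAuthenticate" sub-document of a log line before the log is shared. The log-line layout in `sampleLine` is constructed and assumed, and the names `scan` and `RedactSpeculativePayload` are illustrative.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample line (not from the ticket); its layout is an assumption.
const sampleLine = `D2 COMMAND [conn7] run command admin.$cmd { isMaster: 1, speculativeAuthenticate: ` +
	`{ saslStart: 1, mechanism: "SCRAM-SHA-256", payload: BinData(0, 6E2C2C6E3D75736572), db: "admin" } }`
var specRe = regexp.MustCompile(`speculativeAuthenticate"?\s*:\s*\{`)
var payloadRe = regexp.MustCompile(`payload"?\s*:`)

// scan returns the first unnested closing bracket (or ',' if stopAtComma) at or after i.
func scan(s string, i int, stopAtComma bool) int {
	depth, inStr := 0, false
	for ; i < len(s); i++ {
		switch c := s[i]; {
		case inStr && c == '\\':
			i++ // skip the escaped byte
		case c == '"':
			inStr = !inStr
		case inStr: // inside a quoted string: brackets and commas do not count
		case strings.IndexByte("{([", c) >= 0:
			depth++
		case (c == ',' && stopAtComma || strings.IndexByte("})]", c) >= 0) && depth == 0:
			return i
		case strings.IndexByte("})]", c) >= 0:
			depth--
		}
	}
	return len(s)
}

// RedactSpeculativePayload blanks the payload of each speculativeAuthenticate sub-document.
func RedactSpeculativePayload(line string) string {
	loc := specRe.FindStringIndex(line)
	if loc == nil {
		return line // nothing to redact in this line
	}
	end := scan(line, loc[1], false) // closing brace of the sub-document
	body := line[loc[1]:end]
	if p := payloadRe.FindStringIndex(body); p != nil {
		body = body[:p[1]] + ` "<redacted>"` + body[scan(body, p[1], true):]
	}
	return line[:loc[1]] + body + RedactSpeculativePayload(line[end:])
}

func main() { fmt.Println(RedactSpeculativePayload(sampleLine)) }
```

Only the payload value is replaced; the mechanism name, database and surrounding command fields stay readable for diagnosis.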
| Comment by Derek Smith [ 30/Oct/20 ] |
Kevin,
Here is the user document.
The user has a simple password that consists of alpha characters only.
| Comment by Kevin Albertson [ 27/Oct/20 ] |
Hi dereksmith.dev@gmail.com,
I have not yet been able to reproduce this. I will continue to attempt (working on setting up a local Kubernetes cluster to more closely match your environment), but here is an update in the meantime.
The Go driver depends on https://github.com/xdg-go/scram to support the SCRAM-SHA-1 and SCRAM-SHA-256 auth mechanisms. There should not be any missing external libraries. I tested connecting with the Go driver with SCRAM-SHA-256 against a 4.2.6 single node replica set and was able to connect without issue.
I have a few other questions which may help diagnose.
1. Does specifying an explicit auth mechanism of SCRAM-SHA-1 work? E.g.
2. Does the username or password contain multi-byte UTF-8 characters? That could indicate an issue in the Go driver's implementation of SASLPrep.
3. If possible, can you include the redacted contents of the user's document in the admin database system.users collection? It should resemble the following:
| Comment by Derek Smith [ 17/Oct/20 ] |
Kevin, here is some more information regarding my issue. I am running the MongoDB Kubernetes Operator (https://github.com/mongodb/mongodb-kubernetes-operator) inside of a microk8s cluster. It is running MongoDB version 4.2.6. Inside of this cluster I have dotnet core (C#) and Golang workloads that communicate with the MongoDB server. The dotnet core libraries are able to connect to the database just fine, but the golang code is not. I am also using Studio 3T for MongoDB on my machine and am able to connect to the cluster with that.
Connection string used by Mongo 3T Studio: (passwords redacted)
Connection string used by dotnet core and golang inside the cluster:
The go code is using this driver:
The code is being run inside of a docker container. Is there an external library I need to install on the box for this to work?
| Comment by Kevin Albertson [ 14/Oct/20 ] |
Thank you for the report! I may need more information to investigate and reproduce. Those errors are generated from server responses. What version of the server are you authenticating against, and how is it deployed (standalone, replica set, sharded cluster)? Are you able to reproduce this with a new user? If so, can you include the steps you are using to create?
| Comment by 琦智 王 [ 10/Oct/20 ] |
I got this error too. Might be made for:
And after changing to "SCRAM-SHA-1", the error also exists:
PTAL.