[JAVA-397] authentication for replica set fails frequently because 'getnonce' and 'authenticate' command is issued to different server Created: 20/Jul/11  Updated: 29/Aug/12  Resolved: 20/Aug/12

Status: Closed
Project: Java Driver
Component/s: Cluster Management
Affects Version/s: 2.6.3
Fix Version/s: 2.9.0

Type: Bug Priority: Major - P3
Reporter: Hitoshi Asai Assignee: Jeffrey Yemin
Resolution: Done Votes: 0
Labels: driver, replication, slaveOk
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

OS: Ubuntu 11.04 64bit, Mongod: 1.8.2, JDK: Oracle JDK 1.6.0u26, mongo-java-driver: 2.6.3


Issue Links:
Duplicate
is duplicated by JAVA-625 SlaveOk Query fails with auth error e... Closed
Related
related to JAVA-497 ReadPrefs ignored for commands Closed
Backwards Compatibility: Fully Compatible

 Description   

following code returns false.

import com.mongodb.Mongo
import com.mongodb.ServerAddress
 
val servers = new java.util.ArrayList[ServerAddress]
servers.add("192.168.10.1",27017)
servers.add("192.168.10.2",27017)
servers.add("192.168.10.3",27017)
val mongo = new Mongo(servers)
mongo.slaveOk // <= IMPORTANT!
mongo.getDB("dbname").authenticate("user","pass".toCharArray)

'getnonce' and 'authenticate' command seems to be issued to different server.
( 'getnonce' issued to 192.168.10.2, 'authenticate' issued to 192.168.10.3)

and logged following message on the server which received 'authenticate' command.

auth: bad nonce received or getnonce not called. could be a driver bug or a security attack. db:dbname

'getnonce' and 'authenticate' should be issued to same server whether 'slaveOk' or not.



 Comments   
Comment by Jeffrey Yemin [ 29/Aug/12 ]

Closing as part of 2.9.0 release process.

Comment by Jeffrey Yemin [ 20/Aug/12 ]

This was fixed in scope of JAVA-497

Comment by Jeffrey Yemin [ 20/Aug/12 ]

This was still broken, but now fixed in 2.9.0.

Comment by Jeffrey Yemin [ 20/Aug/12 ]

Can you try with 2.9.0-RC1. I changed the code in that release to work like this:

  1. Use the new ReadPreference.primaryPreferred() read preference for authenticate
  2. Surround getnonce and authenticate commands with DB.requestStart/DB.requestDone, so that if there is no primary, the same connection to the same secondary will be used for both calls.

See https://github.com/mongodb/mongo-java-driver/commit/0cac416c24073e27733df9bee3e7e2418a3b59c2

Comment by Kay Agahd [ 20/Aug/12 ]

Just to let you know that the bug still persists in MongoDB v2.2.0-rc1.

I added a comment to this issue, since it might be a server and not a driver bug:
https://jira.mongodb.org/browse/SERVER-6117?focusedCommentId=154874#comment-154874

Comment by auto [ 04/Aug/11 ]

Author:

{u'login': u'agirbal', u'name': u'agirbal', u'email': u'antoine@10gen.com'}

Message: JAVA-397: authentication for replica set fails frequently because 'getnonce' and 'authenticate' command is issued to different server
Branch: master
https://github.com/mongodb/mongo-java-driver/commit/e05cfb4ddb24b9133bcb58dfe90d0f7aaf57cdf7

Comment by Antoine Girbal [ 04/Aug/11 ]

thanks for the report.
current workaround:

  • call authenticate before setting slaveOk = true on database
  • or call authenticate in a loop until it succeeds
    Authentication of individual connections behaves correctly.
Generated at Thu Feb 08 08:52:11 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.