[JAVA-4002] &authMechanismProperties=JAVA_SUBJECT:mongodb
Created: 06/Feb/21   Updated: 27/Oct/23   Resolved: 09/Feb/21

Status: Closed
Project: Java Driver
Component/s: Security
Affects Version/s: 3.12.7
Fix Version/s: None
Type: Bug
Priority: Major - P3
Reporter: Nick Lange
Assignee: Jeffrey Yemin
Resolution: Works as Designed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: Linux/Nifi/Kerberos GSSAPI
Documentation Changes: Needed
Description

Both explicit calls via MongoCredential and the URI support overriding the JAVA_SUBJECT_KEY to use a defined section of the jaas-config instead of "com.sun.security.jgss.krb5.initiate". However, the underlying code appears to use the literal String value instead of getting the Subject() from the running Kerberos jaas-config, which then errors out. I'd expect the running jaas-config to be consulted for the named subject and then the appropriate method calls invoked.

Without this fix, I'm forced to run the app with javax.security.auth.useSubjectCredsOnly=false, which defeats some of the isolation that the Nifi product was looking to achieve.
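The following is an added Java example, not code from this ticket or from the MongoDB Java driver project, showing the programmatic path the thread converges on: the application performs the JAAS login itself, obtains the javax.security.auth.Subject, and attaches that Subject object to the MongoCredential under MongoCredential.JAVA_SUBJECT_KEY. A connection string cannot carry a Subject, so this cannot be expressed as an authMechanismProperties URI parameter. Because the driver then runs the GSSAPI conversation under that Subject, the JVM-wide javax.security.auth.useSubjectCredsOnly=false override is not needed, and the Kerberos credential stays scoped to that one Subject rather than being shared process-wide. The JAAS entry name "MongoDbInitiate", the principal, the host name and the jaas.conf location are assumed placeholders; the driver API used is the com.mongodb.client (driver-sync) API available from 3.7 onward.

```java
import com.mongodb.ConnectionString;
import com.mongodb.MongoClientSettings;
import com.mongodb.MongoCredential;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import org.bson.Document;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public final class GssapiSubjectExample {

    // Assumed placeholders: a hypothetical section name in the application's jaas.conf,
    // a hypothetical Kerberos principal, and a hypothetical MongoDB host.
    private static final String JAAS_ENTRY = "MongoDbInitiate";
    private static final String PRINCIPAL = "app-user@EXAMPLE.COM";
    private static final String URI = "mongodb://mongo.example.internal:27017";

    /**
     * Log in through the named JAAS entry and return the authenticated Subject.
     * The JVM finds the entry through -Djava.security.auth.login.config=/path/to/jaas.conf;
     * the entry is expected to use com.sun.security.auth.module.Krb5LoginModule with a keytab.
     */
    static Subject loginSubject(String jaasEntry) throws LoginException {
        LoginContext loginContext = new LoginContext(jaasEntry);
        loginContext.login();
        return loginContext.getSubject();
    }

    /**
     * Build the GSSAPI credential the way the driver expects it: the Subject object itself
     * is attached under JAVA_SUBJECT_KEY. Only a programmatic credential can do this;
     * a connection string has no way to reference a live Subject.
     */
    static MongoCredential gssapiCredential(String principal, Subject subject) {
        return MongoCredential.createGSSAPICredential(principal)
                .withMechanismProperty(MongoCredential.JAVA_SUBJECT_KEY, subject);
    }

    public static void main(String[] args) throws LoginException {
        Subject subject = loginSubject(JAAS_ENTRY);
        MongoCredential credential = gssapiCredential(PRINCIPAL, subject);

        // A credential set on the settings builder takes precedence over anything in the URI.
        MongoClientSettings settings = MongoClientSettings.builder()
                .applyConnectionString(new ConnectionString(URI))
                .credential(credential)
                .build();

        try (MongoClient client = MongoClients.create(settings)) {
            // The driver executes the SASL exchange inside Subject.doAs(subject, ...), so the
            // Kerberos ticket in this Subject's private credentials is used and the process
            // does not need javax.security.auth.useSubjectCredsOnly=false.
            Document status = client.getDatabase("admin")
                    .runCommand(new Document("connectionStatus", 1));
            System.out.println(status.toJson());
        }
    }
}
```

Run it with -Djava.security.auth.login.config pointing at a jaas.conf that defines the MongoDbInitiate entry; the connectionStatus reply lists the authenticated user, which confirms the login went through the Subject rather than through a process-wide JGSS login.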
Comments

Comment by Jeffrey Yemin [09/Feb/21]

I opened JAVA-4004 to track improvements to the reference documentation. If you have time, can you tell us a little about how you're using Apache NiFi with MongoDB? It's not been on our radar until now. Thank you for bringing this to our attention! Regards,
Comment by Nick Lange [08/Feb/21]

Thanks for taking the time to research and get back to me, Jeffrey. I agree moving to 4.2.0 and its simplified structure is the best outcome. I've filed a wish-list Jira for the NIFI team to evaluate the impact of the migration in a separate JIRA. I also agree with the sample code as a workaround; that's what I eventually settled on while I wait for NIFI to move to the new driver code. NIFI-8208 (https://issues.apache.org/jira/browse/NIFI-8208)

"There is no way that I can see to set the Subject via connection string." I think this is the main point of me reaching out. The docs are not clear that you cannot: https://mongodb.github.io/mongo-java-driver/3.12/driver/tutorials/authentication/

At any rate, I've settled on the workaround. I'll leave it to the team's discretion how to treat this JIRA.
Comment by Jeffrey Yemin [06/Feb/21]

Here's some sample code for how to associate a Subject with the credential:

Also, you might be interested in
Comment by Jeffrey Yemin [06/Feb/21]

Please also share the code you use to create the MongoClient, whether via MongoClientOptions/Settings or via the connection string. There is no way that I can see to set the Subject via connection string, so looking at your initialization code might clarify matters. Please also share any other configuration, including jaas-config and any Kerberos-related system properties that are set.
Comment by Jeffrey Yemin [06/Feb/21]

I had a quick look at com.mongodb.internal.connection.SaslAuthenticator and don't see anything immediately that matches your description. It seems rather that the code gets the Subject from the MongoCredential and, if it's non-null, executes the authentication conversation in the context of Subject.doAs. There is no reference to the literal string value "com.sun.security.jgss.krb5.initiate" anywhere in the driver code.
Comment by Jeffrey Yemin [06/Feb/21]

Hi there, thank you for reaching out. Would you mind also opening an issue in our MongoDB support portal, located at support.mongodb.com? That way we can provide you the most comprehensive support. If you have already opened a support case, please let me know and I can get in touch directly with the support engineer handling the case. Thank you!