[JAVA-840] Java driver doesn't read the authentication level of the server Created: 03/Jun/13  Updated: 25/Jun/13  Resolved: 25/Jun/13

Status: Closed
Project: Java Driver
Component/s: Authentication, Configuration
Affects Version/s: 2.11.1
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Noam Almog Assignee: Unassigned
Resolution: Won't Fix Votes: 0
Labels: driver
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Major Change

 Description   

I'm configuring the driver to authenticate to a mongoDB server.
The mongoDB server doesn't require authentication. While the driver tries to authenticate it gets this error:
com.mongodb.CommandFailureException:

{ "serverUsed" : "/127.0.0.1:27115" , "errmsg" : "auth fails" , "ok" : 0.0}

Since the mongoDB default option is not to authenticate most of our db's doesn't require any authentication. Supporting this will allow us to gradually add authentication to our cluster without any down time.



 Comments   
Comment by Jeffrey Yemin [ 04/Jun/13 ]

No, it will succeed. That's the only way to do what you want to do. The driver has no way to detect whether a server was started with --auth.

Comment by Noam Almog [ 04/Jun/13 ]

Hi Jeff,

I'm trying to authenticate against a server without the user that i didn't start with --auth.
If there is a user defined in the DB and I'm not starting the server with --auth, will the authentication fail ?

Comment by Jeffrey Yemin [ 04/Jun/13 ]

What do you mean by an "unauthenticated" server? One that doesn't have the user created yet, one started without --auth, or both?

Comment by Noam Almog [ 04/Jun/13 ]

Our problem right now is that if we start the client (using the java driver) it fails to authenticate against an unauthenticated server. The only way to override this behavior is by overriding that java driver code.
If we had driver that could recognize when the server is using authentication or at least bypass the authentication failure in this case we could have upgraded all the clients and then restart the entire mongo cluster which would make the entire cluster to use authentication with minimal down time.
To do that we need at least a more relaxed authentication method.

Comment by Jeffrey Yemin [ 03/Jun/13 ]

There is no real way for the driver to support this without server support, except for standalone MongoDB servers (no replica set, no sharding). For the standalone case, the upgrade path is as follows:

  1. Add users to whatever databases you need
  2. Start authenticating with the driver, e.g. use a URI like "mongodb://user:pwd@localhost:27017/admin"
  3. Re-start the server with --auth flag

The problem is that for replica sets and sharded clusters, there is no way to do add a keyfile without downtime. See http://docs.mongodb.org/manual/core/replication/#security. This will most likely be changed in the next server release, 2.6, so that you'll be able to do rolling upgrades.

Generated at Thu Feb 08 08:53:12 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.