[SERVER-11329] Authentication Error number does not match the error code in error message
Created: 23/Oct/13  Updated: 11/Jul/16  Resolved: 30/Oct/13

Status: Closed
Project: Core Server
Component/s: Logging, Security
Affects Version/s: 2.5.3
Fix Version/s: 2.5.4

Type: Question
Priority: Minor - P4
Reporter: Bin Lan
Assignee: Andreas Nilsson
Resolution: Done
Votes: 0
Labels: 26qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to SERVER-8983 Add error code for authentication fai... Closed

 Description   

We found that some of the Error numbers do not match the error codes in the error message body, for example:

Error: 18

{ ok: 0.0, errmsg: "X.509 authentication must always use the $external database.", code: 17 }

Error: 18

{ ok: 0.0, errmsg: "User not found", code: 11 }

Should they be the same, or is this expected behavior?

You can observe the above output by running the test case found here:

https://github.com/10gen/QA/blob/master/QA-335/auth_error_code_X509.js

You can uncomment line 25 to see a detailed error message.



 Comments   
Comment by auto [ 30/Oct/13 ]

Author: Andreas Nilsson (agralius) <andreas.nilsson@10gen.com>

Message: SERVER-11329 Display correct auth return values in the shell
Branch: master
https://github.com/mongodb/mongo/commit/a154946a48b3fea77747f810ff60dce734e9b0dd

Comment by Andreas Nilsson [ 25/Oct/13 ]

In the shell (client/dbclient.cpp), at lines 553 and 580, we call auth and uassert with ErrorCodes::AuthenticationFailed and the errmsg from the auth call. That error message might contain a different error code, as displayed above.

Alternative ways forward:
1. Keep the current behavior
2. Change the error code of the uassert to reflect the return value
3. Change the return code to always be AuthenticationFailed for auth failures.

Comment by Andreas Nilsson [ 25/Oct/13 ]

Here is another one when using a disabled auth mechanism:

Error: 18

{ ok: 0.0, errmsg: "Challenge-response authentication using getnonce and authenticate commands is disabled.", code: 2 }

Comment by Andreas Nilsson [ 24/Oct/13 ]

So these correctly correspond to:
ErrorCodes::ProtocolError (17)
ErrorCodes::UserNotFound (11)

and they get wrapped into an AuthenticationFailed 18. schwerin, what do you want to do about this? I remember us specifically choosing ProtocolError over AuthenticationFailed in the x.509 case.

Comment by Bin Lan [ 23/Oct/13 ]

andreas.nilsson@10gen.com, I updated the ticket with the actual test case we uploaded to github.

Comment by Andreas Nilsson [ 23/Oct/13 ]

bin.lan@10gen.com, can you please provide the scenarios to reproduce these error messages?
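
The wrapped error format discussed in this ticket, as an added example that is not part of the ticket or of MongoDB's code: a parser that separates the outer code the shell raised from the code inside the server reply, so auth failures can be triaged by their real cause. The function names are hypothetical, the code names are only those given in the comments above, and the last sample line is constructed.

```javascript
// Code names limited to the ones named in this ticket's comments.
const CODE_NAMES = { 11: "UserNotFound", 17: "ProtocolError", 18: "AuthenticationFailed" };

// Split 'Error: <outer> { ..., errmsg: "...", code: <inner> }' into its parts.
function parseShellAuthError(text) {
  const outer = /Error:\s*(\d+)/.exec(text);   // code raised by the shell's uassert
  const doc = /\{[\s\S]*\}/.exec(text);        // server reply (shell syntax, not JSON)
  if (!outer || !doc) return null;
  const msg = /errmsg:\s*"((?:[^"\\]|\\.)*)"/.exec(doc[0]);
  // Drop the quoted errmsg first so "code: N" inside the message text
  // cannot be mistaken for the reply's code field.
  const rest = msg ? doc[0].replace(msg[0], "") : doc[0];
  const inner = /\bcode:\s*(\d+)/.exec(rest);
  const outerCode = Number(outer[1]);
  const innerCode = inner ? Number(inner[1]) : null;
  return {
    outerCode,
    innerCode,
    outerName: CODE_NAMES[outerCode] || null,
    innerName: innerCode === null ? null : CODE_NAMES[innerCode] || null,
    errmsg: msg ? msg[1] : null,
    wrapped: innerCode !== null && innerCode !== outerCode,
  };
}

// Count failures by the inner (server-reported) code rather than the outer 18.
function tallyInnerCodes(lines) {
  const counts = {};
  for (const line of lines) {
    const r = parseShellAuthError(line);
    if (!r) continue;
    const key = r.innerName || `code ${r.innerCode}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

const SAMPLES = [
  // First three: error output quoted in this ticket.
  'Error: 18 { ok: 0.0, errmsg: "X.509 authentication must always use the $external database.", code: 17 }',
  'Error: 18 { ok: 0.0, errmsg: "User not found", code: 11 }',
  'Error: 18 { ok: 0.0, errmsg: "Challenge-response authentication using getnonce and authenticate commands is disabled.", code: 2 }',
  // Constructed edge case: the message text itself contains "code: 5".
  'Error: 18 { ok: 0.0, errmsg: "bad reply { code: 5 }", code: 11 }',
];

console.log(tallyInnerCodes(SAMPLES));
```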
