[SERVER-15588] An arbiter should return an empty list of supported SASL mechanisms Created: 09/Oct/14  Updated: 06/Dec/22

Status: Backlog
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Jeffrey Yemin Assignee: Backlog - Security Team
Resolution: Unresolved Votes: 0
Labels: platforms-re-triaged
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to SERVER-5479 Arbiter in authenticated replica set ... Backlog
is related to SERVER-12143 Make some unauthenticated commands re... Closed
Assigned Teams:
Server Security
Participants:

 Description   

Currently, to determine whether a server supports authentication, a driver has to call isMaster to see if the server is an arbiter, and then only initiate authentication if it's not. This will become a problem if isMaster is itself put behind authentication.

Another way would be to make an arbiter return an empty list of supported mechanisms from the saslStart command, which makes sense because currently arbiters do not support any mechanisms. saslStart may need to return if the server is an arbiter.

So instead of:

> db.runCommand({"saslStart" : 1, mechanism : "SCRAM-SHA1"})
{
	"supportedMechanisms" : [
		"MONGODB-CR",
		"MONGODB-X509",
		"SCRAM-SHA-1"
	],
	"ok" : 0,
	"code" : 2,
	"errmsg" : "Unsupported mechanism SCRAM-SHA1"
}

respond

> db.runCommand({"saslStart" : 1, mechanism : "SCRAM-SHA1"})
{
	"supportedMechanisms" : [],
	"ok" : 0,
	"code" : 2,
	"errmsg" : "Unsupported mechanism SCRAM-SHA1"
}



 Comments   
Comment by David Golden [ 09/Oct/14 ]

I agree it should be changed, but it doesn't fully solve the problem for drivers unless it returns some other data field that differentiates an arbiter-aware saslStart result from an earlier-version saslStart result. Otherwise we can't trust the result if we do get a list of mechanisms.

E.g. given a future (non-arbiter) server that has only MONGODB-X509 enabled:

> db.runCommand({"saslStart" : 1, mechanism : "SCRAM-SHA1"})
{
	"supportedMechanisms" : [
		"MONGODB-X509"
	],
        "isArbiter": 0
	"ok" : 0,
	"code" : 2,
	"errmsg" : "Unsupported mechanism SCRAM-SHA1"
}

Generated at Thu Feb 08 03:38:26 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.