[SERVER-15684] Make copydb work with SASL (SCRAM)
Created: 16/Oct/14  Updated: 02/Aug/18  Resolved: 31/Oct/14

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.7.7
Fix Version/s: 2.8.0-rc0

Type: Task
Priority: Major - P3
Reporter: Andreas Nilsson
Assignee: Gregory McKeon (Inactive)
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by DRIVERS-188 Make copydb work with SASL (SCRAM) Closed

 Description   

copydb with SASL begins with an admin command, "copydbsaslstart", followed by a call to "copydb" and a second call to "copydb". All commands are done on the target server's "admin" database.

CLIENT TO SERVER: {
    copydbsaslstart: 1,
    fromhost: "host",
    fromdb: "db",
    mechanism: "SCRAM-SHA-1",
    payload: BinData
}

The payload is the same as for "saslStart" with SCRAM-SHA-1. The server replies:

SERVER TO CLIENT: { conversationId: 1, done: false, payload: BinData}

There is no copydbsaslcontinue. Instead, copydb gets alternate parameters:

CLIENT TO SERVER: {
    copydb: 1,
    fromhost: "host",
    fromdb: "db",
    todb: "db2",
    payload: BinData,
    conversationId: N
} 

The payload is the same as for saslContinue with SCRAM-SHA-1. The conversation continues like:

SERVER TO CLIENT: { conversationId: 1, done: false, payload: BinData, ok: 1.0 }
CLIENT TO SERVER: { copydb: 1, fromhost: "host", fromdb: "db", todb: "db2", payload: BinData, conversationId: 1 }
SERVER TO CLIENT: { conversationId: 1, done: true, payload: BinData, ok: 1.0 }

The database has now been copied.

The shell helper copyDatabase has a new "mechanism" parameter that can be "MONGODB-CR" or "SCRAM-SHA-1". If no mechanism is provided, the shell helper uses SCRAM-SHA-1 if the target server has maxWireVersion >= 3 and MONGODB-CR otherwise.
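
The three-command exchange described above, seen from the client side, as an added example (not MongoDB's or any driver's code). The `send` callback, `make_fake_target` and the replayed RFC 5802 test-vector messages are constructed for illustration, and the empty payload on the last `copydb` is an assumption.

```python
import base64, hashlib, hmac

def pick_mechanism(max_wire_version, mechanism=None):
    # Shell-helper default described above: SCRAM-SHA-1 when maxWireVersion >= 3.
    return mechanism or ("SCRAM-SHA-1" if max_wire_version >= 3 else "MONGODB-CR")

def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha1).digest()

def copydb_scram(send, fromhost, fromdb, todb, user, password, nonce):
    """Run copydbsaslstart + two copydb calls; `send` (hypothetical) posts to the target's admin db.
    SASLprep and any MongoDB-specific password preprocessing are out of scope here."""
    src = {"fromhost": fromhost, "fromdb": fromdb}
    bare = "n=%s,r=%s" % (user, nonce)                 # client-first-message-bare
    r1 = send({"copydbsaslstart": 1, **src, "mechanism": "SCRAM-SHA-1",
               "payload": ("n,," + bare).encode()})
    server_first = r1["payload"].decode()
    f = dict(kv.split("=", 1) for kv in server_first.split(","))
    if not f["r"].startswith(nonce) or f["r"] == nonce:
        raise ValueError("server nonce does not extend the client nonce")
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), base64.b64decode(f["s"]), int(f["i"]))
    no_proof = "c=biws,r=" + f["r"]                    # biws = base64("n,,")
    auth_msg = ",".join([bare, server_first, no_proof]).encode()
    client_key = _hmac(salted, b"Client Key")
    client_sig = _hmac(hashlib.sha1(client_key).digest(), auth_msg)
    proof = base64.b64encode(bytes(a ^ b for a, b in zip(client_key, client_sig))).decode()
    step = {"copydb": 1, **src, "todb": todb, "conversationId": r1["conversationId"]}
    r2 = send({**step, "payload": (no_proof + ",p=" + proof).encode()})
    want = b"v=" + base64.b64encode(_hmac(_hmac(salted, b"Server Key"), auth_msg))
    if not hmac.compare_digest(r2["payload"], want):
        raise ValueError("server signature mismatch")
    r3 = send({**step, "payload": b""})                # assumption: empty final payload
    return r3.get("done") is True and r3.get("ok") == 1.0

def make_fake_target(server_final=b"v=rmF9pqV8S7suAoZWja4dJRkFsKQ="):
    """Constructed stand-in for the target server, replaying RFC 5802 section 5 messages."""
    log = []
    replies = [b"r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096",
               server_final, b""]
    def send(cmd):
        log.append(cmd)
        return {"conversationId": 1, "done": len(log) == 3,
                "payload": replies[len(log) - 1], "ok": 1.0}
    return send, log

if __name__ == "__main__":
    send, log = make_fake_target()
    print(copydb_scram(send, "host", "db", "db2", "user", "pencil", "fyko+d2lbbFgONRv9qkxdawL"))
    print([next(iter(c)) for c in log])
```

If the server signature in the second reply does not verify, the function raises before the final `copydb` is sent.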



 Comments   
Comment by Githook User [ 12/Nov/14 ]

Author: Andreas Nilsson (agralius) <andreas.nilsson@10gen.com>

Message: SERVER-15684 Expand copyDatabase helper with optional auth mech
Branch: master
https://github.com/mongodb/mongo/commit/525c5407c270b2e9050be9dd78b14dc7cab69eae

Comment by A. Jesse Jiryu Davis [ 06/Nov/14 ]

andreas.nilsson@10gen.com I've updated the description of the protocol, can you say what the shell did? Has it decided to always try SCRAM-SHA-1 first, or does it only do so if the server's maxWireVersion >= 3?

Comment by Githook User [ 03/Nov/14 ]

Author: Andreas Nilsson (agralius) <andreas.nilsson@10gen.com>

Message: SERVER-15684 Make copydb from localhost not call auth
Branch: master
https://github.com/mongodb/mongo/commit/4026a60ee751a5190efb893539f65381bf173bc7

Comment by Githook User [ 31/Oct/14 ]

Author: Andreas Nilsson (agralius) <andreas.nilsson@10gen.com>

Message: SERVER-15684 Make copydb work with SCRAM (SASL)
Branch: master
https://github.com/mongodb/mongo/commit/76d2b35f91a9296f135393da02ac7486d802eac6
