[SERVER-16668] SASL PLAIN authentication mechanism is inconsistent between community and enterprise
Created: 24/Dec/14  Updated: 13/Aug/16  Resolved: 29/Jul/16

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 3.3.11

Type: Bug
Priority: Major - P3
Reporter: Spencer Jackson
Assignee: Andreas Nilsson
Resolution: Done
Votes: 0
Labels: authentication, sasl
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

Create a user

> db.createUser({user: "sajack", pwd: "secret", roles: ["readWrite"]})
Successfully added user: { "user" : "sajack", "roles" : [ "readWrite" ] }
 
Activate a community server, using PLAIN
sajack@linux-p7yj /home/sajack/mongo git master () % ./mongod --dbpath db1 --auth --setParameter authenticationMechanisms=PLAIN
2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] MongoDB starting : pid=13909 port=27017 dbpath=db1 64-bit host=linux-p7yj.site
2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] _DEBUG build (which is slower)
2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] 
2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] 
2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] db version v2.8.0-rc5-pre-
2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] git version: 8e8ecc54d3e63be0c2d19463031432f1308bcb7c
2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] OpenSSL version: OpenSSL 1.0.1j 15 Oct 2014
2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] build info: Linux linux-p7yj.site 3.17.4-2.g2d23787-desktop #1 SMP PREEMPT Tue Nov 25 20:17:30 UTC 2014 (2d23787) x86_64 BOOST_LIB_VERSION=1_49
2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] allocator: tcmalloc
2014-12-24T15:09:54.586-0500 I CONTROL  [initandlisten] options: { security: { authorization: "enabled" }, setParameter: { authenticationMechanisms: "PLAIN" }, storage: { dbPath: "db1" } }
2014-12-24T15:09:54.599-0500 I JOURNAL  [initandlisten] journal dir=db1/journal
2014-12-24T15:09:54.600-0500 I JOURNAL  [initandlisten] recover : no journal files present, no recovery needed
2014-12-24T15:09:55.215-0500 I JOURNAL  [initandlisten] preallocateIsFaster=true 4.48
2014-12-24T15:09:55.458-0500 I JOURNAL  [initandlisten] preallocateIsFaster=true 2.28
2014-12-24T15:09:56.674-0500 I NETWORK  [initandlisten] waiting for connections on port 27017
2014-12-24T15:09:58.676-0500 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:45690 #1 (1 connection now open)
2014-12-24T15:09:58.689-0500 I ACCESS   [conn1] Unauthorized not authorized on admin to execute command { getLog: "startupWarnings" }
2014-12-24T15:09:58.696-0500 I ACCESS   [conn1] Unauthorized not authorized on admin to execute command { replSetGetStatus: 1.0, forShell: 1.0 }
2014-12-24T15:10:00.169-0500 I ACCESS   [conn1] Successfully authenticated as principal sajack on test
2014-12-24T15:10:03.552-0500 I NETWORK  [conn1] end connection 127.0.0.1:45690 (0 connections now open)
 
Log in using PLAIN
> db.runCommand({saslStart:1, mechanism: "PLAIN", payload: "c2FqYWNrAHNhamFjawBzZWNyZXQ="})
{ "conversationId" : 1, "done" : true, "payload" : "", "ok" : 1 }
 
Restart server with the enterprise module.
 
Attempt to log in again:
> db.runCommand({saslStart:1, mechanism: "PLAIN", payload: "c2FqYWNrAHNhamFjawBzZWNyZXQ="})
{ "ok" : 0, "code" : 18, "errmsg" : "Authentication failed." }

Sprint: Security 16 (06/24/16), Security 17 (07/15/16), Security (08/08/16)

 Description   

On a community server, it is possible to use the PLAIN mechanism to authenticate against a local database user. The enterprise server does not support this through Cyrus SASL.



 Comments   
Comment by Githook User [ 29/Jul/16 ]

Author: Andreas Nilsson <andreas.nilsson@mongodb.com>

Message: SERVER-16668 Make SASL PLAIN consistent between community and enterprise
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/4420b70e1ba23dbc1517506fc3efb42c2eeeef12

Comment by Githook User [ 29/Jul/16 ]

Author: Andreas Nilsson <andreas.nilsson@mongodb.com>

Message: SERVER-16668 Make SASL PLAIN consistent between community and enterprise
Branch: master
https://github.com/mongodb/mongo/commit/3cca3da0ad890c8272f56e18f8066c472b2a25f4

Generated at Thu Feb 08 03:41:51 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.