[SERVER-17671] Refuse to complete initial sync from nodes with 2.4-style auth data Created: 19/Mar/15  Updated: 09/Jun/17  Resolved: 25/Mar/15

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 3.0.2, 3.1.1

Type: Improvement Priority: Major - P3
Reporter: Alexander Komyagin Assignee: Andy Schwerin
Resolution: Done Votes: 0
Labels: None

Issue Links:
Related
related to SERVER-17808 Ensure availability in initial_sync_u... Closed
related to SERVER-17998 Ignore socket exceptions in initial_s... Closed
related to SERVER-17826 Ignore ismaster exceptions in initial... Closed
is related to SERVER-25943 Initial sync should handle invalid au... Closed
Tested
Backwards Compatibility: Fully Compatible

 Description   

Currently we have a few authentication startup checks in 3.0:

  • check for indexes on system.users
  • check for schema version

These checks prevent mongod from starting even when auth is off, but without this improvement you can sync a 3.0 node from a 2.6 node with the 2.4 auth schema, and it will work just fine until you try to restart the node.

We should validate during initial sync that the sync source has a new enough auth schema version.
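
An operator-side sketch of the validation proposed above, as an added example that is not MongoDB's server code and not part of this ticket. It audits a prospective sync source's `admin.system.version`, `admin.system.users` count and `admin.system.users` indexes. The `authSchema` document shape, the supported version numbers (3 and 5) and the 2.4-era index key are assumptions about MongoDB's auth metadata format, not values stated in this issue, and `auditSyncSource` is a hypothetical name.

```javascript
// Added example: pre-sync audit of a sync source's auth metadata.
// Assumed (not from the ticket): schema version numbers and the 2.4 index key.
const SUPPORTED_SCHEMAS = [3, 5];                // assumed: 2.6-final and 3.0 SCRAM
const LEGACY_INDEX_KEY = ["user", "userSource"]; // assumed: 2.4-era index fields

// versionDocs: documents of admin.system.version on the sync source
// userCount:   number of documents in admin.system.users
// userIndexes: index specs of admin.system.users ({name, key})
function auditSyncSource(versionDocs, userCount, userIndexes) {
  const problems = [];
  const schema = versionDocs.find((d) => d._id === "authSchema");
  if (!schema) {
    // A missing version document is only acceptable when no users exist.
    if (userCount > 0) {
      problems.push("users present but no authSchema document (2.4-style data)");
    }
  } else if (!SUPPORTED_SCHEMAS.includes(schema.currentVersion)) {
    problems.push(`authSchema currentVersion ${schema.currentVersion} is not supported`);
  }
  for (const idx of userIndexes) {
    const keys = Object.keys(idx.key);
    if (keys.length === LEGACY_INDEX_KEY.length &&
        keys.every((k, i) => k === LEGACY_INDEX_KEY[i])) {
      problems.push(`legacy index ${idx.name} on admin.system.users`);
    }
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample inputs, shaped like what find().toArray(), count() and
// getIndexes() would return when run against the source's admin database.
const upgraded = auditSyncSource(
  [{ _id: "authSchema", currentVersion: 5 }], 2,
  [{ name: "_id_", key: { _id: 1 } },
   { name: "user_1_db_1", key: { user: 1, db: 1 } }]);
const legacy = auditSyncSource(
  [], 2,
  [{ name: "_id_", key: { _id: 1 } },
   { name: "user_1_userSource_1", key: { user: 1, userSource: 1 } }]);
const midUpgrade = auditSyncSource([{ _id: "authSchema", currentVersion: 2 }], 1, []);
const noUsers = auditSyncSource([], 0, []);

console.log({ upgraded, legacy, midUpgrade, noUsers });
```

Running the audit against the intended sync source before adding a 3.0 member surfaces the condition at sync time instead of at the next restart.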



 Comments   
Comment by Githook User [ 27/Mar/15 ]

Author: Kamran Khan (kkmongo) <kamran.khan@mongodb.com>

Message: SERVER-17671 Test that initial sync aborts on unsupported auth schemas

Closes #940

Signed-off-by: Ramon Fernandez <ramon.fernandez@mongodb.com>
(cherry picked from commit 934bd1b10115b30eb145bbba6f9dac091dfd0353)
Branch: v3.0
https://github.com/mongodb/mongo/commit/dd81442d6960854e072dbd308246dcad2b9525df

Comment by Githook User [ 27/Mar/15 ]

Author: Kamran Khan (kkmongo) <kamran.khan@mongodb.com>

Message: SERVER-17671 Test that initial sync aborts on unsupported auth schemas

Closes #940

Signed-off-by: Ramon Fernandez <ramon.fernandez@mongodb.com>
Branch: master
https://github.com/mongodb/mongo/commit/934bd1b10115b30eb145bbba6f9dac091dfd0353

Comment by Githook User [ 25/Mar/15 ]

Author: Andy Schwerin (andy10gen) <schwerin@mongodb.com>

Message: SERVER-17671 Catch incompatible auth schema during initial sync and abort secondary.

This will restrict MongoDB 3.0 to cloning from nodes with auth schemas it supports.
This will prevent an accidental initial sync from a 2.4 primary or a 2.6 primary
that has not run authSchemaUpgrade since upgrading from 2.4.
Branch: v3.0
https://github.com/mongodb/mongo/commit/852ce65df2b6e6e9c6890bd8be797a8af41533d1

Comment by Githook User [ 25/Mar/15 ]

Author: Andy Schwerin (andy10gen) <schwerin@mongodb.com>

Message: SERVER-17671 Clone admin database first during initial sync, to catch auth errors early.
Branch: v3.0
https://github.com/mongodb/mongo/commit/6a65a71d9dede4c0568e2e0311a0314f07abc8e0

Comment by Githook User [ 25/Mar/15 ]

Author: Andy Schwerin (andy10gen) <schwerin@mongodb.com>

Message: SERVER-17671 Catch incompatible auth schema during initial sync and abort secondary.

This will restrict MongoDB 3.0 to cloning from nodes with auth schemas it supports.
This will prevent an accidental initial sync from a 2.4 primary or a 2.6 primary
that has not run authSchemaUpgrade since upgrading from 2.4.
Branch: master
https://github.com/mongodb/mongo/commit/d5cd0b603f5f60f7e63523fac31a2a00aa0114f8

Comment by Githook User [ 25/Mar/15 ]

Author: Andy Schwerin (andy10gen) <schwerin@mongodb.com>

Message: SERVER-17671 Clone admin database first during initial sync, to catch auth errors early.
Branch: master
https://github.com/mongodb/mongo/commit/bd03079b0f93097c409c9b17a0ff1c852f30b356
