[SERVER-33935] utils_auth.js should support connecting to clusters running with SSL Created: 16/Mar/18  Updated: 29/Oct/23  Resolved: 20/Mar/18

Status: Closed
Project: Core Server
Component/s: Replication, Testing Infrastructure
Affects Version/s: 3.7.3
Fix Version/s: 3.4.15, 3.6.4, 3.7.4

Type: Bug Priority: Major - P3
Reporter: Robert Guo (Inactive) Assignee: Robert Guo (Inactive)
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Related
is related to SERVER-33751 Auth when connecting to an existing c... Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v3.6, v3.4, v3.2
Sprint: TIG 2018-03-26
Participants:
Linked BF Score: 0

Description

authutil.asCluster() in mongo/src/shell/utils_auth.js is hardcoded to use SCRAM-SHA-1 to auth the __system user. On replica sets running with SSL, we have to use MONGODB-X509 as the auth mechanism and pass in an empty user and password.

Comments
Comment by Githook User [ 24/Mar/18 ]

Author:

{'email': 'robert.guo@10gen.com', 'name': 'Robert Guo', 'username': 'guoyr'}

Message: SERVER-33935 add clusterAuthMode option to TestData

(cherry picked from commit 290edd9cd2f6476f83605ee3189875d4592fc975)
Branch: v3.4
https://github.com/mongodb/mongo/commit/de0d0ebfd6365481f41bddda3ff33fd984d65dc6

Comment by Githook User [ 23/Mar/18 ]

Author:

{'email': 'robert.guo@10gen.com', 'name': 'Robert Guo', 'username': 'guoyr'}

Message: SERVER-33935 add clusterAuthMode option to TestData

(cherry picked from commit 290edd9cd2f6476f83605ee3189875d4592fc975)
Branch: v3.6
https://github.com/mongodb/mongo/commit/bc794a397e0befa89de8b3fc511fc95435bb635f

Comment by Githook User [ 20/Mar/18 ]

Author:

{'email': 'robert.guo@10gen.com', 'name': 'Robert Guo', 'username': 'guoyr'}

Message: SERVER-33935 remove trailing whitespaces
Branch: master
https://github.com/mongodb/mongo/commit/56b93cc67319cfb85fc8fdae36549bcbc0701065

Comment by Githook User [ 20/Mar/18 ]

Author:

{'email': 'robert.guo@10gen.com', 'name': 'Robert Guo', 'username': 'guoyr'}

Message: SERVER-33935 add clusterAuthMode option to TestData
Branch: master
https://github.com/mongodb/mongo/commit/290edd9cd2f6476f83605ee3189875d4592fc975

Comment by Robert Guo (Inactive) [ 16/Mar/18 ]

max.hirschhorn I had actually just chatted with Spencer before filing this ticket.

A couple of things I learnt: 1. Regardless of the client auth mechanism, the __system user auths using either keyFile or X509, depending on whether you're using keyfile or SSL. 2. The shell has to start with SSL to auth the __system user with X509; you can't change modes after the shell has started currently.

So for testing purposes, it's fine to just use whatever is passed in through TestData.
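
The selection described in the description and in the comment above, as an added example that is not the shell's own utils_auth.js nor the fix committed for this ticket: the __system user authenticates with MONGODB-X509 and an empty user and password when the cluster runs with SSL/x509, and with the keyfile contents as the SCRAM-SHA-1 password otherwise, and the helper logs out again even when the wrapped action throws. The clusterAuthMode strings, the whitespace stripping of the keyfile, and the fakeConnection() stand-in are assumptions made for this example.

```javascript
// Returns the auth document for the internal __system user. On an SSL/x509
// cluster the mechanism is MONGODB-X509 with an empty user and password (the
// client certificate is the identity); otherwise the keyfile contents, with
// whitespace stripped (assumption), are the SCRAM-SHA-1 password. The mode
// strings follow mongod's --clusterAuthMode values (assumption).
function clusterAuthParams(clusterAuthMode, keyFileContents) {
  switch (clusterAuthMode) {
    case "x509":
      return {mechanism: "MONGODB-X509", user: "", pwd: ""};
    case undefined: // TestData.clusterAuthMode unset: keep the old behaviour
    case "keyFile":
      if (typeof keyFileContents !== "string" || keyFileContents === "") {
        throw new Error("keyfile contents are required for keyFile mode");
      }
      return {
        mechanism: "SCRAM-SHA-1",
        user: "__system",
        pwd: keyFileContents.replace(/[\t\n\v\f\r ]/g, ""),
      };
    default:
      throw new Error("unsupported clusterAuthMode: " + clusterAuthMode);
  }
}

// Authenticate on the local database, run the action, and log out even if
// the action throws, so nothing afterwards runs with __system privileges.
// `conn` must expose auth(db, params) returning a boolean, and logout(db).
function asCluster(conn, clusterAuthMode, keyFileContents, action) {
  const params = clusterAuthParams(clusterAuthMode, keyFileContents);
  if (!conn.auth("local", params)) {
    throw new Error("__system auth failed using " + params.mechanism);
  }
  try {
    return action();
  } finally {
    conn.logout("local");
  }
}

// Constructed in-memory stand-in for a shell connection (assumption) so the
// example runs offline; it records the mechanism used and every logout.
function fakeConnection() {
  const calls = [];
  return {
    calls,
    auth(db, params) { calls.push(["auth", db, params.mechanism, params.user]); return true; },
    logout(db) { calls.push(["logout", db]); },
  };
}
```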

Comment by Max Hirschhorn [ 16/Mar/18 ]

robert.guo, should we negotiate the authentication mechanism by sending an {isMaster: 1, saslSupportedMechs: <userId>} command request to the server, similar to what DB.prototype._getDefaultAuthenticationMechanism() does?

DB.prototype._getDefaultAuthenticationMechanism = function(username, database) {
    if (username !== undefined) {
        const userid = database + "." + username;
        const result = this.runCommand({isMaster: 1, saslSupportedMechs: userid});
        if (result.ok && (result.saslSupportedMechs !== undefined)) {
            const mechs = result.saslSupportedMechs;
            if (!Array.isArray(mechs)) {
                throw Error("Server replied with invalid saslSupportedMechs response");
            }
            // Never include PLAIN in auto-negotiation.
            const priority = ["GSSAPI", "SCRAM-SHA-256", "SCRAM-SHA-1"];
            for (var i = 0; i < priority.length; ++i) {
                if (mechs.includes(priority[i])) {
                    return priority[i];
                }
            }
        }
        // If isMaster doesn't support saslSupportedMechs,
        // or if we couldn't agree on a mechanism,
        // then fallthrough to configured default or SCRAM-SHA-1.
    }

    ...
}

CC sara.golemon, spencer.jackson
