[SERVER-33935] utils_auth.js should support connecting to clusters running with SSL
Created: 16/Mar/18 Updated: 29/Oct/23 Resolved: 20/Mar/18
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Replication, Testing Infrastructure |
| Affects Version/s: | 3.7.3 |
| Fix Version/s: | 3.4.15, 3.6.4, 3.7.4 |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | Robert Guo (Inactive) |
| Assignee: | Robert Guo (Inactive) |
| Resolution: | Fixed |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Backport Requested: | v3.6, v3.4, v3.2 |
| Sprint: | TIG 2018-03-26 |
| Linked BF Score: | 0 |
| Description |

authutil.asCluster() in mongo/src/shell/utils_auth.js is hardcoded to use SCRAM-SHA-1 to auth the __system user. On replica sets running with SSL, we have to use MONGODB-X509 as the auth mechanism and pass in an empty user and password.

| Comments |
| Comment by Githook User [ 24/Mar/18 ] |

Author: {'email': 'robert.guo@10gen.com', 'name': 'Robert Guo', 'username': 'guoyr'}
Message: (cherry picked from commit 290edd9cd2f6476f83605ee3189875d4592fc975)

| Comment by Githook User [ 23/Mar/18 ] |

Author: {'email': 'robert.guo@10gen.com', 'name': 'Robert Guo', 'username': 'guoyr'}
Message: (cherry picked from commit 290edd9cd2f6476f83605ee3189875d4592fc975)

| Comment by Githook User [ 20/Mar/18 ] |

Author: {'email': 'robert.guo@10gen.com', 'name': 'Robert Guo', 'username': 'guoyr'}
Message:

| Comment by Githook User [ 20/Mar/18 ] |

Author: {'email': 'robert.guo@10gen.com', 'name': 'Robert Guo', 'username': 'guoyr'}
Message:
| Comment by Robert Guo (Inactive) [ 16/Mar/18 ] |

max.hirschhorn I had actually just chatted with Spencer before filing this ticket. A couple of things I learnt:

1. Regardless of the client auth mechanism, the __system user auths using either keyFile or X509, depending on whether you're using keyfile or SSL.
2. The shell has to start with SSL to auth the __system user with X509; you can't change modes after the shell has started currently.

So for testing purposes, it's fine to just use whatever is passed in through TestData.
| Comment by Max Hirschhorn [ 16/Mar/18 ] |

robert.guo, should we negotiate the authentication mechanism by sending an {isMaster: 1, saslSupportedMechs: <userId>} command request to the server, similar to what DB.prototype._getDefaultAuthenticationMechanism() does?
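
Added illustration (not part of the ticket, not any commenter's words, and not the project's utils_auth.js): the mechanism choice from the description and from Robert Guo's comment, written as a pure function that refuses to fall back silently. The function name, the `clusterAuthMode` and `shellUsesSSL` fields standing in for TestData, and the use of the key file text as the password are assumptions.

```javascript
// Added illustration; not MongoDB's utils_auth.js.
// Hypothetical names: systemUserCredentials, testData.clusterAuthMode,
// testData.shellUsesSSL. Using the key file text as the password is an assumption.
function systemUserCredentials(testData, keyFileText) {
    // An unset mode keeps the previous behaviour (SCRAM-SHA-1 with a key file).
    const mode = testData.clusterAuthMode || 'keyFile';

    if (mode === 'keyFile') {
        if (typeof keyFileText !== 'string') {
            throw new Error('keyFile mode needs the key file contents');
        }
        // MongoDB ignores whitespace in key files, so strip it before use.
        const secret = keyFileText.replace(/[\t\n\v\f\r ]/g, '');
        if (secret.length === 0) {
            throw new Error('key file is empty');
        }
        return {user: '__system', pwd: secret, mechanism: 'SCRAM-SHA-1'};
    }

    if (mode === 'x509') {
        // The shell cannot switch to SSL after start-up, so fail before
        // attempting an X.509 handshake that cannot succeed.
        if (!testData.shellUsesSSL) {
            throw new Error('x509 cluster auth needs a shell started with SSL');
        }
        // The client certificate carries the identity: empty user and password.
        return {user: '', pwd: '', mechanism: 'MONGODB-X509'};
    }

    // Never fall back silently to a mechanism the cluster did not ask for.
    throw new Error('unsupported clusterAuthMode: ' + mode);
}

// Constructed sample inputs (not real secrets, not real TestData).
const sampleKeyFile = 'c2FtcGxl\nS2V5RmlsZQ==\n';
console.log(systemUserCredentials({clusterAuthMode: 'keyFile'}, sampleKeyFile));
console.log(systemUserCredentials({clusterAuthMode: 'x509', shellUsesSSL: true}));
```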