[SERVER-33981] Support GSSAPI hostname canonicalization in mongo shell Created: 19/Mar/18  Updated: 27/Oct/23  Resolved: 29/Jun/20

Status: Closed
Project: Core Server
Component/s: Shell
Affects Version/s: None
Fix Version/s: None

Type: New Feature
Priority: Minor - P4
Reporter: A. Jesse Jiryu Davis
Assignee: Backlog - Service Architecture
Resolution: Gone away
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to CDRIVER-2522 Option to specify GSSAPI hostname Closed
Assigned Teams:
Service Arch
Participants:

Description

I noticed, while investigating CDRIVER-2522, that the mongo shell and the MongoDB drivers have different ways to handle the situation where a server's hostname differs from the hostname the client should use for Kerberos authentication.

Drivers support CANONICALIZE_HOST_NAME, whose behavior is described in the Auth Spec. It is configured in the URI like:

mongodb://user@host/?authMechanism=GSSAPI&authMechanismProperties=CANONICALIZE_HOST_NAME:true

The shell is different; it permits users to set the GSSAPI hostname directly:

mongo <options> --gssapiHostname foo

There's a comment in mongo_uri_connect.cpp, "CANONICALIZE_HOST_NAME is currently unsupported".

I propose adding to the MongoDB client code the ability to recognize the CANONICALIZE_HOST_NAME option in the URI and canonicalize hostnames, following the Auth Spec. I have code in the C Driver that implements it for Windows and Unix.
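The two behaviours contrasted above (a driver reading CANONICALIZE_HOST_NAME from authMechanismProperties in the URI, and the shell taking an explicit --gssapiHostname) can be modelled in a few dozen lines. The block below is an added example for this ticket, not code from the mongo shell, the C driver or any MongoDB driver. The DNS steps are injected as functions so it runs offline against constructed tables (FORWARD_TABLE and REVERSE_TABLE are made up, as are the example.test hostnames); the fallback order when a reverse lookup fails (forward lookup's canonical name, then the original host) and the helper names gssapi_target, canonicalize_hostname and parse_auth_mechanism_properties are this example's own choices, not the Auth Spec's wording.

```python
"""Choose the host for a MongoDB GSSAPI service principal (service@host).

Added example for SERVER-33981; not mongo shell or driver code. Models:
  * driver style: CANONICALIZE_HOST_NAME from the URI decides whether the
    connection hostname is canonicalized (forward lookup, then reverse lookup);
  * shell style: an explicit hostname (like --gssapiHostname) used verbatim.
Fallback order after a failed reverse lookup is an assumption of this example.
"""
import socket
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

ForwardLookup = Callable[[str], Tuple[Optional[str], List[str]]]  # (canonical name, addresses)
ReverseLookup = Callable[[str], Optional[str]]                     # address -> PTR name or None
DEFAULT_SERVICE_NAME = "mongodb"  # SERVICE_NAME default from the Auth Spec


def parse_auth_mechanism_properties(uri: str) -> Dict[str, str]:
    """Return authMechanismProperties as {KEY: value} with upper-cased keys.

    The option value is a comma-separated list of key:value pairs; option
    names in a connection string are case-insensitive, so match them that way.
    """
    props: Dict[str, str] = {}
    query = parse_qs(urlparse(uri).query, keep_blank_values=True)
    for name, values in query.items():
        if name.lower() != "authmechanismproperties":
            continue
        for raw in values:
            for pair in filter(None, raw.split(",")):
                key, sep, value = pair.partition(":")
                if not sep or not key.strip():
                    raise ValueError(f"malformed authMechanismProperties entry: {pair!r}")
                props[key.strip().upper()] = value.strip()
    return props


def wants_canonicalization(props: Dict[str, str]) -> bool:
    """Interpret CANONICALIZE_HOST_NAME; anything other than true/false is rejected."""
    value = props.get("CANONICALIZE_HOST_NAME", "false").lower()
    if value not in ("true", "false"):
        raise ValueError(f"unsupported CANONICALIZE_HOST_NAME value: {value!r}")
    return value == "true"


def canonicalize_hostname(host: str, forward: ForwardLookup, reverse: ReverseLookup) -> str:
    """Forward-resolve host, then reverse-resolve the first address that has a PTR.

    Assumed fallback: the forward lookup's canonical name, then the original host.
    """
    canonical, addresses = forward(host)
    for address in addresses:
        name = reverse(address)
        if name:
            return name.rstrip(".")  # PTR data is often returned fully qualified
    return (canonical or host).rstrip(".")


def system_forward(host: str) -> Tuple[Optional[str], List[str]]:
    """Live getaddrinfo() with AI_CANONNAME; the canonical name sits on the first entry."""
    infos = socket.getaddrinfo(host, None, flags=socket.AI_CANONNAME)
    canonical = infos[0][3] if infos and infos[0][3] else None
    addresses: List[str] = []
    for _family, _type, _proto, _canon, sockaddr in infos:
        if sockaddr[0] not in addresses:
            addresses.append(sockaddr[0])
    return canonical, addresses


def system_reverse(address: str) -> Optional[str]:
    """Live reverse lookup; None when the address has no PTR record."""
    try:
        return socket.gethostbyaddr(address)[0]
    except OSError:
        return None


def gssapi_target(uri: str, host: str, gssapi_hostname: Optional[str] = None,
                  forward: ForwardLookup = system_forward,
                  reverse: ReverseLookup = system_reverse) -> str:
    """Return "service@host" for the ticket request.

    gssapi_hostname models the shell's --gssapiHostname and is used verbatim;
    otherwise the URI option decides whether the connection host is canonicalized.
    """
    props = parse_auth_mechanism_properties(uri)
    service = props.get("SERVICE_NAME", DEFAULT_SERVICE_NAME)
    if gssapi_hostname:
        target_host = gssapi_hostname
    elif wants_canonicalization(props):
        target_host = canonicalize_hostname(host, forward, reverse)
    else:
        target_host = host
    return f"{service}@{target_host}"


# Constructed DNS tables (not real hosts) so the example runs offline.
FORWARD_TABLE: Dict[str, Tuple[Optional[str], List[str]]] = {
    "mongo-alias.example.test": ("mongo1.corp.example.test", ["10.0.0.5"]),
    "mongo-noptr.example.test": ("mongo-noptr.example.test", ["10.0.0.6"]),  # no PTR
}
REVERSE_TABLE: Dict[str, str] = {"10.0.0.5": "mongo1.corp.example.test."}


def table_forward(host: str) -> Tuple[Optional[str], List[str]]:
    return FORWARD_TABLE.get(host, (None, []))


def table_reverse(address: str) -> Optional[str]:
    return REVERSE_TABLE.get(address)


if __name__ == "__main__":
    uri = ("mongodb://user@mongo-alias.example.test/?authMechanism=GSSAPI"
           "&authMechanismProperties=CANONICALIZE_HOST_NAME:true")
    print(gssapi_target(uri, "mongo-alias.example.test", forward=table_forward, reverse=table_reverse))
```

With the constructed tables, the CANONICALIZE_HOST_NAME:true URI yields mongodb@mongo1.corp.example.test for the alias, falls back to the forward canonical name for a host with no PTR, and an explicit gssapi_hostname wins regardless of the URI. As the comment thread notes, on a libkrb5-based client the library may still canonicalize on its own according to the rdns setting in krb5.conf, so this step is not the only place the principal's hostname can change.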



Comments
Comment by Jessica Sigafoos [ 29/Jun/20 ]

The new shell is using the node.js driver, so when we add Kerberos support, it will do what the driver does by default.

Comment by Spencer Jackson [ 13/Apr/18 ]

Got it, thanks. The shell uses libkrb5 too, and by default the 'rdns' property is true. So it seems that for the most part CANONICALIZE_HOST_NAME won't be able to affect the shell's behavior.

Comment by A. Jesse Jiryu Davis [ 13/Apr/18 ]

Our spec doesn't prohibit canonicalization if CANONICALIZE_HOST_NAME is false:

https://github.com/mongodb/specifications/blob/master/source/auth/auth.rst#hostname-canonicalization

Right, the C Driver uses libkrb5 on Linux, and it does not try to prevent libkrb5 from canonicalizing.

Comment by Spencer Jackson [ 13/Apr/18 ]

jesse, if CANONICALIZE_HOST_NAME is false, is a driver allowed to canonicalize the provided hostname anyway?

To perform GSSAPI authentication, I assume that the C driver is using libkrb5, probably via a couple of degrees of abstraction. If CANONICALIZE_HOST_NAME is set to false, but krb5.conf does not contain 'rdns = false', will the hostname provided by the application be canonicalized? If no, how does the C driver override libkrb5?

Comment by Gregory McKeon (Inactive) [ 11/Apr/18 ]

ping spencer.jackson to take a look

Generated at Thu Feb 08 04:35:12 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.