[SERVER-33981] Support GSSAPI hostname canonicalization in mongo shell

| Created: | 19/Mar/18 | Updated: | 27/Oct/23 | Resolved: | 29/Jun/20 |
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Shell |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | New Feature |
| Priority: | Minor - P4 |
| Reporter: | A. Jesse Jiryu Davis |
| Assignee: | Backlog - Service Architecture |
| Resolution: | Gone away |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Assigned Teams: | Service Arch |
| Participants: | |

| Description |
I noticed, while investigating, that drivers support CANONICALIZE_HOST_NAME, whose behavior is described in the Auth Spec. It is configured in the URI like:

The shell is different; it permits users to set the GSSAPI hostname directly:

There's a comment in mongo_uri_connect.cpp, "CANONICALIZE_HOST_NAME is currently unsupported". I propose adding to the MongoDB client code the ability to recognize the CANONICALIZE_HOST_NAME option in the URI and canonicalize hostnames, following the Auth Spec. I have code in the C Driver that implements it for Windows and Unix.
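The following is an added example, not code from the mongo shell or the C Driver, showing what a client would do with the CANONICALIZE_HOST_NAME property once it recognizes it: parse `authMechanismProperties` out of the URI, and when the flag is true, resolve the supplied host forward and then reverse before building the GSSAPI target name. Real DNS is replaced by an injected resolver backed by a constructed lookup table so the example runs offline; the forward-then-reverse order is a simplification of the Auth Spec's canonicalization rule and is an assumption here, as are the hostnames and addresses.

```python
"""Added example (not MongoDB project code): honouring CANONICALIZE_HOST_NAME
from a MongoDB URI when building the GSSAPI target for authentication."""
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# A resolver maps a name to an address (forward) or an address to a name
# (reverse) and returns None on failure. Real code would use getaddrinfo /
# getnameinfo; here a dict.get stands in so the example needs no network.
Resolver = Callable[[str], Optional[str]]

# Constructed DNS data: an alias resolves to an address whose PTR record
# names the "real" host. None of these names exist outside this example.
CONSTRUCTED_FORWARD: Dict[str, str] = {"mongo-alias.example.test": "10.0.0.5"}
CONSTRUCTED_REVERSE: Dict[str, str] = {"10.0.0.5": "mongo1.example.test."}

# Constructed URIs (percent-encoded '@' inside the principal is required).
EXAMPLE_URI_CANON = (
    "mongodb://user%40EXAMPLE.COM@mongo-alias.example.test:27017/"
    "?authMechanism=GSSAPI"
    "&authMechanismProperties=SERVICE_NAME:mongodb,CANONICALIZE_HOST_NAME:true"
)
EXAMPLE_URI_NO_CANON = EXAMPLE_URI_CANON.replace(
    "CANONICALIZE_HOST_NAME:true", "CANONICALIZE_HOST_NAME:false"
)


def parse_auth_mechanism_properties(uri: str) -> Dict[str, str]:
    """Turn 'authMechanismProperties=K1:V1,K2:V2' into a dict with
    upper-cased keys; values are left as the user wrote them."""
    props: Dict[str, str] = {}
    for raw in parse_qs(urlsplit(uri).query).get("authMechanismProperties", []):
        for pair in raw.split(","):
            if ":" not in pair:
                continue  # malformed entry; ignore rather than guess
            key, value = pair.split(":", 1)
            props[key.strip().upper()] = value.strip()
    return props


def uri_hosts(uri: str) -> List[str]:
    """Host names from the URI authority, without user info or ports
    (IPv6 literals in brackets are not handled in this simplified parser)."""
    netloc = urlsplit(uri).netloc.rpartition("@")[2]
    return [h.rsplit(":", 1)[0] for h in netloc.split(",") if h]


def canonicalize_hostname(host: str, forward: Resolver, reverse: Resolver) -> str:
    """Forward-resolve the user's host to an address, then reverse-resolve
    that address to a name. Any failure falls back to the name as given,
    so a DNS problem degrades to the un-canonicalized behaviour rather
    than raising."""
    addr = forward(host)
    if addr is None:
        return host
    name = reverse(addr)
    if not name:
        return host
    return name.rstrip(".").lower()


def gssapi_targets(uri: str, forward: Resolver, reverse: Resolver) -> List[str]:
    """GSS host-based target names ('service@host') for every host in the
    URI. SERVICE_NAME defaults to 'mongodb'; the host is canonicalized only
    when CANONICALIZE_HOST_NAME is literally 'true' (case-insensitive).
    Note: as the comments on this ticket point out, libkrb5 may still
    canonicalize on its own (krb5.conf 'rdns') even when this flag is false."""
    props = parse_auth_mechanism_properties(uri)
    service = props.get("SERVICE_NAME", "mongodb")
    canon = props.get("CANONICALIZE_HOST_NAME", "false").lower() == "true"
    targets = []
    for host in uri_hosts(uri):
        name = canonicalize_hostname(host, forward, reverse) if canon else host
        targets.append(f"{service}@{name}")
    return targets


if __name__ == "__main__":
    for uri in (EXAMPLE_URI_CANON, EXAMPLE_URI_NO_CANON):
        print(parse_auth_mechanism_properties(uri),
              gssapi_targets(uri, CONSTRUCTED_FORWARD.get, CONSTRUCTED_REVERSE.get))
```

With the flag true the alias is replaced by the name found through the reverse lookup, and with it false the alias is passed through unchanged; a forward or reverse lookup failure also leaves the name unchanged, which is the safe default when the client cannot establish a better one.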
| Comments |

| Comment by Jessica Sigafoos [ 29/Jun/20 ] |

The new shell is using the node.js driver, so when we add Kerberos support, it will do what the driver does by default.

| Comment by Spencer Jackson [ 13/Apr/18 ] |

Got it, thanks. The shell uses libkrb5 too, and by default the 'rdns' property is true. So it seems that for the most part CANONICALIZE_HOST_NAME won't be able to affect the shell's behavior.

| Comment by A. Jesse Jiryu Davis [ 13/Apr/18 ] |

Our spec doesn't prohibit canonicalization if CANONICALIZE_HOST_NAME is false: https://github.com/mongodb/specifications/blob/master/source/auth/auth.rst#hostname-canonicalization

Right, the C Driver uses libkrb5 on Linux, and it does not try to prevent libkrb5 from canonicalizing.

| Comment by Spencer Jackson [ 13/Apr/18 ] |

jesse, if CANONICALIZE_HOST_NAME is false, is a driver allowed to canonicalize the provided hostname anyway? To perform GSSAPI authentication, I assume that the C driver is using libkrb5, probably via a couple of degrees of abstraction. If CANONICALIZE_HOST_NAME is set to false, but krb5.conf does not contain 'rdns = false', will the hostname provided by the application be canonicalized? If no, how does the C driver override libkrb5?

| Comment by Gregory McKeon (Inactive) [ 11/Apr/18 ] |

ping spencer.jackson to take a look