[SERVER-33993] (kerberos) failed to connect if the principal name has '@' character
Created: 20/Mar/18 | Updated: 27/Nov/18 | Resolved: 27/Nov/18

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | winnie_quest |
| Assignee: | Benjamin Caimano (Inactive) |
| Resolution: | Duplicate |
| Votes: | 1 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Attachments: | |
| Issue Links: | |
| Operating System: | ALL |
| Sprint: | Service Arch 2018-10-08, Service Arch 2018-10-22, Service Arch 2018-11-05, Service Arch 2018-11-19, Service Arch 2018-12-03 |
| Participants: | |

Description

hi (note: for escape purposes, we have to add a backslash before @ if the principal name has @)

Comments
Comment by Gregory McKeon (Inactive) [ 27/Nov/18 ]

Closing as a duplicate, since there were two tasks that came out of this that were both filed as separate tickets.

Comment by A. Jesse Jiryu Davis [ 30/Apr/18 ]

Yes, we're tracking that in

Comment by Andrew Morrow (Inactive) [ 30/Apr/18 ]

Hi winnie_quest - Just an FYI, but the C++ driver wraps the C driver and delegates all URI interpretation to the C driver. If there is an issue, I recommend opening a ticket in the CDRIVER project: https://jira.mongodb.org/projects/CDRIVER.

Comment by winnie_quest [ 28/Apr/18 ]

hi Ben, I have tried with:
but it still doesn't work.

Comment by Benjamin Caimano (Inactive) [ 27/Apr/18 ]

Hmmmmmm, so I'm not a CXX driver expert by any means. (The shell falls to one team and the cxx to another.) I am curious if perhaps the driver escapes the HTML and then escapes special characters. Does it work with this:
Any verbose output would be appreciated. (Also, apologies if I'm taking us down the wrong path, jesse.)

Comment by winnie_quest [ 27/Apr/18 ]

hi Ben, am I correct? If so, I found that when I tried to connect with the MongoDB CXX driver, like this: the connection would fail.

Comment by Benjamin Caimano (Inactive) [ 24/Apr/18 ]

Hey winnie_quest,

So the mongod server stores usernames in pure bytes. When you add a user via the mongo shell, it uses JavaScript to interpret your string, which means that to get a backslash into a username you need to escape that slash. The reason the KDC server rejects a principal that has multiple at-signs in it is due to the internal special-character rules of Kerberos. It needs that backslash in the byte string to escape all at-signs that are in the principal name portion.

Going a little deeper, to connect a MongoDB user to a Kerberos principal, the MongoDB user needs to reflect the "canonical" name of the principal. Specifically for MIT Kerberos, that means that all at-signs that aren't the one that separates name and domain must be escaped by a backslash. I say specifically for MIT Kerberos because the standard is very unhelpful (see section 4.2 for how they leave this up to the OS and thus the implementation).

When you use the mongo shell to connect to the mongod server via GSS-API/libkrb5, the shell uses your ticket from kinit. The ticket you use in the images above to authenticate is using a principal that does have the backslash, the escape character. You then send the string from the --username argument as the user you want to be in the mongod server. There are two issues here:

Apologies if I seem to be restating things you know; I'm trying to make sure we're on the same page here. This isn't something we can really fix: we don't control and cannot predict what the rules are for how characters are escaped. In general, we'd recommend you look at the naming rules for your specific GSS-API implementation and make sure your usernames conform to them.

P.S. If you're curious about how Kerberos does its escaping, you can see how it works here. You can also see how it prints out principals here. I've specifically linked the lines where it deals with escape characters. Importantly, the "krb5_parse_name" function is used just about anywhere a principal is considered, including login. This means that the byte representation passed to Kerberos must include escape characters.

Comment by winnie_quest [ 24/Apr/18 ]

hi Ben, according to your suggestion, I had a test; if I added a user like this: Well, I created this JIRA item because of https://jira.mongodb.org/browse/CDRIVER-2549. In my program, I was trying to connect to the MongoDB server with the MongoDB cxx driver, but I couldn't connect to it with "user@a@KER.COM". This issue was found by our QA; I just want to report this issue to MongoDB.

Comment by Benjamin Caimano (Inactive) [ 18/Apr/18 ]

Hi winnie_quest, This appears to be a frustrating result of how JavaScript, and thus the Mongo Shell, officially handles strings. Kerberos actually stores the backslash as a raw character for the principal. However, JavaScript string parsing resolves an at-sign input string as an at-sign raw string without a backslash. (The process of escaping a string for our shell is less than obvious.) Would you mind trying to add your test user like so:
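As an added example that is not code from the ticket, from MongoDB or from libkrb5, the JavaScript sketch below covers both of Ben's explanations (24/Apr and 18/Apr): a simplified model of how MIT krb5 splits a principal on its unescaped '@', what the shell's JavaScript string literal actually stores for a single versus a double backslash, and the percent-encoding the same username needs inside a connection-string userinfo. The parser is a deliberate simplification (it does not model '/' components), and the ticket principal `user\@a@KER.COM`, the helper names and the stored-username constants are constructed for illustration.

```javascript
// Added example, not code from the ticket, MongoDB or libkrb5: a simplified
// model of MIT krb5 principal escaping (backslash escapes the next character,
// the last unescaped '@' splits name from realm, a second one is malformed;
// '/' component separators are not modelled). Names are constructed samples.
// Parse "name@REALM" with krb5-style escaping; throws for strings that
// krb5_parse_name would reject as malformed.
function parsePrincipal(raw) {
  let name = null, buf = '';
  for (let i = 0; i < raw.length; i++) {
    const c = raw[i];
    if (c === '\\') {                        // escape: next char is literal
      if (i + 1 >= raw.length) throw new Error('trailing backslash');
      buf += raw[++i];
    } else if (c === '@') {                  // unescaped '@': name/realm split
      if (name !== null) throw new Error('malformed principal: ' + raw);
      name = buf; buf = '';
    } else {
      buf += c;
    }
  }
  if (name === null) throw new Error('no realm in: ' + raw);
  return { name, realm: buf };
}

// Canonical escaped form, i.e. the bytes a kinit ticket's principal carries.
function unparsePrincipal(p) {
  const esc = s => s.replace(/[\\@]/g, m => '\\' + m);
  return esc(p.name) + '@' + esc(p.realm);
}

// A $external MongoDB user matches the ticket only if its stored username
// is the canonical form byte for byte; a malformed stored name never matches.
function userMatchesTicket(storedUser, ticketPrincipal) {
  try {
    return unparsePrincipal(parsePrincipal(storedUser)) ===
           unparsePrincipal(parsePrincipal(ticketPrincipal));
  } catch (e) {
    return false;
  }
}

// What the shell's JavaScript string literal actually stores: "\@" is not a
// recognised escape, so the backslash is dropped; "\\@" keeps a real backslash.
const SINGLE_ESCAPED = "user\@a@KER.COM";    // stored as user@a@KER.COM
const DOUBLE_ESCAPED = "user\\@a@KER.COM";   // stored as user\@a@KER.COM
const TICKET_PRINCIPAL = "user\\@a@KER.COM"; // constructed kinit principal
// The same username in a connection-string userinfo must be percent-encoded
// ('\' -> %5C, '@' -> %40) so the driver does not split the URI on the wrong '@'.
function uriUserinfo(principal) { return encodeURIComponent(principal); }
```

The single-escaped form fails to parse (two unescaped at-signs), so it can never match the ticket, which is the failure the thread describes.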