[SERVER-34421] saslSupportedMechs on arbiters must not error Created: 11/Apr/18  Updated: 29/Oct/23  Resolved: 24/Apr/18

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 3.7.3
Fix Version/s: 3.7.7

Type: Bug Priority: Major - P3
Reporter: David Golden Assignee: Spencer Jackson
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Operating System: ALL
Sprint: Platforms 2018-04-23, Platforms 2018-05-07
Participants:

Description

There's a catch-22 in SASL mechanism negotiation with arbiters. In order for drivers not to have to do a second mechanism negotiation round trip, they need to add saslSupportedMechs to the initial ismaster command. This appears to fail on arbiters with a UserNotFound error. Instead, arbiters should reply with a normal ismaster response without a saslSupportedMechs field, so that drivers can discover that the server is an arbiter, after which they won't attempt authentication anyway.

Repro:

  1. set up a 3.7.3 server with authentication and a user
  2. connect with an old client (to avoid SERVER-33947)
  3. manually run ismaster with saslSupportedMechs

$ ~/mongodb/3.4.14/bin/mongo metis.local:57058
MongoDB shell version v3.4.14
connecting to: mongodb://metis.local:57058/test
MongoDB server version: 3.7.3
WARNING: shell and server versions do not match
MongoDB Enterprise foo:ARBITER> use admin
switched to db admin
MongoDB Enterprise foo:ARBITER> db.runCommand({ismaster:1, saslSupportedMechs:"admin.root"})
{
        "operationTime" : Timestamp(1523475642, 1),
        "ok" : 0,
        "errmsg" : "Could not find user root@admin",
        "code" : 11,
        "codeName" : "UserNotFound"
}

By contrast, connecting to a secondary works:

$ ~/mongodb/3.4.14/bin/mongo metis.local:57048
MongoDB shell version v3.4.14
connecting to: mongodb://metis.local:57048/test
MongoDB server version: 3.7.3
WARNING: shell and server versions do not match
MongoDB Enterprise foo:SECONDARY> use admin
switched to db admin
MongoDB Enterprise foo:SECONDARY> db.runCommand({ismaster:1, saslSupportedMechs:"admin.root"})
{
        "hosts" : [
                "metis.local:57038",
                "metis.local:57048"
        ],
        "arbiters" : [
                "metis.local:57058"
        ],
        "setName" : "foo",
        "setVersion" : 1,
        "ismaster" : false,
        "secondary" : true,
        "primary" : "metis.local:57038",
        "me" : "metis.local:57048",
        "lastWrite" : {
                "opTime" : {
                        "ts" : Timestamp(1523475952, 1),
                        "t" : NumberLong(3)
                },
                "lastWriteDate" : ISODate("2018-04-11T19:45:52Z"),
                "majorityOpTime" : {
                        "ts" : Timestamp(1523475952, 1),
                        "t" : NumberLong(3)
                },
                "majorityWriteDate" : ISODate("2018-04-11T19:45:52Z")
        },
        "maxBsonObjectSize" : 16777216,
        "maxMessageSizeBytes" : 48000000,
        "maxWriteBatchSize" : 100000,
        "localTime" : ISODate("2018-04-11T19:45:58.059Z"),
        "logicalSessionTimeoutMinutes" : 30,
        "minWireVersion" : 0,
        "maxWireVersion" : 7,
        "readOnly" : false,
        "saslSupportedMechs" : [
                "SCRAM-SHA-256",
                "SCRAM-SHA-1"
        ],
        "ok" : 1,
        "operationTime" : Timestamp(1523475952, 1)
}
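Driver-side view of the negotiation the report describes, as an added example that is not code from the MongoDB server or any driver: it classifies an isMaster reply, picks the mechanism, and counts the extra round trip an unfixed arbiter forces. The fixed-arbiter reply and the fake server are constructed (arbiterOnly is a standard isMaster field); falling back to SCRAM-SHA-1 when saslSupportedMechs is absent follows the driver auth spec's default.

```python
from typing import Any, Callable, Dict, Optional, Tuple

Reply = Dict[str, Any]

# Copied from the transcripts in the report, trimmed to the fields this logic reads.
ARBITER_REPLY_3_7_3: Reply = {"ok": 0, "errmsg": "Could not find user root@admin",
                              "code": 11, "codeName": "UserNotFound"}
SECONDARY_REPLY: Reply = {"ok": 1, "setName": "foo", "ismaster": False, "secondary": True,
                          "saslSupportedMechs": ["SCRAM-SHA-256", "SCRAM-SHA-1"]}
# Constructed: the normal reply a fixed arbiter is expected to give, with no saslSupportedMechs.
ARBITER_REPLY_FIXED: Reply = {"ok": 1, "setName": "foo", "ismaster": False,
                              "secondary": False, "arbiterOnly": True}

def server_kind(reply: Reply) -> str:
    """Classify a successful isMaster reply from its topology flags."""
    if reply.get("arbiterOnly"):
        return "arbiter"
    if reply.get("ismaster"):
        return "primary"
    if reply.get("secondary"):
        return "secondary"
    return "other"  # e.g. a member still starting up, as the reporter's comment notes

def pick_mechanism(reply: Reply) -> Optional[str]:
    """Mechanism to authenticate with, or None when auth must not be attempted."""
    if server_kind(reply) == "arbiter":
        return None  # drivers never authenticate against arbiters
    mechs = reply.get("saslSupportedMechs")
    if mechs is None:
        return "SCRAM-SHA-1"  # field absent: the driver auth spec's default mechanism
    for preferred in ("SCRAM-SHA-256", "SCRAM-SHA-1"):
        if preferred in mechs:
            return preferred
    raise ValueError(f"no mutually supported SASL mechanism in {mechs}")

def negotiate(send: Callable[[Reply], Reply], user: str) -> Tuple[Optional[str], int]:
    """Run the handshake; return (mechanism, round trips). One trip is the goal in the report."""
    reply = send({"ismaster": 1, "saslSupportedMechs": user})
    trips = 1
    if reply.get("ok") != 1:
        if reply.get("codeName") != "UserNotFound":
            raise RuntimeError(reply.get("errmsg", "isMaster failed"))
        reply = send({"ismaster": 1})  # unfixed arbiter: retry plain isMaster, costing a trip
        trips += 1
    return pick_mechanism(reply), trips

def fake_server(unfixed: bool, plain_reply: Reply) -> Callable[[Reply], Reply]:
    """Constructed stand-in: an unfixed arbiter errors only when saslSupportedMechs is sent."""
    return lambda cmd: ARBITER_REPLY_3_7_3 if unfixed and "saslSupportedMechs" in cmd else plain_reply
```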
Comments
Comment by Githook User [ 18/Feb/22 ]

Author: James Kovacs <jkovacs@post.harvard.edu> (JamesKovacs)

Message: DRIVERS-2213: Revert "Don't use arbiters in auth configs" since SERVER-34421 has been fixed. (#187)
Branch: master
https://github.com/mongodb-labs/drivers-evergreen-tools/commit/5ac3767f874e37dcb21171774ca04fdf9571859e

Comment by Githook User [ 18/Feb/22 ]

Author: James Kovacs <jkovacs@post.harvard.edu> (JamesKovacs)

Message: DRIVERS-2213: Revert "Don't use arbiters in auth configs" since SERVER-34421 has been fixed.

This reverts commit a8723971bb0d9ce6bfefdf3cc42c661b856e4706.
Branch: master
https://github.com/mongodb-labs/drivers-evergreen-tools/commit/1da7b85373e617828c1ef4e4d4d843b37d0b8852

Comment by Githook User [ 08/Aug/18 ]

Author: David Golden <xdg@xdg.me> (xdg)

Message: SPEC-1145 Update auth spec for ismaster not erroring

When the auth spec was developed, the server would give an ismaster
error for unknown users. That was fixed in SERVER-34421 before the 4.0
GA. This commit removes language that implies the server will error.
Branch: master
https://github.com/mongodb/specifications/commit/4f212acb5154a3c3d124525ad1f0f308efa93ef8

Comment by Githook User [ 24/Apr/18 ]

Author: Spencer Jackson <spencer.jackson@mongodb.com> (spencerjackson)

Message: SERVER-34421: isMaster saslSupportedMechs shouldn't error on UserNotFound
Branch: master
https://github.com/mongodb/mongo/commit/f761fe13f3d27959d421ae610ac20fdcb8701cce

Comment by David Golden [ 11/Apr/18 ]

This should hold for all server types/states that can't auth – not just arbiters. Anytime a server can't look up users, ismaster needs to provide a normal reply, not an error reply. I'm thinking about replica set members that are still starting up – clients need to be able to get their ismaster reply to properly classify their status.

Generated at Thu Feb 08 04:36:37 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.