[SERVER-34421] saslSupportedMechs on arbiters must not error Created: 11/Apr/18 Updated: 29/Oct/23 Resolved: 24/Apr/18 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 3.7.3 |
| Fix Version/s: | 3.7.7 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | David Golden | Assignee: | Spencer Jackson |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Sprint: | Platforms 2018-04-23, Platforms 2018-05-07 |
| Participants: |
| Description |
|
There's a catch-22 in SASL mechanism negotiation with arbiters. In order for drivers not to have to do a second mechanism negotiation round trip, they need to add saslSupportedMechs to the initial ismaster command. This appears to fail on arbiters with a UserNotFound error. Instead, arbiters should reply with a normal ismaster response without a saslSupportedMechs field so that drivers can discover that the server is an arbiter, after which they won't attempt authentication anyway.

Repro:
By contrast, connecting to a secondary works:
|
| Comments |
| Comment by Githook User [ 18/Feb/22 ] |
|
Author: {'name': 'James Kovacs', 'email': 'jkovacs@post.harvard.edu', 'username': 'JamesKovacs'} Message: |
| Comment by Githook User [ 18/Feb/22 ] |
|
Author: {'name': 'James Kovacs', 'email': 'jkovacs@post.harvard.edu', 'username': 'JamesKovacs'} Message: This reverts commit a8723971bb0d9ce6bfefdf3cc42c661b856e4706. |
| Comment by Githook User [ 08/Aug/18 ] |
|
Author: {'username': 'xdg', 'name': 'David Golden', 'email': 'xdg@xdg.me'} Message: SPEC-1145 Update auth spec for ismaster not erroring When the auth spec was developed, the server would give an ismaster |
| Comment by Githook User [ 24/Apr/18 ] |
|
Author: {'email': 'spencer.jackson@mongodb.com', 'username': 'spencerjackson', 'name': 'Spencer Jackson'} Message: |
| Comment by David Golden [ 11/Apr/18 ] |
|
This should hold for all server types/states that can't auth – not just arbiters. Anytime a server can't look up users, ismaster needs to provide a normal reply, not an error reply. I'm thinking about replica set members that are still starting up – clients need to be able to get their ismaster reply to properly classify their status. |
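The negotiation discussed in this ticket, seen from the driver's side, as an added sketch (not code from the ticket, the server, or any driver). It shows why an error reply to the initial ismaster leaves the driver unable to learn that the server is an arbiter, while a normal reply without saslSupportedMechs lets it classify the member and skip authentication. The reply documents are constructed; the type labels, the SCRAM-SHA-1 fallback, and deferring authentication on members that are not yet data-bearing are assumptions of this sketch.

```python
USER_NOT_FOUND = 11            # server error code named UserNotFound
DEFAULT_MECH = "SCRAM-SHA-1"   # assumed fallback when no mechanism list is returned
DATA_BEARING = ("RSPrimary", "RSSecondary")

def build_handshake(user_db, username):
    """Initial ismaster that also asks which SASL mechanisms the user has."""
    return {"ismaster": 1, "saslSupportedMechs": f"{user_db}.{username}"}

def classify(reply):
    """Map a successful ismaster reply to a replica-set member type."""
    if reply.get("arbiterOnly"):
        return "RSArbiter"
    if reply.get("ismaster"):
        return "RSPrimary"
    if reply.get("secondary"):
        return "RSSecondary"
    return "RSOther"  # e.g. a member that is still starting up

def plan_auth(reply):
    """Return (server_type, mechanism); mechanism None means no authentication."""
    if reply.get("ok") != 1:
        # An error reply carries no topology fields, so the driver cannot
        # tell that the server is an arbiter and cannot classify it at all.
        return ("Unknown", None)
    server_type = classify(reply)
    if server_type not in DATA_BEARING:
        # Arbiters (the ticket's case) are not authenticated to; this sketch
        # also defers auth on members that cannot look up users yet.
        return (server_type, None)
    mechs = reply.get("saslSupportedMechs")
    if not mechs:
        return (server_type, DEFAULT_MECH)  # field absent: fall back
    return (server_type, "SCRAM-SHA-256" if "SCRAM-SHA-256" in mechs else mechs[0])

# Constructed replies (not captured from a server).
ARBITER_ERROR = {"ok": 0, "code": USER_NOT_FOUND, "codeName": "UserNotFound"}
ARBITER_FIXED = {"ok": 1, "ismaster": False, "secondary": False,
                 "arbiterOnly": True, "setName": "rs0"}
SECONDARY = {"ok": 1, "ismaster": False, "secondary": True, "setName": "rs0",
             "saslSupportedMechs": ["SCRAM-SHA-1", "SCRAM-SHA-256"]}
STARTING_UP = {"ok": 1, "ismaster": False, "secondary": False, "setName": "rs0"}

if __name__ == "__main__":
    for name, reply in [("arbiter, error reply", ARBITER_ERROR),
                        ("arbiter, normal reply", ARBITER_FIXED),
                        ("secondary", SECONDARY), ("starting up", STARTING_UP)]:
        print(f"{name:22} -> {plan_auth(reply)}")
```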