[SERVER-43853] Failed scram auth log message conflates multiple reasons Created: 04/Oct/19  Updated: 29/Oct/23  Resolved: 24/Oct/19

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 4.0.12
Fix Version/s: 4.3.1

Type: Bug Priority: Minor - P4
Reporter: Oleg Pudeyev (Inactive) Assignee: Sara Golemon
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to RUBY-1948 Default authentication options are se... Closed
Backwards Compatibility: Minor Change
Operating System: ALL
Sprint: Security 2019-11-04
Participants:

Description

In debugging an auth-related failure today, I came across the following message in mongod log:

2019-10-04T17:21:51.803-0400 I ACCESS [conn379] SASL SCRAM-SHA-256 authentication failed for dev on admin from client 127.0.0.1:55716 ; AuthenticationFailed: Unable to perform SCRAM authentication for a user with missing or invalid SCRAM credentials

This message conflates two non-overlapping failure modes:

1. The credentials were missing, and thus SCRAM authentication was not attempted.
2. Credentials were supplied, authentication was attempted, and the credentials were found to be invalid.

Each of these failure modes should have its own, separate log message.

I used a 4.0 server for the test but master appears to have the same message string in it.



Comments
Comment by Githook User [ 24/Oct/19 ]

Author:

{'name': 'Sara Golemon', 'username': 'sgolemon', 'email': 'sara.golemon@mongodb.com'}

Message: SERVER-43853 Clarify SCRAM authentication error messages
Branch: master
https://github.com/mongodb/mongo/commit/ce00713876aa3388a2abcebda00672632a0c5ff5

Comment by Sara Golemon [ 23/Oct/19 ]

To clarify, #2 is actually that we have invalid credential data stored in our authentication database. This is an unlikely case which requires the DBA to be doing something misbehavey.

I do agree that the error message is suboptimal from a user standpoint. I'll rethink how we surface these cases.
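The following is an added worked example, not mongod code and not part of the ticket or the linked commit. It is a minimal RFC 5802/7677 SCRAM-SHA-256 server-side check written so that the three situations discussed above (no SCRAM-SHA-256 credentials stored for the user, stored credentials that are present but unusable as Sara describes, and a client proof that simply fails to verify) each raise their own exception and therefore produce a different reason string. The record shape under `credentials["SCRAM-SHA-256"]` (`iterationCount`, `salt`, `storedKey`, `serverKey`), the `authenticate` helper, the sample user documents and the reason strings are all assumptions made for this illustration; SASLprep of the password and channel binding are omitted.

```python
"""Added illustration (not mongod code): a minimal RFC 5802/7677 SCRAM-SHA-256
server-side check that raises a distinct exception for each failure mode the
single mongod message lumps together."""
import base64
import binascii
import hashlib
import hmac
import os


class CredentialsMissing(Exception):
    """No SCRAM-SHA-256 credentials stored for the user; SCRAM never attempted."""


class CredentialsMalformed(Exception):
    """Credentials stored but unusable (bad base64, wrong key length, low i)."""


class ProofMismatch(Exception):
    """Stored credentials usable; the client's proof did not verify (bad password)."""


def _b64d(s: str) -> bytes:
    return base64.b64decode(s, validate=True)


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _hi(password: str, salt: bytes, iterations: int) -> bytes:
    # Hi() from RFC 5802 is PBKDF2-HMAC; SASLprep of the password is omitted here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_credentials(password: str, iterations: int = 15000) -> dict:
    """Build a record shaped like credentials["SCRAM-SHA-256"] (assumed field names)."""
    salt = os.urandom(16)
    salted = _hi(password, salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return {
        "iterationCount": iterations,
        "salt": base64.b64encode(salt).decode(),
        "storedKey": base64.b64encode(hashlib.sha256(client_key).digest()).decode(),
        "serverKey": base64.b64encode(_hmac(salted, b"Server Key")).decode(),
    }


def load_credentials(user_doc: dict) -> tuple:
    """Missing credentials and malformed stored credentials are reported separately."""
    creds = user_doc.get("credentials", {}).get("SCRAM-SHA-256")
    if creds is None:
        raise CredentialsMissing("no SCRAM-SHA-256 credentials stored for user")
    try:
        iterations = int(creds["iterationCount"])
        salt, stored_key, server_key = (_b64d(creds[k]) for k in ("salt", "storedKey", "serverKey"))
    except (KeyError, TypeError, ValueError, binascii.Error) as exc:
        raise CredentialsMalformed(f"stored credentials undecodable: {exc!r}") from exc
    if iterations < 4096 or not salt or len(stored_key) != 32 or len(server_key) != 32:
        raise CredentialsMalformed("stored credentials fail RFC 7677 sanity checks")
    return iterations, salt, stored_key, server_key


def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key = _hmac(_hi(password, salt, iterations), b"Client Key")
    return _xor(client_key, _hmac(hashlib.sha256(client_key).digest(), auth_message))


def server_verify(stored_key: bytes, server_key: bytes, auth_message: bytes, proof: bytes) -> bytes:
    """Server side: recover ClientKey from the proof and compare H(ClientKey) to StoredKey."""
    client_key = _xor(proof, _hmac(stored_key, auth_message))
    if not hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key):
        raise ProofMismatch("client proof does not verify against stored key")
    return _hmac(server_key, auth_message)  # ServerSignature for the final server message


def authenticate(user_doc: dict, user: str, password: str) -> str:
    """Run both sides in-process; return the reason a log line should carry."""
    try:
        iterations, salt, stored_key, server_key = load_credentials(user_doc)
        c_nonce, s_nonce = os.urandom(12).hex(), os.urandom(12).hex()
        client_first_bare = f"n={user},r={c_nonce}"
        server_first = f"r={c_nonce}{s_nonce},s={base64.b64encode(salt).decode()},i={iterations}"
        client_final_bare = f"c=biws,r={c_nonce}{s_nonce}"  # c=biws: no channel binding
        auth_message = ",".join((client_first_bare, server_first, client_final_bare)).encode()
        server_verify(stored_key, server_key, auth_message,
                      client_proof(password, salt, iterations, auth_message))
        return "ok"
    except (CredentialsMissing, CredentialsMalformed, ProofMismatch) as exc:
        return f"{type(exc).__name__}: {exc}"


# Constructed sample users (not real data): one good record, one with no SCRAM-SHA-256
# credentials at all, one whose storedKey a misbehaving DBA overwrote with garbage.
GOOD = {"user": "dev", "credentials": {"SCRAM-SHA-256": make_credentials("correct horse")}}
NO_SCRAM = {"user": "dev", "credentials": {}}
CORRUPT = {"user": "dev", "credentials": {
    "SCRAM-SHA-256": {**GOOD["credentials"]["SCRAM-SHA-256"], "storedKey": "not base64!"}}}

if __name__ == "__main__":
    for label, doc, pw in (("good", GOOD, "correct horse"), ("wrong pw", GOOD, "nope"),
                           ("no creds", NO_SCRAM, "x"), ("corrupt", CORRUPT, "correct horse")):
        print(f"{label:9} -> {authenticate(doc, 'dev', pw)}")
```

The design point is that the decision about which reason to log is made where the information exists: credential lookup knows whether a record is absent or unusable, and only the proof check knows that a well-formed record did not match. Collapsing those into one string, as the message quoted in the description does, forces whoever reads the log to guess which path was taken.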

Generated at Thu Feb 08 05:04:18 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.