[SERVER-47388] Complete TODO listed in SERVER-45108 Created: 07/Apr/20  Updated: 29/Oct/23  Resolved: 08/Jan/21

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 4.9.0

Type: Task Priority: Major - P3
Reporter: PM Bot Assignee: Haley Connelly
Resolution: Fixed Votes: 0
Labels: autogen-todo, sharding-wfbf-day
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to SERVER-45108 Change authutil.asCluster to check co... Closed
Backwards Compatibility: Fully Compatible
Sprint: Security 2020-04-20, Sharding 2020-12-28, Sharding 2021-01-11, Sharding 2021-01-25
Participants:

Description

There is a TODO in the codebase referencing a resolved ticket which is assigned to you.

Please follow this link to see the lines of code referencing this resolved ticket:
https://github.com/mongodb/mongo/search?q=SERVER-45108&type=Code

The next steps for this ticket are to either remove the outdated TODO or follow the steps in the TODO if it is correct. If the latter, please update the summary and description of this ticket to represent the work you're actually doing.



Comments
Comment by Githook User [ 08/Jan/21 ]

Author:

{'name': 'Haley Connelly', 'email': 'haley.connelly@mongodb.com', 'username': 'haleyConnelly'}

Message: SERVER-47388 Enable support for x509 auth for _flushRoutingTableCacheUpdates in shardingtest
Branch: master
https://github.com/mongodb/mongo/commit/9e1f0ea4f371a8101f96c84d2ecd3811d68cafb6

Comment by Max Hirschhorn [ 04/Sep/20 ]

I took a look at this ticket and wanted to leave a bit more context. authutil.asCluster() isn't particularly useful to ShardingTest's initialization because there won't be any users for the client to authenticate as. The following kind of change results in an error about the "CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US" user not existing. This is why the sharding_with_x509.js test creates that user immediately before running the index consistency checks as part of shutting down the sharded cluster.

// Index consistency check during shutdown needs a privileged user to auth as.
const x509User = 'CN=client,OU=KernelUser,O=MongoDB,L=New York City,ST=New York,C=US';
st.s.getDB('$external').createUser({user: x509User, roles: [{role: '__system', db: 'admin'}]});

diff --git a/src/mongo/shell/shardingtest.js b/src/mongo/shell/shardingtest.js
index 63f57bc0cc..99ac2745dd 100644
--- a/src/mongo/shell/shardingtest.js
+++ b/src/mongo/shell/shardingtest.js
@@ -1834,7 +1834,7 @@ var ShardingTest = function(params) {
                 {_flushRoutingTableCacheUpdates: "config.system.sessions"}));
         };
 
-        if (keyFileLocal) {
+        if (keyFileLocal || x509AuthRequired) {
             authutil.asCluster(authConn, keyFileLocal, () => execFlushRT(conn));
         } else {
             execFlushRT(conn);
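Review bot: the widened guard `if (keyFileLocal || x509AuthRequired)` sends the x509-only case into `authutil.asCluster(authConn, keyFileLocal, ...)` with `keyFileLocal` undefined, so there is no keyfile to authenticate with and, as explained above, no x509 user exists on a freshly started cluster for it to authenticate as. The x509 case needs its own branch (and its own credential source) rather than reusing the keyfile path.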
@@ -1842,7 +1842,7 @@ var ShardingTest = function(params) {
     };
 
     // TODO SERVER-45108: Enable support for x509 auth for _flushRoutingTableCacheUpdates.
-    if (!otherParams.manualAddShard && !x509AuthRequired) {
+    if (!otherParams.manualAddShard) {
         for (let i = 0; i < numShards; i++) {
             const keyFileLocal =
                 (otherParams.shards && otherParams.shards[i] && otherParams.shards[i].keyFile)
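Review bot: the guard `if (!otherParams.manualAddShard)` drops the `!x509AuthRequired` exclusion but leaves the `// TODO SERVER-45108` comment directly above it untouched; once x509 is handled here the TODO is stale and should be removed in the same change so the next autogen-todo sweep does not file another ticket for it.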

Instead, the pattern in ReplSetTest with runFnWithAuthOnPrimary() would be to create a separate mongo shell process which authenticates as a member of the cluster (i.e. the same way the mongod and mongos processes authenticate to each other) and runs any initialization commands. A separate mongo shell process must be used to supply a different --tlsCertificateKeyFile (aka --sslPEMKeyFile) than the one specified in the ssl.yml test suite file.

diff --git a/src/mongo/shell/shardingtest.js b/src/mongo/shell/shardingtest.js
index 63f57bc0cc..8e324c9dab 100644
--- a/src/mongo/shell/shardingtest.js
+++ b/src/mongo/shell/shardingtest.js
@@ -1836,13 +1836,31 @@ var ShardingTest = function(params) {
 
         if (keyFileLocal) {
             authutil.asCluster(authConn, keyFileLocal, () => execFlushRT(conn));
+        } else if (x509AuthRequired) {
+            const exitCode = _runMongoProgram(
+                ...["mongo",
+                    conn.host,
+                    "--tls",
+                    "--tlsAllowInvalidHostnames",
+                    "--tlsCertificateKeyFile",
+                    conn.fullOptions.tlsCertificateKeyFile ? conn.fullOptions.tlsCertificateKeyFile
+                                                           : conn.fullOptions.sslPEMKeyFile,
+                    "--tlsCAFile",
+                    conn.fullOptions.tlsCAFile ? conn.fullOptions.tlsCAFile
+                                               : conn.fullOptions.sslCAFile,
+                    "--authenticationDatabase=$external",
+                    "--authenticationMechanism=MONGODB-X509",
+                    "--eval",
+                    `(${execFlushRT.toString()})(db.getMongo())`,
+            ]);
+            assert.eq(0, exitCode, "parallel shell for x509 auth failed");
         } else {
             execFlushRT(conn);
         }
     };
 
     // TODO SERVER-45108: Enable support for x509 auth for _flushRoutingTableCacheUpdates.
-    if (!otherParams.manualAddShard && !x509AuthRequired) {
+    if (!otherParams.manualAddShard) {
         for (let i = 0; i < numShards; i++) {
             const keyFileLocal =
                 (otherParams.shards && otherParams.shards[i] && otherParams.shards[i].keyFile)
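Review bot: the ternaries `conn.fullOptions.tlsCertificateKeyFile ? ... : conn.fullOptions.sslPEMKeyFile` and the matching `tlsCAFile`/`sslCAFile` pair fall through to `undefined` when neither spelling is set, which puts the literal string "undefined" on the helper shell's command line and surfaces only as a later, less obvious TLS error; assert both values are defined before calling `_runMongoProgram`. The `...[` spread of an array literal is redundant, the arguments can be passed directly. Note also that `--eval` receives only `execFlushRT.toString()`, so anything the function references from the enclosing ShardingTest scope other than its own parameter is not defined in the spawned shell, and the `// TODO SERVER-45108` comment above the loop should be removed with this change.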

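As an added example (not code from the MongoDB repository or from the comment above), the following Node.js helper builds the argv for the separate `mongo` shell described above, mirroring the tls*/ssl* option fallback in the proposed diff but failing loudly when neither spelling of a required option is set instead of emitting the string "undefined" as an argument. The `fullOptions` shapes and paths used in the test are constructed sample values.

```javascript
// Resolve an option that may be present under its new tls* name or its
// legacy ssl* alias. Unlike a bare ternary, a missing value is an error
// rather than a silent `undefined` that ends up on the command line.
function pickOption(fullOptions, tlsName, sslName) {
  const value = fullOptions[tlsName] !== undefined ? fullOptions[tlsName]
                                                   : fullOptions[sslName];
  if (value === undefined) {
    throw new Error(`neither --${tlsName} nor --${sslName} is set on the connection`);
  }
  return value;
}

// Wrap a shell-side function so that --eval invokes it against the helper
// shell's own connection. Only the function's source text is shipped, so
// `fn` must not rely on variables from the caller's scope.
function evalSourceFor(fn) {
  return `(${fn.toString()})(db.getMongo())`;
}

// Build the argv for a helper `mongo` shell that authenticates to `host`
// with MONGODB-X509 using the cluster member's own client certificate.
// Hostname verification is relaxed exactly as in the proposed diff, since
// test clusters run on localhost with certificates issued for other names.
function buildX509ShellArgs(host, fullOptions, fn) {
  return [
    "mongo",
    host,
    "--tls",
    "--tlsAllowInvalidHostnames",
    "--tlsCertificateKeyFile",
    pickOption(fullOptions, "tlsCertificateKeyFile", "sslPEMKeyFile"),
    "--tlsCAFile",
    pickOption(fullOptions, "tlsCAFile", "sslCAFile"),
    "--authenticationDatabase=$external",
    "--authenticationMechanism=MONGODB-X509",
    "--eval",
    evalSourceFor(fn),
  ];
}

// Sample shell-side function, standing in for execFlushRT from the diff.
function sampleFlush(conn) {
  return conn.adminCommand({_flushRoutingTableCacheUpdates: "config.system.sessions"});
}
```

In the mongo shell itself the returned array would be handed to `_runMongoProgram` and the exit code checked, as the diff does.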
Comment by Sara Golemon [ 20/Apr/20 ]

Passing back to haley.connelly who added this TODO along with SERVER-44308.

Haley, the work on authUtil.asCluster() was completed in SERVER-45108, so whatever you need to do to enable this should be gtg.

Generated at Thu Feb 08 05:14:02 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.