[SERVER-53724] Make DBClient able to reauthenticate with x509 automatically when reconnecting for tenant migrations
Created: 12/Jan/21  Updated: 29/Oct/23  Resolved: 26/Jan/21

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 4.9.0

Type: Task
Priority: Major - P3
Reporter: Vesselina Ratcheva (Inactive)
Assignee: Jason Zhang
Resolution: Fixed
Votes: 0
Labels: pm-1791_milestone-P
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by SERVER-53282 Handle collection drop mid-query-stag... Closed
Backwards Compatibility: Fully Compatible
Sprint: Sharding 2021-01-25, Sharding 2021-02-08

 Description   

Currently, we pass in the transientSSLParams for x509 when calling connect(). This allows us to connect and authenticate successfully, but at this time we are not able to reauthenticate after automatic DBClient reconnects here. We already have provisions for doing something similar with keyauth here, so hopefully we can leverage some of that functionality.

Ideally, this should all be handled internally in DBClient itself. We need information from the recipient service to reauthenticate, but perhaps that can be done cleanly via storing a lambda.



 Comments   
Comment by Githook User [ 25/Jan/21 ]

Author: Jason Zhang (jz1242) <jason.zhang@mongodb.com>

Message: SERVER-53724 Make DBClient able to reauthenticate with x509 automatically when reconnecting for tenant migrations
Branch: master
https://github.com/mongodb/mongo/commit/57aa9e6106905a8969af5b997e2b316ce2d71b62

Comment by Mark Benvenuto [ 13/Jan/21 ]

jack.mulrow as you suggested, just cache transientSSLParams in DBClientConnection. There does not need to be any interaction with the authCache as these are separate concerns. The transientSSLParams is related to the connection and is not something with login credentials.

I would also remove the optional parameter from connect() to find any other possible issues related to not calling connect with the right parameters.

Comment by Jack Mulrow [ 12/Jan/21 ]

I think one way to handle this is to cache the transientSSLParams passed to DBClientConnection::connectSocketOnly() (added in SERVER-52707) and use them when reconnecting in DBClientConnection::_checkConnection(). We can cache them in a new member variable, like what we do with _serverAddress and _applicationName. It looks like the authCache map in DBClientConnection should already be caching and reusing the x509 auth document used by the recipient service to auth earlier on, so I don't think any work is required for that.

spencer.jackson (or mark.benvenuto since you reviewed SERVER-52707), what do you think?
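The approach discussed in the comments above, as an added self-contained model (not MongoDB source and not part of the original ticket): the connection keeps the TLS parameters from the first connect and reuses them on automatic reconnect, separately from the cached auth document. `ModelServer`, `ModelConnection`, `TransientTLSParams`, the certificate subjects, and the fallback to a default certificate when no parameters are supplied are all assumptions made for illustration.

```cpp
#include <map>
#include <string>
// Hypothetical stand-in for the per-connection TLS settings (transientSSLParams).
struct TransientTLSParams { std::string clientCertSubject; };

// Model server (assumption): x509 auth passes only if the user matches the session's certificate.
struct ModelServer {
    std::string sessionSubject;
    void handshake(const TransientTLSParams* p) {
        sessionSubject = p ? p->clientCertSubject : "CN=default-node-cert";
    }
    bool authX509(const std::string& user) const { return user == sessionSubject; }
};

class ModelConnection {
public:
    explicit ModelConnection(bool cacheParams) : _cacheParams(cacheParams) {}
    void connect(ModelServer& s, const TransientTLSParams& params) {
        if (_cacheParams) { _cached = params; _haveCached = true; }  // connection state
        s.handshake(&params);
    }
    bool auth(ModelServer& s, const std::string& db, const std::string& user) {
        _authCache[db] = user;  // credential state, kept separately from TLS params
        return s.authX509(user);
    }
    // Automatic reconnect: no caller is present to pass TLS params again.
    bool reconnect(ModelServer& s) {
        s.handshake(_haveCached ? &_cached : nullptr);
        bool ok = true;
        for (const auto& kv : _authCache) ok = ok && s.authX509(kv.second);
        return ok;
    }
private:
    bool _cacheParams;
    bool _haveCached = false;
    TransientTLSParams _cached;
    std::map<std::string, std::string> _authCache;
};

bool reauthSucceeds(bool cacheParams) {  // true if replayed x509 auth passes after reconnect
    const std::string subject = "CN=tenant-migration-recipient";  // constructed value
    ModelServer s;
    ModelConnection c(cacheParams);
    c.connect(s, TransientTLSParams{subject});
    if (!c.auth(s, "$external", subject)) return false;
    return c.reconnect(s);
}

int main() { return (reauthSucceeds(true) && !reauthSucceeds(false)) ? 0 : 1; }
```

In the model, replaying the cached auth document alone is not enough: without the cached TLS parameters the new session presents a different certificate, so the replayed x509 auth fails.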
