[SERVER-61030] Add authenticate command to allowlist for OP_QUERY Created: 27/Oct/21  Updated: 29/Oct/23  Resolved: 27/Oct/21

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 5.1.0-rc2
Fix Version/s: 5.2.0, 5.1.0-rc3

Type: Bug Priority: Blocker - P1
Reporter: Eric Milkie Assignee: David Storch
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Related
is related to SERVER-58338 Return an error if client attempts an... Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v5.1
Sprint: QE 2021-11-01
Participants:

 Description   

In SERVER-58338 we removed support for the authenticate command via OP_QUERY, but preserved support for the saslStart command. This was unintentional, and we should add back just support for authenticate, to be parallel with the other allowed commands that drivers issue prior to determining whether to use OP_MSG or not.



 Comments   
Comment by Githook User [ 27/Oct/21 ]

Author:

{'name': 'David Storch', 'email': 'david.storch@mongodb.com', 'username': 'dstorch'}

Message: SERVER-61030 Add 'authenticate' command to the OP_QUERY allowlist

(cherry picked from commit dea0353a2927370505ae22307d5d72362af9017b)
Branch: v5.1
https://github.com/mongodb/mongo/commit/c3a2b06948ef5fe75dd49ddea12f50e1f65da00b

Comment by David Storch [ 27/Oct/21 ]

Oops, I wrote up a more detailed commit message but failed to include it when merging. Here it is, for additional context:

Some driver versions will issue this command as OP_QUERY for
X.509 authentication, even though protocol negotation will
resolve to OP_MSG. Drivers should change their
implementation to issue 'authenticate' as OP_MSG against
server versions 5.1 and newer. In the meantime, this change
causes the server to accept OP_QUERY 'authenticate'
commands, ensuring that drivers with the aforementioned
behavior continue to be able to perform authentication.

Comment by Githook User [ 27/Oct/21 ]

Author:

{'name': 'David Storch', 'email': 'david.storch@mongodb.com', 'username': 'dstorch'}

Message: SERVER-61030 Add 'authenticate' command to the OP_QUERY allowlist
Branch: master
https://github.com/mongodb/mongo/commit/dea0353a2927370505ae22307d5d72362af9017b

Generated at Thu Feb 08 05:51:22 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.