[SERVER-6117] SlaveOk Query fails with auth error even after logging in Created: 18/Jun/12  Updated: 11/Jul/16  Resolved: 09/Jul/12

Status: Closed
Project: Core Server
Component/s: Internal Client, Replication
Affects Version/s: 2.0.1, 2.1.1
Fix Version/s: 2.2.0-rc0

Type: Bug Priority: Major - P3
Reporter: Randolph Tan Assignee: Randolph Tan
Resolution: Done Votes: 0
Labels: replication
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to SERVER-6330 Can still perform unauthenticated que... Closed
related to SERVER-6334 ReplSet connections magically gets re... Closed
Operating System: ALL
Participants:

 Description   

Error message from running the attached script:

 
 m31001| Mon Jun 18 15:57:30 [conn8] assertion 10057 unauthorized db:test ns:test.user lock type:0 client:127.0.0.1 ns:test.user query:{}
 m31001| Mon Jun 18 15:57:30 [conn8] { $err: "unauthorized db:test ns:test.user lock type:0 client:127.0.0.1", code: 10057 }
Mon Jun 18 15:57:30 uncaught exception: error: {
	"$err" : "unauthorized db:test ns:test.user lock type:0 client:127.0.0.1",
	"code" : 10057
}



 Comments   
Comment by Kay Agahd [ 21/Aug/12 ]

Thanks Randolph. I didn't see your message because I hadn't refreshed the page before posting.

Comment by Kay Agahd [ 21/Aug/12 ]

Btw. I tested also v2.2.0-rc0 (http://downloads.mongodb.org/linux/mongodb-linux-x86_64-2.2.0-rc0.tgz) with the same results.

Comment by Randolph Tan [ 20/Aug/12 ]

Hi,

This looks like a Java driver bug. I have created a new ticket (JAVA-625) for you to track.

Comment by Kay Agahd [ 20/Aug/12 ]

Please reopen. I tested it on v2.2.0-rc1 and could reproduce the error.
Java code (using java-driver v2.8.0):

ArrayList<ServerAddress> servers = new ArrayList<ServerAddress>();
servers.add(new ServerAddress("s231", 20050));
servers.add(new ServerAddress("s231", 20051));
servers.add(new ServerAddress("s231", 20052));
 
Mongo m = new Mongo(servers);
 
m.setReadPreference(ReadPreference.SECONDARY);
final BasicDBObject query = new BasicDBObject();
final BasicDBObject fields = new BasicDBObject();
 
query.put("_id", new BasicDBObject("$gte", Integer.valueOf(1)));
fields.put("_id", Long.valueOf(1));
 
final DB db = m.getDB("offerStore");
boolean ok = db.authenticate("user", "pw".toCharArray());
System.out.println("ok: " + ok);
final DBCursor c = db.getCollection("offer").find(query, fields).limit(10);
 
while(c.hasNext()) {
DBObject offer = c.next();
System.out.println(offer);
}
c.close();

Output after several runs:

ok: false
Exception in thread "main" com.mongodb.MongoException: unauthorized db:offerStore ns:offerStore.offer lock type:0 client:192.x.y.z
	at com.mongodb.MongoException.parse(MongoException.java:82)
	at com.mongodb.DBApiLayer$MyCollection.__find(DBApiLayer.java:317)
	at com.mongodb.DBApiLayer$MyCollection.__find(DBApiLayer.java:298)
	at com.mongodb.DBCursor._check(DBCursor.java:369)
	at com.mongodb.DBCursor._hasNext(DBCursor.java:492)
	at com.mongodb.DBCursor.hasNext(DBCursor.java:517)
	at de.idealo.offerstore.mongo.TempTest.authenticationTest(TempTest.java:507)
	at de.idealo.offerstore.mongo.TempTest.main(TempTest.java:716)

Comment by auto [ 09/Jul/12 ]

Author:

{u'date': u'2012-07-09T12:08:58-07:00', u'name': u'Randolph Tan', u'email': u'randolph@10gen.com'}

Message: SERVER-6117 SlaveOk Query fails with auth error even after logging in
Branch: master
https://github.com/mongodb/mongo/commit/02b30c6fd728a5d3f0dce5d60c74dd9c0a1d775c

Comment by Randolph Tan [ 09/Jul/12 ]

Caused by:

The auth helper method (which the mongo shell also uses) only authenticates the internal connection to the primary and keeps a table of previously authenticated username and passwords that work. Whenever a new connection is created, it will use this table to authenticate the newly created connection. The problem is that the current implementation does not update the auth credentials when the connection already has a cached secondary, and you'll need to make it fail once to make it marked as not ok, which will make the DBClientReplicaSet create a fresh connection that would use the stored auth table.

Fix:
Whenever we authenticate using the DBClientReplicaSet::auth helper method, authenticate not just the primary connection but also to the cached secondary connection if we had one.

Comment by Randolph Tan [ 09/Jul/12 ]

Removed attached test code since there are some mistakes - will push the updated test to the master branch.

Comment by Randolph Tan [ 21/Jun/12 ]

Test also fails on both 2.0.1 and 2.0.6.

Comment by Andy Schwerin [ 21/Jun/12 ]

Is this a regression from 2.0?

Comment by Randolph Tan [ 18/Jun/12 ]

Attached test code. Should also test in conjunction with read preference (SERVER-4464) once it has been pushed to master.

Generated at Thu Feb 08 03:10:47 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.