[SERVER-61585] Mongosh triggering an okta 2fa on every single command Created: 17/Nov/21  Updated: 12/Jul/23

Status: Open
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Vincent Do Assignee: Maurizio Casimirri
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Problem/Incident
causes COMPASS-4527 Multiple mongos connections Closed
Related
is related to COMPASS-7009 Frequent "Connection pool cleared" error Open
Sprint: Up for triaging
Participants:
Case:

 Description   

Problem Statement/Rationale

When using the legacy mongo shell to connect to a database that is hooked up to use external auth via a provider like Okta, the shell will trigger a single request to authenticate that will trigger a single 2FA verification. However, when using mongosh, every single command that I run against the database triggers an additional 2FA verification request for some reason. It's almost like mongosh is authenticating on every single command executed in the session.

Steps to Reproduce

Connect to any MongoDB instance that's hooked up to Okta as external auth? For example, https://wiki.corp.mongodb.com/display/MMS/Cloud+Dev+and+QA+Environments

Expected Results

See above

Actual Results

See above




 Comments   
Comment by Vincent Do [ 17/Nov/21 ]

Ah, I see, that makes sense. Thanks for the explanation.

Comment by Anna Henningsen [ 17/Nov/21 ]

massimiliano.marcon Right, that’s what’s going on here. There are a number of related tickets around this, including https://jira.mongodb.org/browse/PM-1808, but nothing that I’m aware of that would actually tackle the problem in a way that helps mongosh (or other driver-based connections).

Comment by Massimiliano Marcon [ 17/Nov/21 ]

I think what happens isn't exactly that you get the 2FA request for every command; you will get it for the first n commands, where n is the size of the connection pool. But I understand how the UX is bad. mongo does not use a connection pool, which is why you are only asked for 2FA verification once. The short-term solution is to pass maxPoolSize=1 in the connection string. The better solution, since this is a general problem with any driver, is that the server becomes connection-pool-aware. I think there is a SERVER ticket somewhere about that but I can't find it.

anna.henningsen please keep me honest here.
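
The short-term workaround from the comment above (passing maxPoolSize=1 in the connection string), as an added example that is not part of the original ticket or of mongosh itself: a helper that rewrites a MongoDB connection string so the pool is capped at one connection. The function name `withSingleConnectionPool` is hypothetical and the sample URIs are constructed placeholders; it assumes a well-formed URI in which credentials are percent-encoded and options are separated by `&`.

```javascript
// Added example (not mongosh or driver code): cap the connection pool at 1
// so an externally authenticated session opens a single connection.
function withSingleConnectionPool(uri) {
  const scheme = /^mongodb(\+srv)?:\/\//.exec(uri);
  if (!scheme) {
    throw new Error('not a MongoDB connection string');
  }
  const rest = uri.slice(scheme[0].length);

  // Assumption: credentials are percent-encoded, so the first "?" starts
  // the options and the first "/" ends the host list.
  const q = rest.indexOf('?');
  let base = q === -1 ? rest : rest.slice(0, q);
  const query = q === -1 ? '' : rest.slice(q + 1);

  // Keep a "/" between the last host and the options.
  if (!base.includes('/')) {
    base += '/';
  }

  // Option names are case-insensitive: drop any existing maxPoolSize in
  // whatever casing it was written, then append the capped value once.
  const kept = query
    .split('&')
    .filter((pair) => pair !== '')
    .filter((pair) => pair.split('=')[0].toLowerCase() !== 'maxpoolsize');
  kept.push('maxPoolSize=1');

  return scheme[0] + base + '?' + kept.join('&');
}

// Constructed sample: replica set using external (LDAP-style) authentication.
const sampleUri =
  'mongodb://alice@db1.example.net:27017,db2.example.net:27017/' +
  '?authSource=%24external&authMechanism=PLAIN';
console.log(withSingleConnectionPool(sampleUri));
```

The rewritten string can be passed to mongosh as its connection string argument; an existing larger `maxPoolSize` is replaced rather than duplicated.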
