[SERVER-69464] "Attempt to switch user during SASL authentication" error when cluster is configured for x509 membership auth Created: 06/Sep/22  Updated: 10/Jul/23  Resolved: 25/Oct/22

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 5.0.8, 6.0.0
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Dmitry Ryabtsev Assignee: Backlog - Security Team
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates SERVER-70242 Intracluster X509 authentication can ... Closed
Related
related to SERVER-58591 Better instrumentation for TLS authen... Closed
Assigned Teams:
Server Security
Operating System: ALL
Steps To Reproduce:

1. Create cluster

mlaunch init --replicaset --nodes 1 --sharded 1 --config 1 --csrs --tlsCAFile CA.pem --tlsMode preferTLS --tlsCertificateKeyFile server.pem --bind_ip_all --clusterAuthMode x509 --setParameter authenticationMechanisms=PLAIN,SCRAM-SHA-256,SCRAM-SHA-1

2. Connect:

mongo --tls --tlsCertificateKeyFile server.pem --tlsCAFile CA.pem --authenticationMechanism MONGODB-X509 --authenticationDatabase '$external' 

3. In my case mlaunch is failing to add the shard, so I need to run the following manually:

sh.addShard("shard01/localhost:27018")

4. In the log of the shard process, observe the error from the description. User connections are not required.

Description:

I'm able to easily reproduce the issue from SERVER-58591 on v6.0:

{"t":{"$date":"2022-09-06T17:15:51.971+10:00"},"s":"I",  "c":"ACCESS",   "id":5286202, "ctx":"conn24","msg":"Different user name was supplied to saslSupportedMechs","attr":{"error":{"code":17,"codeName":"ProtocolError","errmsg":"Attempt to switch database target during SASL authentication from __system@local to @$external"}}}
{"t":{"$date":"2022-09-06T17:15:51.971+10:00"},"s":"I",  "c":"ACCESS",   "id":20429,   "ctx":"conn24","msg":"Successfully authenticated","attr":{"client":"127.0.0.1:34638","mechanism":"MONGODB-X509","user":"CN=*.domain.net,OU=mongodb,O=MongoDB,L=Sydney,ST=NSW,C=AU","db":"$external"}}

I don't think there is anything wrong with the config as user connections are not required for the issue to manifest.

This looks to be a benign issue, as I don't see any functional problems with how the cluster is operating. But the fact that it is raised as an error is concerning users.


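The two log entries quoted in the description show the pattern that makes this error benign: the "Different user name was supplied to saslSupportedMechs" entry (id 5286202) and, on the same connection (ctx conn24), a "Successfully authenticated" entry (id 20429) with mechanism MONGODB-X509 against $external. The script below is an added example, not part of this ticket or of MongoDB's code: it reads the JSON structured log, pairs the two entries per connection, and separates the intracluster x509 case from a switch error that is never followed by a successful authentication. The first two sample lines are the ticket's own; the third line (conn31, a switch from appuser@admin) is constructed for illustration, and the classification rule itself is an assumption drawn from the reporter's observation, not a rule documented by MongoDB.

```python
"""Triage MongoDB structured-log entries for the
"Attempt to switch database target during SASL authentication" error.

Benign pattern (assumption based on the ticket): the ProtocolError names
__system@local as the source and the same connection then authenticates
successfully with MONGODB-X509 on $external (intracluster membership auth).
"""
import json
from collections import defaultdict

# Log ids as they appear in the ticket's log lines.
SWITCH_USER_ID = 5286202  # "Different user name was supplied to saslSupportedMechs"
AUTH_OK_ID = 20429        # "Successfully authenticated"

# Constructed sample: lines 1-2 are the ticket's entries, line 3 is made up
# (conn31 never authenticates, and the source user is not __system@local).
SAMPLE_LOG = r'''
{"t":{"$date":"2022-09-06T17:15:51.971+10:00"},"s":"I",  "c":"ACCESS",   "id":5286202, "ctx":"conn24","msg":"Different user name was supplied to saslSupportedMechs","attr":{"error":{"code":17,"codeName":"ProtocolError","errmsg":"Attempt to switch database target during SASL authentication from __system@local to @$external"}}}
{"t":{"$date":"2022-09-06T17:15:51.971+10:00"},"s":"I",  "c":"ACCESS",   "id":20429,   "ctx":"conn24","msg":"Successfully authenticated","attr":{"client":"127.0.0.1:34638","mechanism":"MONGODB-X509","user":"CN=*.domain.net,OU=mongodb,O=MongoDB,L=Sydney,ST=NSW,C=AU","db":"$external"}}
{"t":{"$date":"2022-09-06T17:16:02.100+10:00"},"s":"I",  "c":"ACCESS",   "id":5286202, "ctx":"conn31","msg":"Different user name was supplied to saslSupportedMechs","attr":{"error":{"code":17,"codeName":"ProtocolError","errmsg":"Attempt to switch database target during SASL authentication from appuser@admin to @$external"}}}
'''


def parse_switch_error(errmsg):
    """Extract (source, target) from
    '... during SASL authentication from __system@local to @$external'.
    Returns None if the message does not have that shape."""
    marker = "during SASL authentication from "
    i = errmsg.find(marker)
    if i < 0:
        return None
    src, sep, dst = errmsg[i + len(marker):].partition(" to ")
    if not sep:
        return None
    return src, dst


def triage(log_text):
    """Return {ctx: (status, detail)} for every connection that logged the
    switch error. status is 'benign', 'review' or 'investigate'."""
    switch_errors = {}
    auth_ok = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a structured-log line; ignore
        if rec.get("c") != "ACCESS":
            continue
        ctx = rec.get("ctx")
        attr = rec.get("attr", {})
        if rec.get("id") == SWITCH_USER_ID:
            errmsg = attr.get("error", {}).get("errmsg", "")
            switch_errors[ctx] = parse_switch_error(errmsg)
        elif rec.get("id") == AUTH_OK_ID:
            auth_ok[ctx].append(attr)

    result = {}
    for ctx, parsed in switch_errors.items():
        src, dst = parsed if parsed else (None, None)
        # Successful x509 membership auth on the same connection.
        x509 = [a for a in auth_ok.get(ctx, [])
                if a.get("mechanism") == "MONGODB-X509" and a.get("db") == "$external"]
        if src == "__system@local" and x509:
            result[ctx] = ("benign",
                           "intracluster x509 auth followed saslSupportedMechs for __system@local "
                           "(see SERVER-70242)")
        elif x509:
            result[ctx] = ("review", f"x509 auth succeeded after a switch from {src}")
        else:
            result[ctx] = ("investigate",
                           f"switch from {src} to {dst} with no successful authentication on this connection")
    return result


if __name__ == "__main__":
    for ctx, (status, detail) in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ctx}: {status} - {detail}")
```

Run it against a real mongod log with `triage(open("mongod.log").read())`; only connections that logged the switch error appear in the result, so an empty dict means the error never occurred. The pairing is per ctx (connection) only, which is what the ticket's two lines support; if the membership-auth path on a given version logs the success on a different connection, the rule would need to be loosened.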

Comments:
Comment by Spencer Jackson [ 25/Oct/22 ]

I just did some digging into SERVER-70242 and realized that these are probably the same issue. I'm going to close this ticket in favor of SERVER-70242, because that ticket has root cause and potential mitigations in its description.

Generated at Thu Feb 08 06:13:32 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.