[SERVER-8479] Let system administrator specify the GSSAPI service and host name reported by mongo servers. Created: 08/Feb/13  Updated: 18/Nov/13  Resolved: 20/Feb/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 2.4.0-rc1

Type: Improvement Priority: Minor - P4
Reporter: Andy Schwerin Assignee: Andy Schwerin
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by JAVA-845 Ability to use different SPN on the d... Closed
is depended on by DRIVERS-1889 Ability to use different Service Name... Closed
Duplicate
is duplicated by SERVER-8325 Let administrator override sasl servi... Closed
Related
related to SERVER-11770 Sasl Service Name cannot be specified... Closed
Backwards Compatibility: Minor Change
Participants:

Description

Currently, the GSSAPI service name for a mongo server is hardcoded to mongodb, and the hostname for authentication purposes is found by calling getHostName(). This requires customers to have a working DNS setup, and to not use CNAMEs to identify mongo nodes to clients.

A solution that allows customers to use CNAMEs is to allow system admins to optionally override at startup the hostname used by the server for purposes of sasl authentication.



Comments
Comment by Andy Schwerin [ 20/Feb/13 ]

Splitting this ticket in two. The work already committed allows for the use of CNAMEs, as described below, without changes to client drivers or the ismaster command, as required by the follow-on SERVER-8641.

Suppose that a mongo server runs on a machine named m101.example.com, but that clients should connect to it via the CNAME m.example.com. The administrator should create a service principal "mongodb/m.example.com@EXAMPLE.COM", put keys for that principal into a keytab on m101.example.com, say in /data/m.keytab, and then run mongod as follows:

env KRB5_KTNAME=/data/m.keytab mongod \
    --auth \
    --setParameter authenticationMechanisms=GSSAPI \
    --setParameter saslHostName=m.example.com \
    ...

Then, clients can connect and authenticate to "m.example.com" using GSSAPI. They should typically use the fully qualified domain name, to avoid authentication errors.

Comment by Andy Schwerin [ 14/Feb/13 ]

Due to behavior of the underlying GSSAPI library mandated by http://tools.ietf.org/html/rfc1964, it may be impossible to reliably override the host name portion of the service principal name when reverse DNS is available to resolve the service host's ANAME from its IP address.
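A pre-flight check for the CNAME setup described in this ticket, added here as an example and not MongoDB's own tooling: it builds the service principal the server will expect from saslHostName and the realm, confirms that principal is present in the keytab (parsed from `klist -kt` style output), sanity-checks the host name the 20/Feb/13 comment says clients should use in fully qualified form, and warns when the reverse-DNS name of the host differs from the CNAME, which is the canonicalization problem the 14/Feb/13 comment raises. The service name `mongodb`, the host names m.example.com and m101.example.com, the keytab path /data/m.keytab and the realm EXAMPLE.COM come from the ticket; the keytab listing and the reverse-DNS answer are constructed for the example.

```python
"""
Pre-flight check for a mongod GSSAPI deployment reached through a CNAME.

Constructed example (not MongoDB tooling). Models the ticket's setup: the
server runs on m101.example.com, clients use the CNAME m.example.com, and
mongod is started with --setParameter saslHostName=m.example.com while
KRB5_KTNAME points at a keytab holding mongodb/m.example.com@EXAMPLE.COM.
"""
import re

SERVICE_NAME = "mongodb"  # the GSSAPI service name the ticket says is hardcoded

# Constructed `klist -kt` style listing for /data/m.keytab. The layout
# (KVNO, date, time, principal) follows MIT krb5, but the entries are made up.
# The same principal appears twice because keytabs hold one entry per enctype.
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:/data/m.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 02/08/2013 10:15:02 mongodb/m.example.com@EXAMPLE.COM
   3 02/08/2013 10:15:02 mongodb/m.example.com@EXAMPLE.COM
   2 01/30/2013 09:00:41 host/m101.example.com@EXAMPLE.COM
"""

_ENTRY_RE = re.compile(r"\s*\d+\s+\S+\s+\S+\s+(\S+/\S+@\S+)\s*$")


def expected_principal(sasl_host_name, realm, service_name=SERVICE_NAME):
    """Service principal the server will accept once saslHostName is overridden."""
    return f"{service_name}/{sasl_host_name}@{realm}"


def parse_keytab_principals(klist_output):
    """Return the set of distinct principals listed in `klist -kt` output."""
    principals = set()
    for line in klist_output.splitlines():
        match = _ENTRY_RE.match(line)
        if match:
            principals.add(match.group(1))
    return principals


def check_sasl_host_name(sasl_host_name):
    """Return a list of problems with the configured host name (empty when fine)."""
    problems = []
    if "." not in sasl_host_name:
        problems.append("saslHostName is not fully qualified; clients using "
                        "the FQDN will request a different principal")
    if sasl_host_name != sasl_host_name.lower():
        problems.append("saslHostName contains upper-case letters; Kerberos "
                        "principal names are case-sensitive, use lower case")
    if sasl_host_name.endswith("."):
        problems.append("saslHostName ends with a dot; the principal must not")
    return problems


def preflight(sasl_host_name, realm, klist_output, reverse_dns_name=None):
    """
    Combine the checks: host name sanity, keytab holds the expected SPN, and a
    warning when reverse DNS resolves the host to a name other than the CNAME,
    since a GSSAPI library following RFC 1964 may canonicalize to that name.
    `reverse_dns_name` is supplied by the caller so the check runs offline.
    """
    principal = expected_principal(sasl_host_name, realm)
    report = {"principal": principal,
              "problems": check_sasl_host_name(sasl_host_name),
              "warnings": []}
    present = parse_keytab_principals(klist_output)
    if principal not in present:
        report["problems"].append(
            f"keytab lacks {principal}; it holds: {sorted(present)}")
    if reverse_dns_name and reverse_dns_name.lower() != sasl_host_name.lower():
        report["warnings"].append(
            f"reverse DNS gives {reverse_dns_name}, not {sasl_host_name}; "
            "the GSSAPI library may canonicalize the principal host part, "
            "so test authentication from a real client before rollout")
    report["ok"] = not report["problems"]
    return report


if __name__ == "__main__":
    result = preflight("m.example.com", "EXAMPLE.COM", SAMPLE_KLIST_OUTPUT,
                       reverse_dns_name="m101.example.com")
    for key, value in result.items():
        print(f"{key}: {value}")
```

In a real deployment the listing would come from running `klist -kt /data/m.keytab` on the server and the reverse name from a PTR lookup of the server's address; keeping both as inputs makes the check reproducible and lets it run where the keytab cannot be read.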

Generated at Thu Feb 08 03:17:33 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.