[SERVER-8479] Let system administrator specify the GSSAPI service and host name reported by mongo servers. Created: 08/Feb/13 Updated: 18/Nov/13 Resolved: 20/Feb/13
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | 2.4.0-rc1 |
| Type: | Improvement |
| Priority: | Minor - P4 |
| Reporter: | Andy Schwerin |
| Assignee: | Andy Schwerin |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Minor Change |
| Participants: | |
Description

Currently, the GSSAPI service name for a mongo server is hardcoded to mongodb, and the hostname for authentication purposes is found by calling getHostName(). This requires customers to have a working DNS setup, and to not use CNAMEs to identify mongo nodes to clients. A solution that allows customers to use CNAMEs is to allow system admins to optionally override at startup the hostname used by the server for purposes of SASL authentication.
Comments

Comment by Andy Schwerin [ 20/Feb/13 ]
Splitting this ticket in two. The work already committed allows for the use of CNAMEs, as described below, without changes to client drivers or the ismaster command, as required by the follow-on.

Suppose that a mongo server runs on a machine named m101.example.com, but that clients should connect to it via the CNAME m.example.com. The administrator should create a service principal "mongodb/m.example.com@EXAMPLE.COM", put keys for that principal into a keytab on m101.example.com, say in /data/m.keytab, and then run mongod as follows:

Then, clients can connect and authenticate to "m.example.com" using GSSAPI. They should typically use the fully qualified domain name, to avoid authentication errors.
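As an added check, not part of the ticket or of MongoDB's own code: a minimal parser for MIT keytab files (format version 0x0502) that lists the principals a keytab such as /data/m.keytab holds and reports which advertised hostnames have no mongodb/<host>@EXAMPLE.COM key. The sample keytab is constructed inline; checking m101.example.com alongside m.example.com reflects the reverse-DNS (ANAME) caveat raised in the 14/Feb/13 comment.

```python
import struct

KEYTAB_V2 = b"\x05\x02"   # MIT keytab format version 0x0502 (big-endian fields)

def _counted(buf, off):
    """Read a keytab counted_octet_string: uint16 length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode("ascii"), off + 2 + n

def keytab_principals(data):
    """List the principals ('svc/host@REALM') stored in a version 0x0502 keytab.
    Entries whose size field is negative are free slots and are skipped."""
    if data[:2] != KEYTAB_V2:
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, found = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        start = off + 4
        off = start + abs(size)
        if size <= 0:
            continue
        (ncomp,) = struct.unpack_from(">H", data, start)
        realm, p = _counted(data, start + 2)   # v2 stores the realm first
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp)
        found.append("/".join(comps) + "@" + realm)
    return found

def missing_principals(data, service, hosts, realm):
    """Return the hostnames in `hosts` for which the keytab has no service key."""
    present = set(keytab_principals(data))
    return [h for h in hosts if "%s/%s@%s" % (service, h, realm) not in present]

def _entry(realm, comps, key=b"\x00" * 16):
    """Build one keytab entry (constructed test data: zero key, enctype 17)."""
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm
    for c in comps:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIB", 1, 0x5117E000, 1)      # name type, timestamp, vno8
    body += struct.pack(">HH", 17, len(key)) + key     # enctype, key length, key
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab: one key for the CNAME principal plus one free slot.
SAMPLE_KEYTAB = (KEYTAB_V2
                 + _entry(b"EXAMPLE.COM", [b"mongodb", b"m.example.com"])
                 + struct.pack(">i", -8) + b"\x00" * 8)
```

Running `missing_principals(SAMPLE_KEYTAB, "mongodb", ["m.example.com", "m101.example.com"], "EXAMPLE.COM")` on this sample returns `["m101.example.com"]`, showing the keytab covers the CNAME name but not the machine's own name.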
Comment by Andy Schwerin [ 14/Feb/13 ]

Due to behavior of the underlying GSSAPI library mandated by http://tools.ietf.org/html/rfc1964, it may be impossible to reliably override the host name portion of the service principal name when reverse DNS is available to resolve the service host's ANAME from its IP address.