[SERVER-8983] Add error code for authentication fails - especially important for auditing products
Created: 14/Mar/13  Updated: 11/Jul/16  Resolved: 28/Mar/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.4.0-rc2
Fix Version/s: 2.4.2, 2.5.0

Type: Improvement
Priority: Major - P3
Reporter: Matt Kalan
Assignee: Andy Schwerin
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to SERVER-11329 Authentication Error number does not ... Closed
Backwards Compatibility: Fully Compatible
Participants:

 Description   

Currently when authentication fails (e.g. in db.auth() in the shell), the error that comes back does not have an error code, just a description. It is a common auditing policy by enterprises to log how many times someone tries to log in, and not having an error code for this makes it harder to identify. Especially as other DB products have error codes, it makes Mongo a special case.

Providing error codes is a separate JIRA issue but specifically for this error would help in the short-term and make Mongo easier to integrate with.



 Comments   
Comment by auto [ 28/Mar/13 ]

Author: Andy Schwerin <schwerin@10gen.com>
Date: 2013-03-27T14:46:09Z

Message: SERVER-8983 Include AuthenticationFailed error code in failed MONGODB-CR authentications.
Branch: v2.4
https://github.com/mongodb/mongo/commit/7f45f0fe14b9ffd64b6e75a9fe87d49c66a17b83

Comment by Spencer Brody (Inactive) [ 28/Mar/13 ]

The error message is "auth fails".

The "code" field will have the value 18.

Comment by Matt Kalan [ 28/Mar/13 ]

Is the actual message returned in the err field "AuthenticationFailed" or something else? And the code field I assume is where 18 is in the result document.

Comment by Andy Schwerin [ 28/Mar/13 ]

There is no complete list, right now. Error codes under 4000 are here:

https://github.com/mongodb/mongo/blob/master/src/mongo/base/error_codes.err

These are the "semantically meaningful" codes, that your application might use to make decisions. Higher error codes are more about the location where the error occurred and less about the meaning.

Comment by Matt Kalan [ 28/Mar/13 ]

Andy, is there a list of error codes and their description anywhere? In particular for this one, I see you say error code 18, and also what is the message? This page doesn't seem to be updated: http://www.mongodb.org/about/contributors/error-codes/

Comment by auto [ 28/Mar/13 ]

Author: Andy Schwerin <schwerin@10gen.com>
Date: 2013-03-27T14:46:09Z

Message: SERVER-8983 Include AuthenticationFailed error code in failed MONGODB-CR authentications.
Branch: master
https://github.com/mongodb/mongo/commit/2dc4f569adf4b66a2b9f4500de521c9cdf7ba73b

Comment by Matt Kalan [ 26/Mar/13 ]

I intend on the wire here, not necessarily in the log. I'm hearing we would like to allow reporting on Mongo-CR as well, so can we add support for that too in the live error response?

Comment by Andy Schwerin [ 22/Mar/13 ]

I was apparently incorrect. Only the SASL variants of the authentication commands properly set the AuthenticationFailed code in returned messages, though neither writes the code to the log. Which change is this request about, though? The logging should be easy enough to backport, while the behavior of the MONGODB-CR authentication interchange will need a touch more QA to be certain.

Comment by Andy Schwerin [ 22/Mar/13 ]

Error code 18 is AuthenticationFailed in 2.4.0. This value is returned to the client, but not presently written to the logs. Please clarify the desired behavior on authentication failure.

Comment by Matt Kalan [ 14/Mar/13 ]

It works well if this format used already for other errors would be used for auth fails too.
db.$cmd.reply({err:'E11000 duplicate key error index: test.things.$id dup key: { : 6.0 }',code:11000,n:0,connectionId:68,ok:61503.000000})"
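
Added example (not part of the ticket or of MongoDB's code): one way an auditing tool could use the code discussed in this thread, counting replies with code 18 per user and client in a sliding window and separately tallying failed replies that carry no code at all. The event wrapper (`ts`, `user`, `client`), the `ok` and `errmsg` field names, the window and the threshold are assumptions, and the sample replies are constructed.

```javascript
// Added example, not MongoDB code. Replies and client metadata are constructed.
const AUTHENTICATION_FAILED = 18; // AuthenticationFailed, as named in the thread

// Classify by numeric code only, so a change in message wording does not matter.
function isAuthFailure(reply) {
  return reply != null && Number(reply.code) === AUTHENTICATION_FAILED;
}

// events: [{ts (ms), user, client, reply}]. Returns the (user, client) pairs that
// reach `threshold` failures within `windowMs`, plus a count of failed replies
// that have no code and therefore cannot be classified reliably.
function auditAuthFailures(events, { windowMs = 60000, threshold = 3 } = {}) {
  const recent = new Map(); // key -> timestamps of failures still inside the window
  const alerts = [];
  let uncoded = 0;
  for (const ev of [...events].sort((a, b) => a.ts - b.ts)) {
    const r = ev.reply || {};
    if (!r.ok && r.code === undefined) uncoded++;
    if (!isAuthFailure(r)) continue;
    const key = `${ev.user}@${ev.client}`;
    const times = (recent.get(key) || []).filter(t => ev.ts - t < windowMs);
    times.push(ev.ts);
    recent.set(key, times);
    if (times.length === threshold) alerts.push({ key, at: ev.ts, count: times.length });
  }
  return { alerts, uncoded };
}

const sampleEvents = [ // constructed sample input
  { ts: 0,     user: "app", client: "10.0.0.5", reply: { ok: 0, errmsg: "auth fails", code: 18 } },
  { ts: 10000, user: "app", client: "10.0.0.5", reply: { ok: 0, errmsg: "auth fails", code: 18 } },
  { ts: 15000, user: "app", client: "10.0.0.5", reply: { ok: 0, err: "E11000 duplicate key error", code: 11000 } },
  { ts: 20000, user: "app", client: "10.0.0.5", reply: { ok: 0, errmsg: "auth fails", code: 18 } },
  { ts: 25000, user: "ops", client: "10.0.0.9", reply: { ok: 0, errmsg: "auth fails" } }, // no code field
  { ts: 30000, user: "ops", client: "10.0.0.9", reply: { ok: 1 } },
];

console.log(JSON.stringify(auditAuthFailures(sampleEvents)));
```

The `uncoded` count is the audit blind spot this ticket describes: a failed reply with only a description has to be matched on its text, which is why the code was requested.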
