[SERVER-8983] Add error code for authentication fails - especially important for auditing products
Created: 14/Mar/13 | Updated: 11/Jul/16 | Resolved: 28/Mar/13 |
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 2.4.0-rc2 |
| Fix Version/s: | 2.4.2, 2.5.0 |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Matt Kalan | Assignee: | Andy Schwerin |
| Resolution: | Done | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Backwards Compatibility: | Fully Compatible |
| Description |
|
Currently when authentication fails (e.g. in db.auth() in the shell), the error that comes back does not have an error code, just a description. It is a common auditing policy by enterprises to log how many times someone tries to log in, and not having an error code for this makes it harder to identify. Especially as other DB products have error codes, it makes Mongo a special case. Providing error codes is a separate JIRA issue but specifically for this error would help in the short-term and make Mongo easier to integrate with. |
| Comments |
| Comment by auto [ 28/Mar/13 ] |
|
Author: Andy Schwerin <schwerin@10gen.com> Date: 2013-03-27T14:46:09Z Message: |
| Comment by Spencer Brody (Inactive) [ 28/Mar/13 ] |
|
The error message is "auth fails". The "code" field will have the value 18. |
| Comment by Matt Kalan [ 28/Mar/13 ] |
|
Is the actual message returned in the err field "AuthenticationFailed" or something else? And the code field I assume is where 18 is in the result document. |
| Comment by Andy Schwerin [ 28/Mar/13 ] |
|
There is no complete list, right now. Error codes under 4000 are here: https://github.com/mongodb/mongo/blob/master/src/mongo/base/error_codes.err These are the "semantically meaningful" codes, that your application might use to make decisions. Higher error codes are more about the location where the error occurred and less about the meaning. |
| Comment by Matt Kalan [ 28/Mar/13 ] |
|
Andy, is there a list of error codes and their description anywhere? In particular for this one, I see you say error code 18, and also what is the message? This page doesn't seem to be updated: http://www.mongodb.org/about/contributors/error-codes/ |
| Comment by auto [ 28/Mar/13 ] |
|
Author: Andy Schwerin <schwerin@10gen.com> Date: 2013-03-27T14:46:09Z Message: |
| Comment by Matt Kalan [ 26/Mar/13 ] |
|
I intend on the wire here not necessarily in the log. I'm hearing we would like to allow reporting on Mongo-CR as well so can we add support for that too in the live error response? |
| Comment by Andy Schwerin [ 22/Mar/13 ] |
|
I was apparently incorrect. Only the SASL variants of the authentication commands properly set the AuthenticationFailed code in returned messages, though neither writes the code to the log. Which change is this request about, though? The logging should be easy enough to backport, while the behavior of the MONGODB-CR authentication interchange will need a touch more QA to be certain. |
| Comment by Andy Schwerin [ 22/Mar/13 ] |
|
Error code 18 is AuthenticationFailed in 2.4.0. This value is returned to the client, but not presently written to the logs. Please clarify the desired behavior on authentication failure. |
| Comment by Matt Kalan [ 14/Mar/13 ] |
|
It works well if this format used already for other errors would be used for auth fails too. |
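
An added example, not part of the ticket or of MongoDB's code: an audit-side counter of failed logins that keys on the code value 18 discussed in the comments instead of on message text. The reply field names `ok` and `errmsg`, the event wrapper (`user`, `remote`, `reply`), the function names and the sample data are assumptions constructed for illustration.

```javascript
// Added example: count failed logins by error code, for audit reporting.
const AUTHENTICATION_FAILED = 18; // AuthenticationFailed, per this ticket

// Classify one authentication reply document.
// Assumption: replies carry ok/errmsg; the ticket itself only names "code".
function classifyAuthReply(reply) {
  if (!reply) return "other_error";
  if (reply.ok === 1) return "success";
  if (reply.code === AUTHENTICATION_FAILED) return "auth_failed";
  // Replies with no code can only be matched on text, which is the
  // brittle case this ticket asks to eliminate.
  if (reply.code === undefined && reply.errmsg === "auth fails") {
    return "auth_failed_uncoded";
  }
  return "other_error";
}

// Count failures per user and remote address; return keys at or above threshold.
function failedLoginReport(events, threshold) {
  const counts = new Map();
  for (const ev of events) {
    const kind = classifyAuthReply(ev.reply);
    if (kind !== "auth_failed" && kind !== "auth_failed_uncoded") continue;
    const key = `${ev.user}@${ev.remote}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts]
    .filter(([, failures]) => failures >= threshold)
    .map(([key, failures]) => ({ key, failures }))
    .sort((a, b) => b.failures - a.failures);
}

// Constructed sample events (not real traffic; addresses are documentation ranges).
const sampleEvents = [
  { user: "alice", remote: "192.0.2.5", reply: { ok: 0, errmsg: "auth fails", code: 18 } },
  { user: "alice", remote: "192.0.2.5", reply: { ok: 0, errmsg: "auth fails", code: 18 } },
  { user: "alice", remote: "192.0.2.5", reply: { ok: 0, errmsg: "auth fails" } },
  { user: "alice", remote: "192.0.2.5", reply: { ok: 1 } },
  { user: "bob", remote: "192.0.2.9", reply: { ok: 0, errmsg: "auth fails", code: 18 } },
  { user: "bob", remote: "192.0.2.9", reply: { ok: 0, errmsg: "constructed non-auth error", code: 4001 } },
];

console.log(failedLoginReport(sampleEvents, 3));
```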