<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Wed Feb 07 21:14:40 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[CDRIVER-2254] Could not authenticate using kerberos authentication with mongoc-driver v1.5.0</title>
                <link>https://jira.mongodb.org/browse/CDRIVER-2254</link>
                <project id="10030" key="CDRIVER">C Driver</project>
                    <description>&lt;p&gt;Based on &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-323&quot; class=&quot;external-link&quot; rel=&quot;nofollow&quot;&gt;https://jira.mongodb.org/browse/CDRIVER-323&lt;/a&gt;, the canonicalizeHostName flag is being passed in the URI string during Kerberos authentication. When using the mongo-c-driver v1.5.0 with Kerberos authentication, the driver hangs when using canonicalizeHostName=true. Precisely, the hang takes place inside the _mongoc_cluster_get_canonicalized_name function. This hang was not observed when using the mongo-c-driver v1.1.10. Not sure if this is the cause but the implementation of mongoc_stream_get_base_stream function (called within _mongoc_cluster_get_canonicalized_name) has changed since the 1.1.10 version. &lt;/p&gt;

&lt;p&gt;If the flag (canonicalizeHostName) is not set at all, then the kerberos authentication mechanism works for the mongo-c-driver v1.5.0. Is using the flag a requirement?&lt;/p&gt;

&lt;p&gt;The testing was performed with the following setup:&lt;/p&gt;

&lt;p&gt;MongoDB server version:			3.4.4 (enterprise)&lt;br/&gt;
MongoDB server installed on:                 Centos 7&lt;/p&gt;

&lt;p&gt;MongoDB Client on:               Centos7 (tested on Windows 7 as well)&lt;br/&gt;
Mongo-c-driver version:         1.5.0&lt;/p&gt;


&lt;p&gt;In case it is helpful, the format of the connection string being used when using canonicalizedHostName is:&lt;/p&gt;

&lt;p&gt;mongodb://example%20TEST.COM@mongocdriver:27017/test?authMechanism=GSSAPI&amp;amp;gssapiServiceName=mongodb&amp;amp;canonicalizeHostname=true&amp;amp;connectTimeoutMS=1213&amp;amp;serverSelectionTimeoutMS=1234&amp;amp;socketTimeoutMS=123321&lt;/p&gt;</description>
                <environment></environment>
        <key id="420121">CDRIVER-2254</key>
            <summary>Could not authenticate using kerberos authentication with mongoc-driver v1.5.0</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13201">Fixed</resolution>
                                        <assignee username="jesse@mongodb.com">A. Jesse Jiryu Davis</assignee>
                                    <reporter username="nachiketg">Nachiket Goswami</reporter>
                        <labels>
                    </labels>
                <created>Thu, 24 Aug 2017 23:23:40 +0000</created>
                <updated>Sat, 28 Oct 2023 11:30:31 +0000</updated>
                            <resolved>Mon, 20 Nov 2017 13:45:40 +0000</resolved>
                                    <version>1.2.4</version>
                                    <fixVersion>1.9.0</fixVersion>
                                    <component>auth</component>
                                        <votes>0</votes>
                                    <watches>4</watches>
                                                                                                                <comments>
                            <comment id="1730218" author="xgen-internal-githook" created="Mon, 20 Nov 2017 13:45:52 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;A. Jesse Jiryu Davis&apos;, &apos;username&apos;: &apos;ajdavis&apos;, &apos;email&apos;: &apos;jesse@mongodb.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-2254&quot; title=&quot;Could not authenticate using kerberos authentication with mongoc-driver v1.5.0&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-2254&quot;&gt;&lt;del&gt;CDRIVER-2254&lt;/del&gt;&lt;/a&gt; fix hang with &quot;canonicalizeHostname&quot;&lt;/p&gt;

&lt;p&gt;The GSSAPI / Kerberos option canonicalizeHostname allows the driver to&lt;br/&gt;
authenticate when hosts report different hostnames than what is used in&lt;br/&gt;
the Kerberos database. We had used it both with Cyrus-SASL and with&lt;br/&gt;
Microsoft&apos;s SSPI, and it had an infinite loop.&lt;/p&gt;

&lt;p&gt;Fix the infinite loop, and ignore the setting with SSPI, since SSPI&lt;br/&gt;
canonicalizes hostnames itself. The setting is only required for Cyrus.&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/commit/35c200ac9077415d513ed80a93ed7a8051025cbe&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/commit/35c200ac9077415d513ed80a93ed7a8051025cbe&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="1695065" author="behackett" created="Tue, 10 Oct 2017 19:35:02 +0000"  >&lt;p&gt;canonicalHostname shouldn&apos;t be necessary anywhere but Windows SSPI. MIT krb5 and Heimdal automatically canonicalize the service hostname. Setting that option should have no effect anywhere else.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://web.mit.edu/kerberos/krb5-1.13/doc/admin/princ_dns.html#service-principal-canonicalization&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://web.mit.edu/kerberos/krb5-1.13/doc/admin/princ_dns.html#service-principal-canonicalization&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="1659923" author="jesse" created="Tue, 29 Aug 2017 19:43:41 +0000"  >&lt;p&gt;Sorry, I was looking at the wrong commit, I understand what you&apos;re telling me now. Yes, I see that starting in version 1.2.0, mongoc_stream_get_base_stream never returns NULL, even if the stream-&amp;gt;get_base_stream function pointer is NULL, which causes _mongoc_cluster_get_canonicalized_name to loop forever trying to find the root stream.&lt;/p&gt;

&lt;p&gt;We should revert that change to mongoc_stream_get_base_stream. As a refactoring, _mongoc_cluster_get_canonicalized_name should call mongoc_stream_get_root_stream so this logic is only implemented in one place. We should unittest _mongoc_cluster_get_canonicalized_name without requiring a Kerberos cluster. If possible we should also test an actual Kerberos cluster in our Evergreen continuous-integration server with &quot;canonicalizeHostName:true&quot;.&lt;/p&gt;

&lt;p&gt;Since you can use Kerberos now by leaving canonicalizeHostName false, I&apos;m scheduling this for a future release, 1.9.&lt;/p&gt;</comment>
                            <comment id="1659695" author="nachiketg" created="Tue, 29 Aug 2017 16:44:05 +0000"  >&lt;p&gt;Thank you for the explanation here. The following is what I observed:&lt;/p&gt;

&lt;p&gt;1. I did a quick change locally within mongoc_stream_get_base_stream to return NULL (as was done in 1.1.10) instead of returning stream at the end of the function definition which allowed me to get rid of the hang.&lt;/p&gt;

&lt;p&gt;2. 100% CPU is indeed being used by the app during the hang.&lt;/p&gt;</comment>
                            <comment id="1659596" author="jesse" created="Tue, 29 Aug 2017 15:25:06 +0000"  >&lt;p&gt;The only change in mongoc_stream_get_base_stream after 1.1.10 is that we changed from returning NULL if the passed-in stream is NULL, to asserting that the passed-in stream is not NULL:&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/commit/1941a0a6fd7271ac26d7a3a152df30f810a662a8#diff-9e3b47d38bb628521cb9e33f3bf81f43L304&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/commit/1941a0a6fd7271ac26d7a3a152df30f810a662a8#diff-9e3b47d38bb628521cb9e33f3bf81f43L304&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;It doesn&apos;t seem to me that this change could result in a hang. In fact, since the caller _mongoc_cluster_get_canonicalized_name asserts that the stream is not NULL after calling mongoc_stream_get_base_stream, it doesn&apos;t seem to me that the change to mongoc_stream_get_base_stream can have any effect on hostname canonicalization at all. Can you tell me why you expect that reverting to 1.1.10&apos;s implementation of mongoc_stream_get_base_stream should solve this problem?&lt;/p&gt;

&lt;p&gt;Additionally, can you say whether your application is spinning (using 100% CPU) while it hangs?&lt;/p&gt;

&lt;p&gt;To answer your question, hostname canonicalization is not required. As you&apos;ve observed, in your setup Kerberos works without it. It&apos;s only necessary if the hostname used in Kerberos authentication does not match a host alias in your connection URI.&lt;/p&gt;</comment>
                            <comment id="1658785" author="nachiketg" created="Mon, 28 Aug 2017 18:11:52 +0000"  >&lt;p&gt;I tested this with the c driver v 1.7 and the hang is still observable even after using the updated connection string syntax. The hang takes place inside mongoc_stream_get_base_stream. I believe the mongoc_stream_get_base_stream() function definition present in v1.1.10 should solve this problem.&lt;/p&gt;</comment>
                            <comment id="1656749" author="bjori" created="Thu, 24 Aug 2017 23:32:40 +0000"  >&lt;p&gt;I&apos;ve got memories of mongoc_stream_get_base_stream having a bug where it would wind up in an endless loop.&lt;/p&gt;

&lt;p&gt;Could you please try upgrading to 1.7: &lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/releases/tag/1.7.0&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/releases/tag/1.7.0&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;1.5 is pretty old at this point.&lt;/p&gt;

&lt;p&gt;Btw, those connection uri options have been deprecated. The &quot;correct&quot; way is now:&lt;/p&gt;
&lt;pre&gt;mongodb://example%20TEST.COM@mongocdriver:27017/test?authMechanism=GSSAPI&amp;amp;authMechanismProperties=SERVICE_NAME:mongodb,CANONICALIZE_HOST_NAME:true&amp;amp;connectTimeoutMS=1213&amp;amp;serverSelectionTimeoutMS=1234&amp;amp;socketTimeoutMS=123321&lt;/pre&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="127558">CDRIVER-323</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
    </item>
</channel>
</rss>