- Type: Bug
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: None
- Component/s: None
- None
- Fully Compatible
The function mongoc_database_add_user is a C driver helper to construct a createUser command. Currently it does not send the correct form of the pwd field for MongoDB 4.0.
The createUser command allows two ways to specify the password:
The field pwd can be a plaintext password. Example in mongo shell (assuming mongod is running with --auth):
db.runCommand ( {createUser: "username", pwd: "plaintext_password", roles: [ { role: "root", db: "admin" } ] })
Or pwd can be the result of an MD5 hash of the form:
md5(username + ":mongo:" + password)
and digestPassword must be set to false.
In MongoDB 4.0, we authenticate using a new, more secure authentication mechanism, SCRAM-SHA-256. When creating a user with SCRAM-SHA-256 credentials, MongoDB 4.0 no longer allows specifying the password in a hashed form, and will return an error.
Unfortunately, mongoc_database_add_user does send pwd using the hashed form of the password, so this function currently always returns an error when connected to a MongoDB 4.0 server. Instead, we must do the simpler thing: send the plaintext password and omit the digestPassword field.
Then, update the docs page for mongoc_database_add_user to warn the user to only call this method if the driver is using TLS.
Then, update places in our tests which should be using mongoc_database_add_user but aren't: here and here.
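The two pwd forms described above, side by side, as an added Python example (not the C driver's code and not part of the original ticket). The function names, the tls_enabled guard and the acceptance check are hypothetical; the check is only a simplified model of the 4.0 behaviour the ticket describes.

```python
import hashlib

# Constructed sample values, taken from the shell example in the ticket.
USER, PASSWORD = "username", "plaintext_password"
ROLES = [{"role": "root", "db": "admin"}]


def legacy_digest(username, password):
    """Hex MD5 of username + ":mongo:" + password (the hashed pwd form)."""
    return hashlib.md5(f"{username}:mongo:{password}".encode("utf-8")).hexdigest()


def create_user_hashed(username, password, roles):
    """Hashed form: pwd is the MD5 digest and digestPassword is false."""
    return {"createUser": username,
            "pwd": legacy_digest(username, password),
            "digestPassword": False,
            "roles": roles}


def create_user_plaintext(username, password, roles, tls_enabled):
    """Form the ticket proposes: plaintext pwd, digestPassword omitted."""
    if not tls_enabled:
        # Hypothetical guard mirroring the ticket's TLS warning.
        raise ValueError("refusing to send a plaintext pwd without TLS")
    return {"createUser": username, "pwd": password, "roles": roles}


def accepted_with_scram_sha_256(cmd):
    """Simplified model (assumption) of the 4.0 rule described in the ticket:
    a command that declares its pwd as already hashed is rejected."""
    return cmd.get("digestPassword") is not False


if __name__ == "__main__":
    for cmd in (create_user_hashed(USER, PASSWORD, ROLES),
                create_user_plaintext(USER, PASSWORD, ROLES, tls_enabled=True)):
        print(accepted_with_scram_sha_256(cmd), cmd)
```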