Uploaded image for project: 'C Driver'
  1. C Driver
  2. CDRIVER-5696

Deprecate support of Cyrus SASL on Windows

    • Type: Icon: Task Task
    • Resolution: Fixed
    • Priority: Icon: Unknown Unknown
    • 1.28.0
    • Affects Version/s: None
    • Component/s: None
    • None
    • C Drivers
    • Not Needed
    • Hide

      1. What would you like to communicate to the user about this feature?
      2. Would you like the user to see examples of the syntax and/or executable code and its output?
      3. Which versions of the driver/connector does this apply to?

      Show
      1. What would you like to communicate to the user about this feature? 2. Would you like the user to see examples of the syntax and/or executable code and its output? 3. Which versions of the driver/connector does this apply to?

      Proposal

      Drop support of Cyrus-SASL on Windows.

      At present the C driver documents support for Cyrus-SASL on Windows:

      On Windows, Kerberos support requires compiling the driver against Windows Native SSPI or cyrus-sasl. The default configuration of the driver will use Windows Native SSPI.

      Use of Cyrus on Windows is opted-in by setting the CMake option ENABLE_SASL=CYRUS

      Motivation

      Low Expected Use

      I expect there are few users using the C driver with Cyrus-SASL instead of the default SSPI.

      Building Cyrus-SASL from source on Windows is documented as as "work in progress". SSPI with Kerberos appears available since Windows 2000.

      CDRIVER-2040 notes:

      We've never proved Cyrus SASL works with Kerberos/GSSAPI on Windows

      CDRIVER-299 notes:

      We use Cyrus SASL on Windows, which is very hard to build and configure, and I (Jesse) couldn't get it to authenticate successfully. It probably does work, but it's terrifically inconvenient.

      I only found one ticket referencing use of Cyrus-SASL on Windows. CDRIVER-783 notes:

      The use case is: connecting a Windows client to a UNIX MIT Kerberos server.

      Missing test coverage

      There are no C driver tasks on Windows that test authenticating with GSSAPI when using Cyrus-SASL. There are notably C driver tasks on Windows referencing Cyrus-SASL. Examples:

      • sasl-cyrus-winssl-windows-2019-vs2017-x64-compile
      • sasl-cyrus-winssl-windows-2019-vs2017-x64-test-latest-server-auth

      However, I expect the test task is not testing GSSAPI auth. Testing GSSAPI auth only appears to occur in the authentication-tests* by running run-auth-tests.sh.  GSSAPI auth is the only feature that uses Cyrus-SASL.

      If this proposal is rejected, I would want to add tests to CI. Instructions to test on an Evergreen spawn host are documented here.

            Assignee:
            kevin.albertson@mongodb.com Kevin Albertson
            Reporter:
            kevin.albertson@mongodb.com Kevin Albertson
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: