DRIVERS-188

Make copydb work with SASL (SCRAM)

    • Type: Task
    • Resolution: Done
    • Priority: Major - P3
    • Component/s: None

      See SERVER-15684 for a description of the protocol. I assume drivers' copy_database helper methods already accept five parameters named something like fromdb, todb, fromhost, username, and password.

      Drivers (PyMongo 2.8 and the next Ruby Driver 1.x release) should continue to support MONGODB-CR, and add support for SCRAM-SHA-1. No other SASL mechanisms should be supported (GSSAPI, CRAM-MD5, ...).

      Add SCRAM-SHA-1 support like so:

      1. Add a "mechanism" option to the copy_database helper method. For backwards compatibility, the user is not required to specify the mechanism. Allowed values are "MONGODB-CR" and "SCRAM-SHA-1". The default value is "DEFAULT" or null or some other special value.

      2. If the user has not specified a mechanism, choose based on the connected server's maxWireVersion: SCRAM-SHA-1 if maxWireVersion >= 3, otherwise MONGODB-CR. This is a heuristic, based on the assumption that people are likely to copy between mongods running the same version. We cannot tell what version fromhost is running. This heuristic fails if the connected server is modern but the fromhost mongod predates SCRAM-SHA-1. See step 4. (Note: copydb is impossible if the connected server predates SCRAM-SHA-1 and the fromhost mongod is modern and disables MONGODB-CR.)

      3. For SCRAM-SHA-1, begin with "copydbsaslstart" (all lowercase) instead of "copydbgetnonce".

      4. If the server's reply to "copydbsaslstart" has ok: 0, and the "errmsg" field contains the substring "no such cmd: saslStart", you know the fromhost predates SCRAM-SHA-1. Raise an informative error like "<fromhost> doesn't support SCRAM-SHA-1, pass mechanism='MONGODB-CR' to copy_database". Replace <fromhost> with the actual fromhost. Re-raise any other errors from "copydbsaslstart" normally. In particular, if the user explicitly sets mechanism to SCRAM-SHA-1 and the connected server is too old, you'll get a different error, "no such cmd: copydbsaslstart", which you should re-raise like any other command failure.

      5. If "copydbsaslstart" works correctly, call "copydb" repeatedly until you receive done: true, according to the protocol described in SERVER-15684.
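      The mechanism heuristic (step 2), the "copydbsaslstart" error handling (step 4) and the "copydb" loop (step 5) as an added Python example; this is not PyMongo's or the Ruby driver's code. The run_command callable, the CopyDatabaseError type and the field names inside the command documents are assumptions, since the payload exchange itself is specified in SERVER-15684.

```python
# Added example for DRIVERS-188, not driver code. Assumed: run_command(doc)
# sends a command to the connected server and returns its reply dict;
# CopyDatabaseError is an assumed exception type; the fields inside the
# copydbsaslstart/copydb documents are assumptions (see SERVER-15684).

DEFAULT = None  # step 1: the caller did not pick a mechanism
ALLOWED_MECHANISMS = ("MONGODB-CR", "SCRAM-SHA-1")
NO_SASLSTART = "no such cmd: saslStart"  # step 4: fromhost predates SCRAM


class CopyDatabaseError(Exception):
    """Any failed command reply during copy_database."""


def choose_mechanism(mechanism, max_wire_version):
    """Step 2: honour an explicit choice, else use the connected server's
    maxWireVersion as a proxy for what fromhost supports (>= 3 means SCRAM)."""
    if mechanism is DEFAULT:
        return "SCRAM-SHA-1" if max_wire_version >= 3 else "MONGODB-CR"
    if mechanism not in ALLOWED_MECHANISMS:
        raise ValueError("mechanism must be one of %r" % (ALLOWED_MECHANISMS,))
    return mechanism


def saslstart_error_message(reply, fromhost):
    """Step 4: the message to raise for a failed copydbsaslstart reply,
    or None when the reply has ok: 1."""
    if reply.get("ok"):
        return None
    errmsg = reply.get("errmsg", "")
    if NO_SASLSTART in errmsg:
        return ("%s doesn't support SCRAM-SHA-1, pass mechanism='MONGODB-CR' "
                "to copy_database" % fromhost)
    return errmsg  # e.g. "no such cmd: copydbsaslstart" from an old server


def copy_database_scram(run_command, fromdb, todb, fromhost):
    """Steps 3 and 5: copydbsaslstart, then copydb until done: true.
    Returns the number of copydb rounds so callers (and tests) can check it."""
    start = run_command({"copydbsaslstart": 1, "fromhost": fromhost,
                         "fromdb": fromdb, "mechanism": "SCRAM-SHA-1"})
    message = saslstart_error_message(start, fromhost)
    if message is not None:
        raise CopyDatabaseError(message)
    rounds = 0
    while True:
        reply = run_command({"copydb": 1, "fromhost": fromhost,
                             "fromdb": fromdb, "todb": todb})
        rounds += 1
        if not reply.get("ok"):
            raise CopyDatabaseError(reply.get("errmsg", "copydb failed"))
        if reply.get("done"):
            return rounds
```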

            Assignee: Barrie Segal (barrie)
            Reporter: Barrie Segal (barrie)