- Type: New Feature
- Resolution: Fixed
- Priority: Critical - P2
- Affects Version/s: None
- Component/s: Authentication
While the authentication specification currently prohibits authenticating against an arbiter, users of the Go driver require this behavior. To enable it, do the following:
- Add an option to options.ClientOptions that enables authenticating with an arbiter
- Add a PerformAuthentication field to auth.HandshakerOptions
  - This field's type is func(description.Server) bool
  - This field determines whether auth should take place: if it returns true, perform authentication
  - If PerformAuthentication is nil, call a default function that follows the authentication specification
- Inside auth.Handshaker, call options.PerformAuthentication with the description.Server built from the response to command.Handshake
  - If authentication is not allowed, skip it
  - If authentication is allowed, proceed by calling options.Authenticator.Auth
- Remove the current arbiter checks from auth.ConductSaslConversation and auth.MongoDBCRAuthenticator.Auth
While unrelated, add a nil check for options.Authenticator to avoid a nil pointer panic.
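The design above as an added Go sketch; this is not the driver's code. The real description.Server, auth.Authenticator and command.Handshake are replaced by minimal stand-in types, and treating a nil Authenticator as an error (rather than a silent skip) is an assumption of this sketch, not something the ticket specifies.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-ins for description.Server and auth.Authenticator (assumed shapes, not the driver's).
type ServerKind int
const (
	RSPrimary ServerKind = iota
	RSSecondary
	RSArbiter
)
type Server struct {
	Addr string
	Kind ServerKind
}
type Authenticator interface{ Auth(srv Server) error }
// recordingAuth stands in for a keyfile/SCRAM authenticator and records where it ran.
type recordingAuth struct{ Authed []string }
func (r *recordingAuth) Auth(srv Server) error { r.Authed = append(r.Authed, srv.Addr); return nil }

// HandshakerOptions mirrors the fields the ticket proposes for auth.HandshakerOptions.
type HandshakerOptions struct {
	Authenticator         Authenticator
	PerformAuthentication func(Server) bool
}
// DefaultPerformAuth follows the auth spec: never authenticate against an arbiter.
func DefaultPerformAuth(srv Server) bool { return srv.Kind != RSArbiter }
// AllowArbiterAuth is the hook the new ClientOptions setting would install.
func AllowArbiterAuth(Server) bool { return true }
// Handshake models auth.Handshaker: srv is the description.Server from the command.Handshake response.
func Handshake(opts HandshakerOptions, srv Server) (authed bool, err error) {
	perform := opts.PerformAuthentication
	if perform == nil {
		perform = DefaultPerformAuth // spec behaviour when the option is unset
	}
	if !perform(srv) {
		return false, nil // hook declined (e.g. arbiter under the default policy)
	}
	if opts.Authenticator == nil { // assumption: report instead of nil pointer panic
		return false, errors.New("auth: PerformAuthentication is true but Authenticator is nil")
	}
	return true, opts.Authenticator.Auth(srv)
}
func main() {
	ok, err := Handshake(HandshakerOptions{Authenticator: &recordingAuth{}}, Server{"liquid.local:9004", RSArbiter})
	fmt.Println(ok, err) // false <nil>: arbiter skipped under the default policy
}
```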
Under an auth+arbiter setup, the only way to authenticate to an arbiter is to use the keyfile (when X.509 member auth is not used). I am finding that while I am able to auth using the keyfile to a regular member of the replica set, I am not able to auth to the arbiter.
I am attaching the go program I am using. Here is the output:
with a regular node:
[tim@liquid tst]$ go run go-driver-auth-find.go liquid.local:9001
[tim@liquid tst]$
(no output because the collection is empty)
with an arbiter:
[tim@liquid tst]$ go run go-driver-auth-find.go liquid.local:9004
panic: (Unauthorized) command find requires authentication

goroutine 1 [running]:
main.main()
	/Users/tim/tst/go-driver-auth-find.go:37 +0x64e
exit status 2
[tim@liquid tst]$
Here are the relevant log lines from the regular member:
2019-02-01T16:05:52.565-0500 I NETWORK [listener] connection accepted from 10.0.1.11:64664 #45 (13 connections now open)
2019-02-01T16:05:52.568-0500 I NETWORK [listener] connection accepted from 10.0.1.11:64665 #46 (14 connections now open)
2019-02-01T16:05:52.569-0500 I NETWORK [conn46] received client metadata from 10.0.1.11:64665 conn46: { driver: { name: "mongo-go-driver", version: "v0.3.0-prerelease" }, os: { type: "darwin", architecture: "amd64" }, platform: "go1.10.8" }
2019-02-01T16:05:52.578-0500 I ACCESS [conn46] Successfully authenticated as principal __system on local
2019-02-01T16:05:52.580-0500 I NETWORK [conn46] end connection 10.0.1.11:64665 (13 connections now open)
2019-02-01T16:05:52.580-0500 I NETWORK [conn45] end connection 10.0.1.11:64664 (12 connections now open)
and from the arbiter:
2019-02-01T16:05:59.159-0500 I NETWORK [listener] connection accepted from 10.0.1.11:64668 #40 (4 connections now open)
2019-02-01T16:05:59.161-0500 I NETWORK [listener] connection accepted from 10.0.1.11:64669 #41 (5 connections now open)
2019-02-01T16:05:59.162-0500 I NETWORK [conn41] received client metadata from 10.0.1.11:64669 conn41: { driver: { name: "mongo-go-driver", version: "v0.3.0-prerelease" }, os: { type: "darwin", architecture: "amd64" }, platform: "go1.10.8" }
2019-02-01T16:05:59.163-0500 I NETWORK [conn41] end connection 10.0.1.11:64669 (4 connections now open)
2019-02-01T16:05:59.163-0500 I NETWORK [conn40] end connection 10.0.1.11:64668 (3 connections now open)
- causes: GODRIVER-846 Unable to authenticate to a replica set member using the keyfile (Closed)