Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-16668

SASL PLAIN authentication mechanism is inconsistent between community and enterprise

XMLWordPrintableJSON

    • Fully Compatible
    • ALL
    • Hide

      Create a user

      > db.createUser({user: "sajack", pwd: "secret", roles: ["readWrite"]})
Successfully added user: { "user" : "sajack", "roles" : [ "readWrite" ] }

Activate a community server, using PLAIN
sajack@linux-p7yj /home/sajack/mongo git master () % ./mongod --dbpath db1 --auth --setParameter authenticationMechanisms=PLAIN                                                                                                   2 :(
2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] MongoDB starting : pid=13909 port=27017 dbpath=db1 64-bit host=linux-p7yj.site
2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] _DEBUG build (which is slower)
2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] 
2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'.
2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] **        We suggest setting it to 'never'
2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] 
2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] db version v2.8.0-rc5-pre-
2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] git version: 8e8ecc54d3e63be0c2d19463031432f1308bcb7c
2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] OpenSSL version: OpenSSL 1.0.1j 15 Oct 2014
2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] build info: Linux linux-p7yj.site 3.17.4-2.g2d23787-desktop #1 SMP PREEMPT Tue Nov 25 20:17:30 UTC 2014 (2d23787) x86_64 BOOST_LIB_VERSION=1_49
2014-12-24T15:09:54.585-0500 I CONTROL  [initandlisten] allocator: tcmalloc
2014-12-24T15:09:54.586-0500 I CONTROL  [initandlisten] options: { security: { authorization: "enabled" }, setParameter: { authenticationMechanisms: "PLAIN" }, storage: { dbPath: "db1" } }
2014-12-24T15:09:54.599-0500 I JOURNAL  [initandlisten] journal dir=db1/journal
2014-12-24T15:09:54.600-0500 I JOURNAL  [initandlisten] recover : no journal files present, no recovery needed
2014-12-24T15:09:55.215-0500 I JOURNAL  [initandlisten] preallocateIsFaster=true 4.48
2014-12-24T15:09:55.458-0500 I JOURNAL  [initandlisten] preallocateIsFaster=true 2.28
2014-12-24T15:09:56.674-0500 I NETWORK  [initandlisten] waiting for connections on port 27017
2014-12-24T15:09:58.676-0500 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:45690 #1 (1 connection now open)
2014-12-24T15:09:58.689-0500 I ACCESS   [conn1] Unauthorized not authorized on admin to execute command { getLog: "startupWarnings" }
2014-12-24T15:09:58.696-0500 I ACCESS   [conn1] Unauthorized not authorized on admin to execute command { replSetGetStatus: 1.0, forShell: 1.0 }
2014-12-24T15:10:00.169-0500 I ACCESS   [conn1] Successfully authenticated as principal sajack on test
2014-12-24T15:10:03.552-0500 I NETWORK  [conn1] end connection 127.0.0.1:45690 (0 connections now open)

Log in using PLAIN
> db.runCommand({saslStart:1, mechanism: "PLAIN", payload: "c2FqYWNrAHNhamFjawBzZWNyZXQ="})
{ "conversationId" : 1, "done" : true, "payload" : "", "ok" : 1 }

Restart server with the enterprise module.

Attempt to log in again:
> db.runCommand({saslStart:1, mechanism: "PLAIN", payload: "c2FqYWNrAHNhamFjawBzZWNyZXQ="})
{ "ok" : 0, "code" : 18, "errmsg" : "Authentication failed." }
      Show
      Create a user > db.createUser({user: "sajack", pwd: "secret", roles: ["readWrite"]}) Successfully added user: { "user" : "sajack", "roles" : [ "readWrite" ] } Activate a community server, using PLAIN sajack@linux-p7yj /home/sajack/mongo git master () % ./mongod --dbpath db1 --auth --setParameter authenticationMechanisms=PLAIN 2 :( 2014-12-24T15:09:54.585-0500 I CONTROL [initandlisten] MongoDB starting : pid=13909 port=27017 dbpath=db1 64-bit host=linux-p7yj.site 2014-12-24T15:09:54.585-0500 I CONTROL [initandlisten] _DEBUG build (which is slower) 2014-12-24T15:09:54.585-0500 I CONTROL [initandlisten] 2014-12-24T15:09:54.585-0500 I CONTROL [initandlisten] ** WARNING: /sys/kernel/mm/transparent_hugepage/enabled is 'always'. 2014-12-24T15:09:54.585-0500 I CONTROL [initandlisten] ** We suggest setting it to 'never' 2014-12-24T15:09:54.585-0500 I CONTROL [initandlisten] 2014-12-24T15:09:54.585-0500 I CONTROL [initandlisten] db version v2.8.0-rc5-pre- 2014-12-24T15:09:54.585-0500 I CONTROL [initandlisten] git version: 8e8ecc54d3e63be0c2d19463031432f1308bcb7c 2014-12-24T15:09:54.585-0500 I CONTROL [initandlisten] OpenSSL version: OpenSSL 1.0.1j 15 Oct 2014 2014-12-24T15:09:54.585-0500 I CONTROL [initandlisten] build info: Linux linux-p7yj.site 3.17.4-2.g2d23787-desktop #1 SMP PREEMPT Tue Nov 25 20:17:30 UTC 2014 (2d23787) x86_64 BOOST_LIB_VERSION=1_49 2014-12-24T15:09:54.585-0500 I CONTROL [initandlisten] allocator: tcmalloc 2014-12-24T15:09:54.586-0500 I CONTROL [initandlisten] options: { security: { authorization: "enabled" }, setParameter: { authenticationMechanisms: "PLAIN" }, storage: { dbPath: "db1" } } 2014-12-24T15:09:54.599-0500 I JOURNAL [initandlisten] journal dir=db1/journal 2014-12-24T15:09:54.600-0500 I JOURNAL [initandlisten] recover : no journal files present, no recovery needed 2014-12-24T15:09:55.215-0500 I JOURNAL [initandlisten] preallocateIsFaster=true 4.48 2014-12-24T15:09:55.458-0500 I JOURNAL [initandlisten] preallocateIsFaster=true 2.28 2014-12-24T15:09:56.674-0500 I NETWORK [initandlisten] waiting for connections on port 27017 2014-12-24T15:09:58.676-0500 I NETWORK [initandlisten] connection accepted from 127.0.0.1:45690 #1 (1 connection now open) 2014-12-24T15:09:58.689-0500 I ACCESS [conn1] Unauthorized not authorized on admin to execute command { getLog: "startupWarnings" } 2014-12-24T15:09:58.696-0500 I ACCESS [conn1] Unauthorized not authorized on admin to execute command { replSetGetStatus: 1.0, forShell: 1.0 } 2014-12-24T15:10:00.169-0500 I ACCESS [conn1] Successfully authenticated as principal sajack on test 2014-12-24T15:10:03.552-0500 I NETWORK [conn1] end connection 127.0.0.1:45690 (0 connections now open) Log in using PLAIN > db.runCommand({saslStart:1, mechanism: "PLAIN", payload: "c2FqYWNrAHNhamFjawBzZWNyZXQ="}) { "conversationId" : 1, "done" : true, "payload" : "", "ok" : 1 } Restart server with the enterprise module. Attempt to log in again: > db.runCommand({saslStart:1, mechanism: "PLAIN", payload: "c2FqYWNrAHNhamFjawBzZWNyZXQ="}) { "ok" : 0, "code" : 18, "errmsg" : "Authentication failed." }
    • Security 16 (06/24/16), Security 17 (07/15/16), Security (08/08/16)

      On a community server, it is possible to use the PLAIN mechanism to authenticate against a local database user. The enterprise server does not support this through Cyrus SASL.

            Assignee:
            andreas.nilsson Andreas Nilsson
            Reporter:
            spencer.jackson@mongodb.com Spencer Jackson
            Votes:
            0 Vote for this issue
            Watchers:
            11 Start watching this issue

              Created:
              Updated:
              Resolved: