Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-34421

saslSupportedMechs on arbiters must not error

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 3.7.7
    • Affects Version/s: 3.7.3
    • Component/s: Security
    • None
    • Fully Compatible
    • ALL
    • Platforms 2018-04-23, Platforms 2018-05-07

      There's a catch-22 in SASL mechanism negotiation with arbiters. In order for drivers not to have to do a second mechanism negotiation round trip, they need to add saslSupportedMechs to the initial ismaster command. This appears to fail on arbiters with a UserNotFound error. Instead, arbiters should reply with a normal ismaster response without a saslSupportedMechs field so that drivers can discover that the server is an arbiter after which they won't attempt authentication anyway.

      Repro:

      1. set up a 3.7.3 server with authentication and a user
      2. connect with an old client (to avoid SERVER-33947)
      3. manually run ismaster with saslSupportedMechs
      $ ~/mongodb/3.4.14/bin/mongo metis.local:57058
      MongoDB shell version v3.4.14
      connecting to: mongodb://metis.local:57058/test
      MongoDB server version: 3.7.3
      WARNING: shell and server versions do not match
      MongoDB Enterprise foo:ARBITER> use admin
      switched to db admin
      MongoDB Enterprise foo:ARBITER> db.runCommand({ismaster:1, saslSupportedMechs:"admin.root"})
      
      {
              "operationTime" : Timestamp(1523475642, 1),
              "ok" : 0,
              "errmsg" : "Could not find user root@admin",
              "code" : 11,
              "codeName" : "UserNotFound"
      }
      

      By contrast, connecting to a secondary works:

      $ ~/mongodb/3.4.14/bin/mongo metis.local:57048
      MongoDB shell version v3.4.14
      connecting to: mongodb://metis.local:57048/test
      MongoDB server version: 3.7.3
      WARNING: shell and server versions do not match
      MongoDB Enterprise foo:SECONDARY> use admin
      switched to db admin
      MongoDB Enterprise foo:SECONDARY> db.runCommand({ismaster:1, saslSupportedMechs:"admin.root"})
      {
              "hosts" : [
                      "metis.local:57038",
                      "metis.local:57048"
              ],
              "arbiters" : [
                      "metis.local:57058"
              ],
              "setName" : "foo",
              "setVersion" : 1,
              "ismaster" : false,
              "secondary" : true,
              "primary" : "metis.local:57038",
              "me" : "metis.local:57048",
              "lastWrite" : {
                      "opTime" : {
                              "ts" : Timestamp(1523475952, 1),
                              "t" : NumberLong(3)
                      },
                      "lastWriteDate" : ISODate("2018-04-11T19:45:52Z"),
                      "majorityOpTime" : {
                              "ts" : Timestamp(1523475952, 1),
                              "t" : NumberLong(3)
                      },
                      "majorityWriteDate" : ISODate("2018-04-11T19:45:52Z")
              },
              "maxBsonObjectSize" : 16777216,
              "maxMessageSizeBytes" : 48000000,
              "maxWriteBatchSize" : 100000,
              "localTime" : ISODate("2018-04-11T19:45:58.059Z"),
              "logicalSessionTimeoutMinutes" : 30,
              "minWireVersion" : 0,
              "maxWireVersion" : 7,
              "readOnly" : false,
              "saslSupportedMechs" : [
                      "SCRAM-SHA-256",
                      "SCRAM-SHA-1"
              ],
              "ok" : 1,
              "operationTime" : Timestamp(1523475952, 1)
      }
      

            Assignee:
            spencer.jackson@mongodb.com Spencer Jackson
            Reporter:
            david.golden@mongodb.com David Golden
            Votes:
            0 Vote for this issue
            Watchers:
            9 Start watching this issue

              Created:
              Updated:
              Resolved: