There's a catch-22 in SASL mechanism negotiation with arbiters. In order for drivers not to have to do a second mechanism negotiation round trip, they need to add saslSupportedMechs to the initial ismaster command. This appears to fail on arbiters with a UserNotFound error. Instead, arbiters should reply with a normal ismaster response without a saslSupportedMechs field so that drivers can discover that the server is an arbiter after which they won't attempt authentication anyway.
Repro:
- set up a 3.7.3 server with authentication and a user
- connect with an old client (to avoid
SERVER-33947) - manually run ismaster with saslSupportedMechs
$ ~/mongodb/3.4.14/bin/mongo metis.local:57058 MongoDB shell version v3.4.14 connecting to: mongodb://metis.local:57058/test MongoDB server version: 3.7.3 WARNING: shell and server versions do not match MongoDB Enterprise foo:ARBITER> use admin switched to db admin MongoDB Enterprise foo:ARBITER> db.runCommand({ismaster:1, saslSupportedMechs:"admin.root"}) { "operationTime" : Timestamp(1523475642, 1), "ok" : 0, "errmsg" : "Could not find user root@admin", "code" : 11, "codeName" : "UserNotFound" }
By contrast, connecting to a secondary works:
$ ~/mongodb/3.4.14/bin/mongo metis.local:57048 MongoDB shell version v3.4.14 connecting to: mongodb://metis.local:57048/test MongoDB server version: 3.7.3 WARNING: shell and server versions do not match MongoDB Enterprise foo:SECONDARY> use admin switched to db admin MongoDB Enterprise foo:SECONDARY> db.runCommand({ismaster:1, saslSupportedMechs:"admin.root"}) { "hosts" : [ "metis.local:57038", "metis.local:57048" ], "arbiters" : [ "metis.local:57058" ], "setName" : "foo", "setVersion" : 1, "ismaster" : false, "secondary" : true, "primary" : "metis.local:57038", "me" : "metis.local:57048", "lastWrite" : { "opTime" : { "ts" : Timestamp(1523475952, 1), "t" : NumberLong(3) }, "lastWriteDate" : ISODate("2018-04-11T19:45:52Z"), "majorityOpTime" : { "ts" : Timestamp(1523475952, 1), "t" : NumberLong(3) }, "majorityWriteDate" : ISODate("2018-04-11T19:45:52Z") }, "maxBsonObjectSize" : 16777216, "maxMessageSizeBytes" : 48000000, "maxWriteBatchSize" : 100000, "localTime" : ISODate("2018-04-11T19:45:58.059Z"), "logicalSessionTimeoutMinutes" : 30, "minWireVersion" : 0, "maxWireVersion" : 7, "readOnly" : false, "saslSupportedMechs" : [ "SCRAM-SHA-256", "SCRAM-SHA-1" ], "ok" : 1, "operationTime" : Timestamp(1523475952, 1) }