Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 4.9.0, 4.4.6
Affects Version/s: None
Component/s: Security
Labels:
None

Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Backport Requested:

v4.4
Sprint:
Security 2021-03-22, Security 2021-04-05
Linked BF Score:
169

When trying to authenticate from ARNs for AWS China and Gov regions, the server throws an error message:

{"t":{"$date":"2021-02-24T21:46:18.029+00:00"},"s":"I",  "c":"ACCESS",   "id":20249,   "ctx":"conn785","msg":"Authentication failed","attr":{"mechanism":"MONGODB-AWS","principalName":"AKIA5BNHFCACSUUDSOR3","authenticationDatabase":"$external","client":"66.65.136.84:50215","result":"Location51282: Incorrect ARN"}}

It appears the code needs to be updated in the following places:
https://github.com/10gen/mongo-enterprise-modules/blob/master/src/sasl/sasl_aws_server_protocol.cpp#L216-L217

https://github.com/10gen/mongo-enterprise-modules/blob/07a2f1b3245d2a18a8b53482091aa32cbf9210be/src/sasl/sasl_aws_server_protocol.cpp#L41

Example ARNs:

arn:aws-cn:iam::123312345293:user/some.person
arn:aws-cn:iam::123312345293:role/my-test-kms
arn:aws-us-gov:iam::123312345293:user/someone.else
arn:aws-us-gov:iam::123312345293:role/test-role

Note that for roles, Atlas converts the ARNs to the STS format.

Assignee:: Benjamin Caimano (Inactive)

Reporter:: Ralph Capasso

Participants:: Benjamin Caimano, Githook User, James Heppenstall, Ralph Capasso

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: Feb 25 2021 05:34:51 PM UTC

Updated:: Oct 29 2023 09:57:01 PM UTC

Resolved:: Mar 22 2021 07:58:49 PM UTC