Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-69464

"Attempt to switch user during SASL authentication" error when cluster is configured for x509 membership auth

    • Type: Icon: Bug Bug
    • Resolution: Duplicate
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Affects Version/s: 5.0.8, 6.0.0
    • Component/s: Security
    • None
    • Server Security
    • ALL
    • Hide

      1. Create cluster

      mlaunch init --replicaset --nodes 1 --sharded 1 --config 1 --csrs --tlsCAFile CA.pem --tlsMode preferTLS --tlsCertificateKeyFile server.pem --bind_ip_all --clusterAuthMode x509 --setParameter authenticationMechanisms=PLAIN,SCRAM-SHA-256,SCRAM-SHA-1
      

      2. Connect:

      mongo --tls --tlsCertificateKeyFile server.pem --tlsCAFile CA.pem --authenticationMechanism MONGODB-X509 --authenticationDatabase '$external' 
      

      3. In my case mlaunch is failing to add shard. So need to run the following manually:

      sh.addShard("shard01/localhost:27018")
      

      4. In the log of the shard process observe the error as in the description. User connections are not required

      Show
      1. Create cluster mlaunch init --replicaset --nodes 1 --sharded 1 --config 1 --csrs --tlsCAFile CA.pem --tlsMode preferTLS --tlsCertificateKeyFile server.pem --bind_ip_all --clusterAuthMode x509 --setParameter authenticationMechanisms=PLAIN,SCRAM-SHA-256,SCRAM-SHA-1 2. Connect: mongo --tls --tlsCertificateKeyFile server.pem --tlsCAFile CA.pem --authenticationMechanism MONGODB-X509 --authenticationDatabase '$external' 3. In my case mlaunch is failing to add shard. So need to run the following manually: sh.addShard("shard01/localhost:27018") 4. In the log of the shard process observe the error as in the description. User connections are not required

      I'm able to easily reproduce the issue from SERVER-58591 on v6.0:

      {"t":{"$date":"2022-09-06T17:15:51.971+10:00"},"s":"I",  "c":"ACCESS",   "id":5286202, "ctx":"conn24","msg":"Different user name was supplied to saslSupportedMechs","attr":{"error":{"code":17,"codeName":"ProtocolError","errmsg":"Attempt to switch database target during SASL authentication from __system@local to @$external"}}}
      {"t":{"$date":"2022-09-06T17:15:51.971+10:00"},"s":"I",  "c":"ACCESS",   "id":20429,   "ctx":"conn24","msg":"Successfully authenticated","attr":{"client":"127.0.0.1:34638","mechanism":"MONGODB-X509","user":"CN=*.domain.net,OU=mongodb,O=MongoDB,L=Sydney,ST=NSW,C=AU","db":"$external"}}
      

      I don't think there is anything wrong with the config as user connections are not required for the issue to manifest.

      This looks to be a benign issue as I don't see any functional problems with how the cluster is operating. But the fact that it is raised as an error is concerning the users.

            Assignee:
            backlog-server-security [DO NOT USE] Backlog - Security Team
            Reporter:
            dmitry.ryabtsev@mongodb.com Dmitry Ryabtsev
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: