diff options
author | Gregory Wlodarek <gregory.wlodarek@mongodb.com> | 2020-08-16 21:10:33 -0400 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2020-08-17 01:48:12 +0000 |
commit | 3cc779415f2777223b5549d3dfd1b85eef01842b (patch) | |
tree | e165efebd7b0d7d83c68f0de5d88d46b3ac2285e | |
parent | ecd1e0b022a68110ada6517f84ffd91ea8a91bca (diff) | |
download | mongo-3cc779415f2777223b5549d3dfd1b85eef01842b.tar.gz |
Revert "SERVER-48693 Add network counter for cluster authentication"
This reverts commit 24dd72daae9e4cf59ad51910058bc111f20edbff.
-rw-r--r-- | jstests/auth/auth-counters.js | 85 | ||||
-rw-r--r-- | jstests/auth/speculative-auth-replset.js | 11 | ||||
-rw-r--r-- | jstests/auth/speculative-auth-sharding.js | 45 | ||||
-rw-r--r-- | jstests/auth/speculative-sasl-start.js | 34 | ||||
-rw-r--r-- | jstests/ssl/auth-counters.js | 65 | ||||
-rw-r--r-- | jstests/ssl/speculative-auth-replset.js | 11 | ||||
-rw-r--r-- | jstests/ssl/speculative-auth-sharding.js | 25 | ||||
-rw-r--r-- | jstests/ssl/speculative-authenticate.js | 32 | ||||
-rw-r--r-- | src/mongo/client/authenticate.h | 1 | ||||
-rw-r--r-- | src/mongo/db/auth/sasl_commands.cpp | 32 | ||||
-rw-r--r-- | src/mongo/db/auth/sasl_mechanism_registry.h | 9 | ||||
-rw-r--r-- | src/mongo/db/commands/authentication_commands.cpp | 65 | ||||
-rw-r--r-- | src/mongo/db/stats/counters.cpp | 28 | ||||
-rw-r--r-- | src/mongo/db/stats/counters.h | 7 |
14 files changed, 115 insertions, 335 deletions
diff --git a/jstests/auth/auth-counters.js b/jstests/auth/auth-counters.js index f3f2af6a758..bbb66a619ae 100644 --- a/jstests/auth/auth-counters.js +++ b/jstests/auth/auth-counters.js @@ -3,15 +3,9 @@ (function() { 'use strict'; -const keyfile = 'jstests/libs/key1'; -const badKeyfile = 'jstests/libs/key2'; -let replTest = new ReplSetTest({nodes: 1, keyFile: keyfile, nodeOptions: {auth: ""}}); -replTest.startSet(); -replTest.initiate(); -let primary = replTest.getPrimary(); - -const admin = primary.getDB('admin'); -const test = primary.getDB('test'); +const mongod = MongoRunner.runMongod({auth: ''}); +const admin = mongod.getDB('admin'); +const test = mongod.getDB('test'); admin.createUser({user: 'admin', pwd: 'pwd', roles: ['root'], mechanisms: ['SCRAM-SHA-256']}); admin.auth('admin', 'pwd'); @@ -21,22 +15,21 @@ test.createUser({user: 'user256', pwd: 'pwd', roles: [], mechanisms: ['SCRAM-SHA test.createUser( {user: 'user', pwd: 'pwd', roles: [], mechanisms: ['SCRAM-SHA-1', 'SCRAM-SHA-256']}); -// Count the number of authentications performed during setup -const expected = - assert.commandWorked(admin.runCommand({serverStatus: 1})).security.authentication.mechanisms; +// admin.auth() above provides an initial count for SCRAM-SHA-256 +const expected = { + 'SCRAM-SHA-256': { + received: 1, + successful: 1, + }, +}; function assertStats() { const mechStats = assert.commandWorked(admin.runCommand({serverStatus: 1})) .security.authentication.mechanisms; Object.keys(expected).forEach(function(mech) { try { - assert.eq(mechStats[mech].authenticate.received, expected[mech].authenticate.received); - assert.eq(mechStats[mech].authenticate.successful, - expected[mech].authenticate.successful); - assert.eq(mechStats[mech].clusterAuthenticate.received, - expected[mech].clusterAuthenticate.received); - assert.eq(mechStats[mech].clusterAuthenticate.successful, - expected[mech].clusterAuthenticate.successful); + assert.eq(mechStats[mech].authenticate.received, expected[mech].received); + assert.eq(mechStats[mech].authenticate.successful, expected[mech].successful); } catch (e) { print("Mechanism: " + mech); print("mechStats: " + tojson(mechStats)); @@ -46,42 +39,23 @@ function assertStats() { }); } -function assertSuccess(creds, mech, db = test) { - assert.eq(db.auth(creds), true); - if (db !== admin) { - db.logout(); +function assertSuccess(creds, mech) { + if (expected[mech] === undefined) { + expected[mech] = {received: 0, successful: 0}; } - ++expected[mech].authenticate.received; - ++expected[mech].authenticate.successful; - assertStats(); -} - -function assertFailure(creds, mech, db = test) { - assert.eq(db.auth(creds), false); - ++expected[mech].authenticate.received; + assert.eq(test.auth(creds), true); + test.logout(); + ++expected[mech].received; + ++expected[mech].successful; assertStats(); } -function assertSuccessInternal() { - const mech = "SCRAM-SHA-1"; - // asCluster exiting cleanly indicates successful auth - assert.eq(authutil.asCluster(replTest.nodes, keyfile, () => true), true); - ++expected[mech].authenticate.received; - ++expected[mech].authenticate.successful; - ++expected[mech].clusterAuthenticate.received; - ++expected[mech].clusterAuthenticate.successful; - // we have to re-auth as admin to get stats, which are validated at the end of assertSuccess - assertSuccess({user: 'admin', pwd: 'pwd'}, 'SCRAM-SHA-256', admin); -} - -function assertFailureInternal() { - const mech = "SCRAM-SHA-1"; - // If asCluster fails, it explodes. - assert.throws(authutil.asCluster, [replTest.nodes, badKeyfile, () => true]); - ++expected[mech].authenticate.received; - ++expected[mech].clusterAuthenticate.received; - // we have to re-auth as admin to get stats, which are validated at the end of assertSuccess - assertSuccess({user: 'admin', pwd: 'pwd'}, 'SCRAM-SHA-256', admin); +function assertFailure(creds, mech) { + if (expected[mech] === undefined) { + expected[mech] = {received: 0, successful: 0}; + } + assert.eq(test.auth(creds), false); + ++expected[mech].received; assertStats(); } @@ -112,16 +86,9 @@ assertFailure({user: 'user', pwd: 'haxx', mechanism: 'SCRAM-SHA-1'}, 'SCRAM-SHA- assertFailure({user: 'user1', pwd: 'pwd', mechanism: 'SCRAM-SHA-256'}, 'SCRAM-SHA-256'); assertFailure({user: 'user256', pwd: 'pwd', mechanism: 'SCRAM-SHA-1'}, 'SCRAM-SHA-1'); -// Cluster auth counter checks. -assertSuccessInternal(); -assertFailureInternal(); - -// Need to auth as admin one more time to get final stats. -admin.auth('admin', 'pwd'); - const finalStats = assert.commandWorked(admin.runCommand({serverStatus: 1})).security.authentication.mechanisms; -replTest.stopSet(); +MongoRunner.stopMongod(mongod); printjson(finalStats); })(); diff --git a/jstests/auth/speculative-auth-replset.js b/jstests/auth/speculative-auth-replset.js index d6f9a52c03a..dfa985321a3 100644 --- a/jstests/auth/speculative-auth-replset.js +++ b/jstests/auth/speculative-auth-replset.js @@ -39,17 +39,14 @@ const mechStats = printjson(mechStats); assert(mechStats['SCRAM-SHA-256'] !== undefined); Object.keys(mechStats).forEach(function(mech) { - const specStats = mechStats[mech].speculativeAuthenticate; - const clusterStats = mechStats[mech].clusterAuthenticate; + const stats = mechStats[mech].speculativeAuthenticate; if (mech === 'SCRAM-SHA-256') { - assert.gte(specStats.received, 2); - assert.gte(clusterStats.received, 2); + assert.gte(stats.received, 2); } else { - assert.eq(specStats.received, 0); + assert.eq(stats.received, 0); } - assert.eq(specStats.received, specStats.successful); - assert.eq(clusterStats.received, clusterStats.successful); + assert.eq(stats.received, stats.successful); }); test(baseURI); diff --git a/jstests/auth/speculative-auth-sharding.js b/jstests/auth/speculative-auth-sharding.js index d8bcae94ed9..008eafac08d 100644 --- a/jstests/auth/speculative-auth-sharding.js +++ b/jstests/auth/speculative-auth-sharding.js @@ -20,37 +20,26 @@ let lastStats = assert.commandWorked(admin.runCommand({serverStatus: 1})).security.authentication.mechanisms; jsTest.log('Inintial stats: ' + lastStats); -function test(uri, incrMech, isClusterAuth = false) { +function test(uri, incrMech) { jsTest.log('Connecting to: ' + uri); assert.eq(runMongoProgram('mongo', uri, '--eval', ';'), 0); const stats = assert.commandWorked(admin.runCommand({serverStatus: 1})) .security.authentication.mechanisms; - try { - assert.eq(Object.keys(lastStats).length, Object.keys(stats).length); - Object.keys(lastStats).forEach(function(mech) { - const inc = (mech === incrMech) ? 1 : 0; - const clusterInc = (mech === incrMech && isClusterAuth) ? 1 : 0; - - const specBefore = lastStats[mech].speculativeAuthenticate; - const specAfter = stats[mech].speculativeAuthenticate; - assert.eq(specAfter.received, specBefore.received + inc); - assert.eq(specAfter.successful, specBefore.successful + inc); - - const clusterBefore = lastStats[mech].clusterAuthenticate; - const clusterAfter = stats[mech].clusterAuthenticate; - assert.eq(clusterAfter.received, clusterBefore.received + clusterInc); - assert.eq(clusterAfter.successful, clusterBefore.successful + clusterInc); - - const allBefore = lastStats[mech].authenticate; - const allAfter = stats[mech].authenticate; - assert.eq(allAfter.received, allBefore.received + inc); - assert.eq(allAfter.successful, allBefore.successful + inc); - }); - } catch (e) { - print("Stats: " + tojson(stats)); - throw e; - } + assert.eq(Object.keys(lastStats).length, Object.keys(stats).length); + Object.keys(lastStats).forEach(function(mech) { + const inc = (mech == incrMech) ? 1 : 0; + + const specBefore = lastStats[mech].speculativeAuthenticate; + const specAfter = stats[mech].speculativeAuthenticate; + assert.eq(specAfter.received, specBefore.received + inc); + assert.eq(specAfter.successful, specBefore.successful + inc); + + const allBefore = lastStats[mech].authenticate; + const allAfter = stats[mech].authenticate; + assert.eq(allAfter.received, allBefore.received + inc); + assert.eq(allAfter.successful, allBefore.successful + inc); + }); lastStats = stats; } @@ -59,10 +48,6 @@ const baseURI = 'mongodb://admin:pwd@' + st.s.host + '/admin'; test(baseURI, fallbackMech); test(baseURI + '?authMechanism=SCRAM-SHA-1', 'SCRAM-SHA-1'); test(baseURI + '?authMechanism=SCRAM-SHA-256', 'SCRAM-SHA-256'); -const systemPass = cat(keyfile).replace(/\s/g, ''); -test('mongodb://__system:' + systemPass + '@' + st.s.host + '/admin?authMechanisms=SCRAM-SHA-256', - 'SCRAM-SHA-256', - true); admin.logout(); st.stop(); diff --git a/jstests/auth/speculative-sasl-start.js b/jstests/auth/speculative-sasl-start.js index 1518cceeb01..8db5d03dcb7 100644 --- a/jstests/auth/speculative-sasl-start.js +++ b/jstests/auth/speculative-sasl-start.js @@ -3,8 +3,7 @@ (function() { 'use strict'; -const keyFile = 'jstests/libs/key1'; -const mongod = MongoRunner.runMongod({auth: '', keyFile: keyFile}); +const mongod = MongoRunner.runMongod({auth: ''}); const admin = mongod.getDB('admin'); admin.createUser( @@ -36,22 +35,10 @@ assertStats(function(mechStats) { }); }); -// No "intra-cluster" auth attempts yet. -assertStats(function(mechStats) { - Object.keys(mechStats).forEach(function(mech) { - const stats = mechStats[mech].clusterAuthenticate; - assert.eq(stats.received, 0); - assert.eq(stats.successful, 0); - }); -}); - -function expectN(mechStats, mech, N1, M1, N2 = 0, M2 = 0) { - const specStats = mechStats[mech].speculativeAuthenticate; - const clusterStats = mechStats[mech].clusterAuthenticate; - assert.eq(N1, specStats.received); - assert.eq(M1, specStats.successful); - assert.eq(N2, clusterStats.received); - assert.eq(M2, clusterStats.successful); +function expectN(mechStats, mech, N, M) { + const stats = mechStats[mech].speculativeAuthenticate; + assert.eq(N, stats.received); + assert.eq(M, stats.successful); } const baseOKURI = 'mongodb://admin:pwd@localhost:' + mongod.port + '/admin'; @@ -110,16 +97,5 @@ mongod.getDB('test').createUser({user: 'alice', pwd: 'secret', roles: []}); test('mongodb://alice:secret@localhost:' + mongod.port + '/test', true); assertStats((s) => expectN(s, 'SCRAM-SHA-256', 7, 3)); -// Test "intra-cluster" speculative authentication. -const systemPass = cat(keyFile).replace(/\s/g, ''); -test('mongodb://__system:' + systemPass + '@localhost:' + mongod.port + '/admin' + - '?authMechanism=SCRAM-SHA-256', - true); -assertStats((s) => expectN(s, 'SCRAM-SHA-256', 8, 4, 1, 1)); -test('mongodb://__system:hunter2@localhost:' + mongod.port + '/admin' + - '?authMechanism=SCRAM-SHA-256', - false); -assertStats((s) => expectN(s, 'SCRAM-SHA-256', 9, 4, 3, 1)); - MongoRunner.stopMongod(mongod); })(); diff --git a/jstests/ssl/auth-counters.js b/jstests/ssl/auth-counters.js index 04274ef8578..6eaafa3735e 100644 --- a/jstests/ssl/auth-counters.js +++ b/jstests/ssl/auth-counters.js @@ -3,13 +3,11 @@ (function() { 'use strict'; -const x509 = "MONGODB-X509"; const mongod = MongoRunner.runMongod({ auth: '', tlsMode: 'requireTLS', tlsCertificateKeyFile: 'jstests/libs/server.pem', tlsCAFile: 'jstests/libs/ca.pem', - clusterAuthMode: "x509", }); const admin = mongod.getDB('admin'); const external = mongod.getDB('$external'); @@ -22,79 +20,46 @@ external.createUser({user: X509USER, roles: []}); // This test ignores counters for SCRAM-SHA-*. // For those, see jstests/auth/auth-counters.js -const expected = assert.commandWorked(admin.runCommand({serverStatus: 1})) - .security.authentication.mechanisms[x509]; +const expected = { + received: 0, + successful: 0 +}; function assertStats() { const mechStats = assert.commandWorked(admin.runCommand({serverStatus: 1})) - .security.authentication.mechanisms[x509]; - try { - assert.eq(mechStats.authenticate.received, expected.authenticate.received); - assert.eq(mechStats.authenticate.successful, expected.authenticate.successful); - assert.eq(mechStats.clusterAuthenticate.received, expected.clusterAuthenticate.received); - assert.eq(mechStats.clusterAuthenticate.successful, - expected.clusterAuthenticate.successful); - } catch (e) { - print("mechStats: " + tojson(mechStats)); - print("expected: " + tojson(expected)); - throw e; - } + .security.authentication.mechanisms['MONGODB-X509'] + .authenticate; + assert.eq(mechStats.received, expected.received); + assert.eq(mechStats.successful, expected.successful); } function assertSuccess(creds) { assert.eq(external.auth(creds), true); external.logout(); - ++expected.authenticate.received; - ++expected.authenticate.successful; + ++expected.received; + ++expected.successful; assertStats(); } function assertFailure(creds) { assert.eq(external.auth(creds), false); - ++expected.authenticate.received; - assertStats(); -} - -function assertSuccessInternal() { - assert.eq(runMongoProgram("mongo", - "--tls", - "--port", - mongod.port, - "--tlsCertificateKeyFile", - "jstests/libs/server.pem", - "--tlsCAFile", - "jstests/libs/ca.pem", - "--authenticationDatabase", - "$external", - "--authenticationMechanism", - "MONGODB-X509", - "--eval", - ";"), - 0); - ++expected.authenticate.received; - ++expected.authenticate.successful; - ++expected.clusterAuthenticate.received; - ++expected.clusterAuthenticate.successful; + ++expected.received; assertStats(); } // User from certificate should work. -assertSuccess({mechanism: x509}); +assertSuccess({mechanism: 'MONGODB-X509'}); // Explicitly named user. -assertSuccess({user: X509USER, mechanism: x509}); - -// Cluster auth counter checks. -// We can't test failures with the __system user without the handshake failing, -// which won't increment the counters. -assertSuccessInternal(); +assertSuccess({user: X509USER, mechanism: 'MONGODB-X509'}); // Fails once the user no longer exists. external.dropUser(X509USER); -assertFailure({mechanism: x509}); +assertFailure({mechanism: 'MONGODB-X509'}); const finalStats = assert.commandWorked(admin.runCommand({serverStatus: 1})).security.authentication.mechanisms; MongoRunner.stopMongod(mongod); + printjson(finalStats); })(); diff --git a/jstests/ssl/speculative-auth-replset.js b/jstests/ssl/speculative-auth-replset.js index d23ad32802b..3c10b53b678 100644 --- a/jstests/ssl/speculative-auth-replset.js +++ b/jstests/ssl/speculative-auth-replset.js @@ -37,16 +37,13 @@ const mechStats = printjson(mechStats); assert(mechStats['MONGODB-X509'] !== undefined); Object.keys(mechStats).forEach(function(mech) { - const specStats = mechStats[mech].speculativeAuthenticate; - const clusterStats = mechStats[mech].clusterAuthenticate; + const stats = mechStats[mech].speculativeAuthenticate; if (mech === 'MONGODB-X509') { - assert.gte(specStats.received, 2); - assert.gte(clusterStats.received, 2); + assert.gte(stats.received, 2); } else { - assert.eq(specStats.received, 0); + assert.eq(stats.received, 0); } - assert.eq(specStats.received, specStats.successful); - assert.eq(clusterStats.received, clusterStats.successful); + assert.eq(stats.received, stats.successful); }); admin.logout(); diff --git a/jstests/ssl/speculative-auth-sharding.js b/jstests/ssl/speculative-auth-sharding.js index 7a198c7983b..56af5fddaca 100644 --- a/jstests/ssl/speculative-auth-sharding.js +++ b/jstests/ssl/speculative-auth-sharding.js @@ -55,17 +55,6 @@ assert.eq(runMongoProgram('mongo', '--eval', ';'), 0); -assert.eq(runMongoProgram('mongo', - uri, - '--tls', - '--tlsCertificateKeyFile', - SERVER_CERT, - '--tlsCAFile', - CA_CERT, - '--tlsAllowInvalidHostnames', - '--eval', - ';'), - 0); const authStats = assert.commandWorked(admin.runCommand({serverStatus: 1})) .security.authentication.mechanisms['MONGODB-X509']; @@ -74,20 +63,14 @@ jsTest.log('Authenticated stats: ' + tojson(authStats)); // Got and succeeded an additional speculation. const initSpec = initialStats.speculativeAuthenticate; const authSpec = authStats.speculativeAuthenticate; -assert.eq(authSpec.received, initSpec.received + 2); -assert.eq(authSpec.successful, initSpec.successful + 2); +assert.eq(authSpec.received, initSpec.received + 1); +assert.eq(authSpec.successful, initSpec.successful + 1); // Got and succeeded an additional auth. const initAuth = initialStats.authenticate; const authAuth = authStats.authenticate; -assert.eq(authAuth.received, initAuth.received + 2); -assert.eq(authAuth.successful, initAuth.successful + 2); - -// Got and succeeded intra-cluster auth. -const initCluster = initialStats.clusterAuthenticate; -const authCluster = authStats.clusterAuthenticate; -assert.eq(authCluster.received, initCluster.received + 1); -assert.eq(authCluster.successful, initCluster.successful + 1); +assert.eq(authAuth.received, initAuth.received + 1); +assert.eq(authAuth.successful, initAuth.successful + 1); ///////////////////////////////////////////////////////////////////////////// diff --git a/jstests/ssl/speculative-authenticate.js b/jstests/ssl/speculative-authenticate.js index 492469466df..41b7139230f 100644 --- a/jstests/ssl/speculative-authenticate.js +++ b/jstests/ssl/speculative-authenticate.js @@ -8,7 +8,6 @@ const mongod = MongoRunner.runMongod({ tlsMode: 'requireTLS', tlsCertificateKeyFile: 'jstests/libs/server.pem', tlsCAFile: 'jstests/libs/ca.pem', - clusterAuthMode: "x509", }); const admin = mongod.getDB('admin'); const external = mongod.getDB('$external'); @@ -33,19 +32,6 @@ function test(uri) { assert.eq(0, x509); } -function testInternal(uri) { - const x509 = runMongoProgram('mongo', - '--tls', - '--tlsCAFile', - 'jstests/libs/ca.pem', - '--tlsCertificateKeyFile', - 'jstests/libs/server.pem', - uri, - '--eval', - ';'); - assert.eq(0, x509); -} - function assertStats(cb) { const mechStats = assert.commandWorked(admin.runCommand({serverStatus: 1})) .security.authentication.mechanisms; @@ -78,23 +64,5 @@ assertStats(function(mechStats) { assert.eq(stats.successful, 1); }); -// We haven't done any cluster auth yet, so clusterAuthenticate counts should be 0 -assertStats(function(mechStats) { - const stats = mechStats['MONGODB-X509'].clusterAuthenticate; - assert.eq(stats.received, 0); - assert.eq(stats.successful, 0); -}); - -// Connect intra-cluster with speculation. -testInternal(baseURI + '?authMechanism=MONGODB-X509'); -assertStats(function(mechStats) { - const specStats = mechStats['MONGODB-X509'].speculativeAuthenticate; - const clusterStats = mechStats['MONGODB-X509'].clusterAuthenticate; - assert.eq(specStats.received, 2); - assert.eq(specStats.successful, 2); - assert.eq(clusterStats.received, 1); - assert.eq(clusterStats.successful, 1); -}); - MongoRunner.stopMongod(mongod); })(); diff --git a/src/mongo/client/authenticate.h b/src/mongo/client/authenticate.h index 44d90eae612..ee50f8c8ade 100644 --- a/src/mongo/client/authenticate.h +++ b/src/mongo/client/authenticate.h @@ -72,7 +72,6 @@ constexpr auto kMechanismMongoAWS = "MONGODB-AWS"_sd; constexpr auto kInternalAuthFallbackMechanism = kMechanismScramSha1; constexpr auto kSpeculativeAuthenticate = "speculativeAuthenticate"_sd; -constexpr auto kClusterAuthenticate = "clusterAuthenticate"_sd; constexpr auto kAuthenticateCommand = "authenticate"_sd; /** diff --git a/src/mongo/db/auth/sasl_commands.cpp b/src/mongo/db/auth/sasl_commands.cpp index 81d784e64a3..7f4b1010462 100644 --- a/src/mongo/db/auth/sasl_commands.cpp +++ b/src/mongo/db/auth/sasl_commands.cpp @@ -335,26 +335,18 @@ bool runSaslStart(OperationContext* opCtx, } std::string principalName; - try { - auto session = - uassertStatusOK(doSaslStart(opCtx, db, cmdObj, &result, &principalName, speculative)); - const bool isClusterMember = session->getMechanism().isClusterMember(); - if (isClusterMember) { - uassertStatusOK(authCounter.incClusterAuthenticateReceived(mechanismName)); - } - if (session->getMechanism().isSuccess()) { + auto swSession = doSaslStart(opCtx, db, cmdObj, &result, &principalName, speculative); + + if (!swSession.isOK() || swSession.getValue()->getMechanism().isSuccess()) { + audit::logAuthentication( + client, mechanismName, UserName(principalName, db), swSession.getStatus().code()); + uassertStatusOK(swSession.getStatus()); + if (swSession.getValue()->getMechanism().isSuccess()) { uassertStatusOK(authCounter.incAuthenticateSuccessful(mechanismName)); - if (isClusterMember) { - uassertStatusOK(authCounter.incClusterAuthenticateSuccessful(mechanismName)); - } - audit::logAuthentication( - client, mechanismName, UserName(principalName, db), Status::OK().code()); - } else { - AuthenticationSession::swap(client, session); } - } catch (const AssertionException& ex) { - audit::logAuthentication(client, mechanismName, UserName(principalName, db), ex.code()); - throw; + } else { + auto session = std::move(swSession.getValue()); + AuthenticationSession::swap(client, session); } return true; @@ -416,10 +408,6 @@ bool CmdSaslContinue::run(OperationContext* opCtx, if (mechanism.isSuccess()) { uassertStatusOK( authCounter.incAuthenticateSuccessful(mechanism.mechanismName().toString())); - if (mechanism.isClusterMember()) { - uassertStatusOK(authCounter.incClusterAuthenticateSuccessful( - mechanism.mechanismName().toString())); - } } } else { AuthenticationSession::swap(client, sessionGuard); diff --git a/src/mongo/db/auth/sasl_mechanism_registry.h b/src/mongo/db/auth/sasl_mechanism_registry.h index 0215328d9cb..98f2d8ddae9 100644 --- a/src/mongo/db/auth/sasl_mechanism_registry.h +++ b/src/mongo/db/auth/sasl_mechanism_registry.h @@ -155,15 +155,6 @@ public: } /** - * Provides logic for determining if a user is a cluster member or an actual client for SASL - * authentication mechanisms - */ - bool isClusterMember() const { - return _principalName == internalSecurity.user->getName().getUser().toString() && - getAuthenticationDatabase() == internalSecurity.user->getName().getDB(); - }; - - /** * Performs a single step of a SASL exchange. Takes an input provided by a client, * and either returns an error, or a response to be sent back. */ diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp index c3ba51aef15..77f014207fb 100644 --- a/src/mongo/db/commands/authentication_commands.cpp +++ b/src/mongo/db/commands/authentication_commands.cpp @@ -44,7 +44,6 @@ #include "mongo/client/sasl_client_authenticate.h" #include "mongo/config.h" #include "mongo/db/audit.h" -#include "mongo/db/auth/authentication_session.h" #include "mongo/db/auth/authorization_session.h" #include "mongo/db/auth/privilege.h" #include "mongo/db/auth/sasl_options.h" @@ -293,48 +292,48 @@ bool CmdAuthenticate::run(OperationContext* opCtx, user = internalSecurity.user->getName(); } - try { - uassertStatusOK(authCounter.incAuthenticateReceived(mechanism)); - const bool isClusterMember = - opCtx->getClient()->session()->getSSLConfiguration()->isClusterMember(user.getUser()); - if (isClusterMember) { - uassertStatusOK(authCounter.incClusterAuthenticateReceived(mechanism)); - } - - uassertStatusOK(_authenticate(opCtx, mechanism, user, cmdObj)); - audit::logAuthentication(opCtx->getClient(), mechanism, user, Status::OK().code()); + Status status = authCounter.incAuthenticateReceived(mechanism); + if (status.isOK()) { + status = _authenticate(opCtx, mechanism, user, cmdObj); + } + audit::logAuthentication(Client::getCurrent(), mechanism, user, status.code()); + if (!status.isOK()) { if (!serverGlobalParams.quiet.load()) { - LOGV2(20429, - "Successfully authenticated as principal {user} on {db} from client {client}", - "Successfully authenticated", - "user"_attr = user.getUser(), - "db"_attr = user.getDB(), - "client"_attr = opCtx->getClient()->session()->remote()); - } - - uassertStatusOK(authCounter.incAuthenticateSuccessful(mechanism)); - if (isClusterMember) { - uassertStatusOK(authCounter.incClusterAuthenticateSuccessful(mechanism)); - } - - result.append("dbname", user.getDB()); - result.append("user", user.getUser()); - return true; - } catch (const AssertionException& ex) { - auto status = ex.toStatus(); - auto const client = opCtx->getClient(); - audit::logAuthentication(Client::getCurrent(), mechanism, user, status.code()); - if (!serverGlobalParams.quiet.load()) { + auto const client = opCtx->getClient(); LOGV2(20428, + "Failed to authenticate {user} from client {client} with mechanism " + "{mechanism}: {error}", "Failed to authenticate", "user"_attr = user, "client"_attr = client->getRemote(), "mechanism"_attr = mechanism, "error"_attr = status); } - throw; + sleepmillis(saslGlobalParams.authFailedDelay.load()); + if (status.code() == ErrorCodes::AuthenticationFailed) { + // Statuses with code AuthenticationFailed may contain messages we do not wish to + // reveal to the user, so we return a status with the message "auth failed". + uasserted(ErrorCodes::AuthenticationFailed, "auth failed"); + } else { + uassertStatusOK(status); + } + return false; } + + if (!serverGlobalParams.quiet.load()) { + LOGV2(20429, + "Successfully authenticated as principal {user} on {db} from client {client}", + "Successfully authenticated", + "user"_attr = user.getUser(), + "db"_attr = user.getDB(), + "client"_attr = opCtx->getClient()->session()->remote()); + } + + uassertStatusOK(authCounter.incAuthenticateSuccessful(mechanism)); + result.append("dbname", user.getDB()); + result.append("user", user.getUser()); + return true; } Status CmdAuthenticate::_authenticate(OperationContext* opCtx, diff --git a/src/mongo/db/stats/counters.cpp b/src/mongo/db/stats/counters.cpp index 4180275393b..63a0b6eb66d 100644 --- a/src/mongo/db/stats/counters.cpp +++ b/src/mongo/db/stats/counters.cpp @@ -244,24 +244,6 @@ Status AuthCounter::incAuthenticateSuccessful(const std::string& mechanism) try << " which is not enabled"}; } -Status AuthCounter::incClusterAuthenticateReceived(const std::string& mechanism) try { - _mechanisms.at(mechanism).clusterAuthenticate.received.fetchAndAddRelaxed(1); - return Status::OK(); -} catch (const std::out_of_range&) { - return {ErrorCodes::BadValue, - str::stream() << "Received authentication for mechanism " << mechanism - << " which is unknown or not enabled"}; -} - -Status AuthCounter::incClusterAuthenticateSuccessful(const std::string& mechanism) try { - _mechanisms.at(mechanism).clusterAuthenticate.successful.fetchAndAddRelaxed(1); - return Status::OK(); -} catch (const std::out_of_range&) { - return {ErrorCodes::BadValue, - str::stream() << "Received authentication for mechanism " << mechanism - << " which is not enabled"}; -} - /** * authentication: { * "mechanisms": { @@ -293,16 +275,6 @@ void AuthCounter::append(BSONObjBuilder* b) { } { - const auto received = it.second.clusterAuthenticate.received.load(); - const auto successful = it.second.clusterAuthenticate.successful.load(); - - BSONObjBuilder clusterAuthBuilder(mechBuilder.subobjStart(auth::kClusterAuthenticate)); - clusterAuthBuilder.append("received", received); - clusterAuthBuilder.append("successful", successful); - clusterAuthBuilder.done(); - } - - { const auto received = it.second.authenticate.received.load(); const auto successful = it.second.authenticate.successful.load(); diff --git a/src/mongo/db/stats/counters.h b/src/mongo/db/stats/counters.h index a202746be03..9b10cb2a049 100644 --- a/src/mongo/db/stats/counters.h +++ b/src/mongo/db/stats/counters.h @@ -226,9 +226,6 @@ public: Status incAuthenticateReceived(const std::string& mechanism); Status incAuthenticateSuccessful(const std::string& mechanism); - Status incClusterAuthenticateReceived(const std::string& mechanism); - Status incClusterAuthenticateSuccessful(const std::string& mechanism); - void append(BSONObjBuilder*); void initializeMechanismMap(const std::vector<std::string>&); @@ -243,10 +240,6 @@ private: AtomicWord<long long> received; AtomicWord<long long> successful; } authenticate; - struct { - AtomicWord<long long> received; - AtomicWord<long long> successful; - } clusterAuthenticate; }; using MechanismMap = std::map<std::string, MechanismData>; |