authorAmalia Hawkins <amalia.hawkins@10gen.com>2014-10-10 17:13:23 -0400
committerAmalia Hawkins <amalia.hawkins@10gen.com>2014-10-10 17:13:23 -0400
commit8dff7bcaa38a52180eba26793446ee7e2855a1e4 (patch)
treedc916956cc2b2a02cf933677011763c820639f4c
parentb77054789b59c9284df70928c1d0d76770fd5c25 (diff)
downloadmongo-8dff7bcaa38a52180eba26793446ee7e2855a1e4.tar.gz
Revert "SERVER-15198 Make scramIterationCount user configurable"
This reverts commits bf48f38 and 57e21a1.
-rw-r--r--src/mongo/crypto/mechanism_scram.cpp4
-rw-r--r--src/mongo/crypto/mechanism_scram.h2
-rw-r--r--src/mongo/db/auth/authorization_manager.cpp4
-rw-r--r--src/mongo/db/auth/sasl_options.cpp37
-rw-r--r--src/mongo/db/auth/sasl_options.h1
-rw-r--r--src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp6
-rw-r--r--src/mongo/db/auth/security_key.cpp4
-rw-r--r--src/mongo/db/commands/user_management_commands.cpp9
8 files changed, 10 insertions, 57 deletions
diff --git a/src/mongo/crypto/mechanism_scram.cpp b/src/mongo/crypto/mechanism_scram.cpp
index d77a0c72b85..1b6eaf88ea9 100644
--- a/src/mongo/crypto/mechanism_scram.cpp
+++ b/src/mongo/crypto/mechanism_scram.cpp
@@ -139,8 +139,10 @@ namespace scram {
&hashLen));
}
- BSONObj generateCredentials(const std::string& hashedPassword, int iterationCount) {
+ BSONObj generateCredentials(const std::string& hashedPassword) {
+ // TODO: configure the default iteration count via setParameter
+ const int iterationCount = 10;
const int saltLenQWords = 2;
// Generate salt
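Review bot: The new body fixes the SCRAM iteration count at `const int iterationCount = 10;`, which is far below both the 10000 default and the 5000 minimum that the reverted sasl_options.cpp code defined (its removed lines are still visible later in this diff), and below the 4096 floor RFC 5802 gives for SCRAM; because the salt and storedKey derived with this count are what gets persisted in the user document, the count is what decides how expensive an offline guess against a leaked credential is. Every caller in this revert — authorization_manager.cpp, sasl_scramsha1_server_conversation.cpp, security_key.cpp and both hunks of user_management_commands.cpp — now inherits this one constant, so it is the single place to correct: `const int iterationCount = 10000;`, keeping the TODO until setParameter support is restored. The removed mixed-mode path used 5000 explicitly; if that lower value was a deliberate cost trade-off for on-the-fly generation, that intent is now lost and belongs in a comment next to the constant. generateCredentials continues past the end of this hunk.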
diff --git a/src/mongo/crypto/mechanism_scram.h b/src/mongo/crypto/mechanism_scram.h
index 19d7e2b1c8b..fc6da4aea9c 100644
--- a/src/mongo/crypto/mechanism_scram.h
+++ b/src/mongo/crypto/mechanism_scram.h
@@ -69,7 +69,7 @@ namespace scram {
* Generates the user salt and the SCRAM secrets storedKey and serverKey as
* defined in RFC5802 (server side).
*/
- BSONObj generateCredentials(const std::string& hashedPassword, int iterationCount);
+ BSONObj generateCredentials(const std::string& hashedPassword);
/*
* Computes the ClientProof from SaltedPassword and authMessage (client side).
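Review bot: The header comment above the new signature no longer says where the iteration count comes from now that the parameter is gone, although callers in this same diff (sasl_scramsha1_server_conversation.cpp, security_key.cpp) read it back from the returned object through `scram::iterationCountFieldName`. That contract should be stated in the declaration's comment, for example by adding `* The iteration count is chosen internally and returned in the iterationCount` / `* field of the resulting object alongside the salt and the two keys.` The hunk only touches the declaration, so no other code is affected.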
diff --git a/src/mongo/db/auth/authorization_manager.cpp b/src/mongo/db/auth/authorization_manager.cpp
index be5024e0a78..1379bdd1797 100644
--- a/src/mongo/db/auth/authorization_manager.cpp
+++ b/src/mongo/db/auth/authorization_manager.cpp
@@ -48,7 +48,6 @@
#include "mongo/db/auth/authz_manager_external_state.h"
#include "mongo/db/auth/privilege.h"
#include "mongo/db/auth/role_graph.h"
-#include "mongo/db/auth/sasl_options.h"
#include "mongo/db/auth/user.h"
#include "mongo/db/auth/user_document_parser.h"
#include "mongo/db/auth/user_name.h"
@@ -779,8 +778,7 @@ namespace {
{
BSONObjBuilder toSetBuilder(updateBuilder.subobjStart("$set"));
toSetBuilder << "credentials" <<
- BSON("SCRAM-SHA-1" << scram::generateCredentials(hashedPassword,
- saslGlobalParams.scramIterationCount));
+ BSON("SCRAM-SHA-1" << scram::generateCredentials(hashedPassword));
}
uassertStatusOK(externalState->updateOne(txn,
diff --git a/src/mongo/db/auth/sasl_options.cpp b/src/mongo/db/auth/sasl_options.cpp
index 7261d8b49f0..40fc536656c 100644
--- a/src/mongo/db/auth/sasl_options.cpp
+++ b/src/mongo/db/auth/sasl_options.cpp
@@ -33,7 +33,6 @@
#include "mongo/base/status.h"
#include "mongo/db/server_parameters.h"
#include "mongo/util/log.h"
-#include "mongo/util/mongoutils/str.h"
#include "mongo/util/options_parser/startup_option_init.h"
#include "mongo/util/options_parser/startup_options.h"
@@ -41,16 +40,11 @@ namespace mongo {
SASLGlobalParams saslGlobalParams;
- const int defaultScramIterationCount = 10000;
- const int minimumScramIterationCount = 5000;
-
+ // Authentication mechanisms supported by default
SASLGlobalParams::SASLGlobalParams() {
- // Authentication mechanisms supported by default.
authenticationMechanisms.push_back("MONGODB-CR");
authenticationMechanisms.push_back("MONGODB-X509");
authenticationMechanisms.push_back("SCRAM-SHA-1");
- // Default iteration count for SCRAM authentication.
- scramIterationCount = defaultScramIterationCount;
}
Status addSASLOptions(moe::OptionSection* options) {
@@ -89,7 +83,6 @@ namespace mongo {
bool haveHostName = false;
bool haveServiceName = false;
bool haveAuthdPath = false;
- bool haveScramIterationCount = false;
// Check our setParameter options first so that these values can be properly overridden via
// the command line even though the options have different names.
@@ -110,9 +103,6 @@ namespace mongo {
else if (parametersIt->first == "saslauthdPath") {
haveAuthdPath = true;
}
- else if (parametersIt->first == "scramIterationCount") {
- haveScramIterationCount = true;
- }
}
}
@@ -133,10 +123,6 @@ namespace mongo {
saslGlobalParams.authdPath =
params["security.sasl.saslauthdSocketPath"].as<std::string>();
}
- if (params.count("security.sasl.scramIterationCount") && !haveScramIterationCount) {
- saslGlobalParams.scramIterationCount =
- params["security.sasl.scramIterationCount"].as<int>();
- }
return Status::OK();
}
@@ -176,25 +162,4 @@ namespace mongo {
true, // Change at startup
false); // Change at runtime
- const std::string scramIterationCountServerParameter = "scramIterationCount";
- class ExportedScramIterationCountParameter : public ExportedServerParameter<int> {
- public:
- ExportedScramIterationCountParameter():
- ExportedServerParameter<int>(ServerParameterSet::getGlobal(),
- scramIterationCountServerParameter,
- &saslGlobalParams.scramIterationCount,
- true, // Change at startup
- true) {} // Change at runtime
-
- virtual Status validate(const int& newValue) {
- if (newValue < minimumScramIterationCount) {
- return Status(ErrorCodes::BadValue, mongoutils::str::stream() <<
- "Invalid value for SCRAM iteration count: " << newValue <<
- " is less than the minimum SCRAM iteration count, " <<
- minimumScramIterationCount);
- }
- return Status::OK();
- }
- } scramIterationCountParam;
-
} // namespace mongo
diff --git a/src/mongo/db/auth/sasl_options.h b/src/mongo/db/auth/sasl_options.h
index cc649adeeba..77ca66ad1d0 100644
--- a/src/mongo/db/auth/sasl_options.h
+++ b/src/mongo/db/auth/sasl_options.h
@@ -48,7 +48,6 @@ namespace optionenvironment {
std::string hostName;
std::string serviceName;
std::string authdPath;
- int scramIterationCount;
SASLGlobalParams();
};
diff --git a/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp b/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp
index fea81975990..791fe137b11 100644
--- a/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp
+++ b/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp
@@ -158,11 +158,7 @@ namespace mongo {
// Generate SCRAM credentials on the fly for mixed MONGODB-CR/SCRAM mode.
if (_creds.scram.salt.empty() && !_creds.password.empty()) {
- // Use a default value of 5000 for the scramIterationCount when in mixed mode,
- // overriding the default value (10000) used for SCRAM mode or the user-given value.
- const int mixedModeScramIterationCount = 5000;
- BSONObj scramCreds = scram::generateCredentials(_creds.password,
- mixedModeScramIterationCount);
+ BSONObj scramCreds = scram::generateCredentials(_creds.password);
_creds.scram.iterationCount = scramCreds[scram::iterationCountFieldName].Int();
_creds.scram.salt = scramCreds[scram::saltFieldName].String();
_creds.scram.storedKey = scramCreds[scram::storedKeyFieldName].String();
diff --git a/src/mongo/db/auth/security_key.cpp b/src/mongo/db/auth/security_key.cpp
index 19860e87a9e..dcc0f7866a3 100644
--- a/src/mongo/db/auth/security_key.cpp
+++ b/src/mongo/db/auth/security_key.cpp
@@ -44,7 +44,6 @@
#include "mongo/db/auth/action_type.h"
#include "mongo/db/auth/authorization_manager.h"
#include "mongo/db/auth/privilege.h"
-#include "mongo/db/auth/sasl_options.h"
#include "mongo/db/auth/user.h"
#include "mongo/db/server_options.h"
#include "mongo/util/log.h"
@@ -189,8 +188,7 @@ namespace mongo {
credentials.password = mongo::createPasswordDigest(
internalSecurity.user->getName().getUser().toString(), str);
- BSONObj creds = scram::generateCredentials(credentials.password,
- saslGlobalParams.scramIterationCount);
+ BSONObj creds = scram::generateCredentials(credentials.password);
credentials.scram.iterationCount = creds[scram::iterationCountFieldName].Int();
credentials.scram.salt = creds[scram::saltFieldName].String();
credentials.scram.storedKey = creds[scram::storedKeyFieldName].String();
diff --git a/src/mongo/db/commands/user_management_commands.cpp b/src/mongo/db/commands/user_management_commands.cpp
index 323ecd98527..1ad96735842 100644
--- a/src/mongo/db/commands/user_management_commands.cpp
+++ b/src/mongo/db/commands/user_management_commands.cpp
@@ -51,7 +51,6 @@
#include "mongo/db/auth/authorization_session.h"
#include "mongo/db/auth/privilege.h"
#include "mongo/db/auth/resource_pattern.h"
-#include "mongo/db/auth/sasl_options.h"
#include "mongo/db/auth/user.h"
#include "mongo/db/auth/user_document_parser.h"
#include "mongo/db/auth/user_management_commands_parser.h"
@@ -439,9 +438,7 @@ namespace mongo {
// Add SCRAM credentials for appropriate authSchemaVersions.
if (authzVersion > AuthorizationManager::schemaVersion26Final) {
- BSONObj scramCred = scram::generateCredentials(
- args.hashedPassword,
- saslGlobalParams.scramIterationCount);
+ BSONObj scramCred = scram::generateCredentials(args.hashedPassword);
credentialsBuilder.append("SCRAM-SHA-1", scramCred);
}
else { // Otherwise default to MONGODB-CR.
@@ -615,9 +612,7 @@ namespace mongo {
// Add SCRAM credentials for appropriate authSchemaVersions
if (authzVersion > AuthorizationManager::schemaVersion26Final) {
- BSONObj scramCred = scram::generateCredentials(
- args.hashedPassword,
- saslGlobalParams.scramIterationCount);
+ BSONObj scramCred = scram::generateCredentials(args.hashedPassword);
credentialsBuilder.append("SCRAM-SHA-1",scramCred);
}
else { // Otherwise default to MONGODB-CR