author | Amalia Hawkins <amalia.hawkins@10gen.com> | 2014-10-10 17:13:23 -0400 |
---|---|---|
committer | Amalia Hawkins <amalia.hawkins@10gen.com> | 2014-10-10 17:13:23 -0400 |
commit | 8dff7bcaa38a52180eba26793446ee7e2855a1e4 (patch) | |
tree | dc916956cc2b2a02cf933677011763c820639f4c /src/mongo/db/auth | |
parent | b77054789b59c9284df70928c1d0d76770fd5c25 (diff) | |
download | mongo-8dff7bcaa38a52180eba26793446ee7e2855a1e4.tar.gz |
Revert "SERVER-15198 Make scramIterationCount user configurable"
This reverts commits bf48f38 and 57e21a1.
Diffstat (limited to 'src/mongo/db/auth')
-rw-r--r-- | src/mongo/db/auth/authorization_manager.cpp | 4 | ||||
-rw-r--r-- | src/mongo/db/auth/sasl_options.cpp | 37 | ||||
-rw-r--r-- | src/mongo/db/auth/sasl_options.h | 1 | ||||
-rw-r--r-- | src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp | 6 | ||||
-rw-r--r-- | src/mongo/db/auth/security_key.cpp | 4 |
5 files changed, 4 insertions, 48 deletions
diff --git a/src/mongo/db/auth/authorization_manager.cpp b/src/mongo/db/auth/authorization_manager.cpp index be5024e0a78..1379bdd1797 100644 --- a/src/mongo/db/auth/authorization_manager.cpp +++ b/src/mongo/db/auth/authorization_manager.cpp @@ -48,7 +48,6 @@ #include "mongo/db/auth/authz_manager_external_state.h" #include "mongo/db/auth/privilege.h" #include "mongo/db/auth/role_graph.h" -#include "mongo/db/auth/sasl_options.h" #include "mongo/db/auth/user.h" #include "mongo/db/auth/user_document_parser.h" #include "mongo/db/auth/user_name.h" @@ -779,8 +778,7 @@ namespace { { BSONObjBuilder toSetBuilder(updateBuilder.subobjStart("$set")); toSetBuilder << "credentials" << - BSON("SCRAM-SHA-1" << scram::generateCredentials(hashedPassword, - saslGlobalParams.scramIterationCount)); + BSON("SCRAM-SHA-1" << scram::generateCredentials(hashedPassword)); } uassertStatusOK(externalState->updateOne(txn, diff --git a/src/mongo/db/auth/sasl_options.cpp b/src/mongo/db/auth/sasl_options.cpp index 7261d8b49f0..40fc536656c 100644 --- a/src/mongo/db/auth/sasl_options.cpp +++ b/src/mongo/db/auth/sasl_options.cpp @@ -33,7 +33,6 @@ #include "mongo/base/status.h" #include "mongo/db/server_parameters.h" #include "mongo/util/log.h" -#include "mongo/util/mongoutils/str.h" #include "mongo/util/options_parser/startup_option_init.h" #include "mongo/util/options_parser/startup_options.h" 
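Review bot: In authorization_manager.cpp (hunk at -779), the one-argument call `scram::generateCredentials(hashedPassword)` no longer shows which iteration count is written into the stored `SCRAM-SHA-1` credentials, and the default it relies on is declared outside this diff. That count sets the cost of offline guessing against a leaked credentials document, so I would add a comment at the call such as `// Iteration count is the built-in default of scram::generateCredentials and is persisted with the credentials.` The same applies to the `scram::generateCredentials(credentials.password)` call in security_key.cpp (hunk at -189). With the server parameter removed, operators presumably can no longer raise the work factor, which is worth stating in the commit description. The enclosing block starts and ends outside the hunk.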
@@ -41,16 +40,11 @@ namespace mongo { SASLGlobalParams saslGlobalParams; - const int defaultScramIterationCount = 10000; - const int minimumScramIterationCount = 5000; - + // Authentication mechanisms supported by default SASLGlobalParams::SASLGlobalParams() { - // Authentication mechanisms supported by default. authenticationMechanisms.push_back("MONGODB-CR"); authenticationMechanisms.push_back("MONGODB-X509"); authenticationMechanisms.push_back("SCRAM-SHA-1"); - // Default iteration count for SCRAM authentication. - scramIterationCount = defaultScramIterationCount; } Status addSASLOptions(moe::OptionSection* options) { @@ -89,7 +83,6 @@ namespace mongo { bool haveHostName = false; bool haveServiceName = false; bool haveAuthdPath = false; - bool haveScramIterationCount = false; // Check our setParameter options first so that these values can be properly overridden via // the command line even though the options have different names. @@ -110,9 +103,6 @@ namespace mongo { else if (parametersIt->first == "saslauthdPath") { haveAuthdPath = true; } - else if (parametersIt->first == "scramIterationCount") { - haveScramIterationCount = true; - } } } @@ -133,10 +123,6 @@ namespace mongo { saslGlobalParams.authdPath = params["security.sasl.saslauthdSocketPath"].as<std::string>(); } - if (params.count("security.sasl.scramIterationCount") && !haveScramIterationCount) { - saslGlobalParams.scramIterationCount = - params["security.sasl.scramIterationCount"].as<int>(); - } return Status::OK(); } 
@@ -176,25 +162,4 @@ namespace mongo { true, // Change at startup false); // Change at runtime - const std::string scramIterationCountServerParameter = "scramIterationCount"; - class ExportedScramIterationCountParameter : public ExportedServerParameter<int> { - public: - ExportedScramIterationCountParameter(): - ExportedServerParameter<int>(ServerParameterSet::getGlobal(), - scramIterationCountServerParameter, - &saslGlobalParams.scramIterationCount, - true, // Change at startup - true) {} // Change at runtime - - virtual Status validate(const int& newValue) { - if (newValue < minimumScramIterationCount) { - return Status(ErrorCodes::BadValue, mongoutils::str::stream() << - "Invalid value for SCRAM iteration count: " << newValue << - " is less than the minimum SCRAM iteration count, " << - minimumScramIterationCount); - } - return Status::OK(); - } - } scramIterationCountParam; - } // namespace mongo diff --git a/src/mongo/db/auth/sasl_options.h b/src/mongo/db/auth/sasl_options.h index cc649adeeba..77ca66ad1d0 100644 --- a/src/mongo/db/auth/sasl_options.h +++ b/src/mongo/db/auth/sasl_options.h @@ -48,7 +48,6 @@ namespace optionenvironment { std::string hostName; std::string serviceName; std::string authdPath; - int scramIterationCount; SASLGlobalParams(); }; diff --git a/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp b/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp index fea81975990..791fe137b11 100644 --- a/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp +++ b/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp 
@@ -158,11 +158,7 @@ namespace mongo { // Generate SCRAM credentials on the fly for mixed MONGODB-CR/SCRAM mode. if (_creds.scram.salt.empty() && !_creds.password.empty()) { - // Use a default value of 5000 for the scramIterationCount when in mixed mode, - // overriding the default value (10000) used for SCRAM mode or the user-given value. - const int mixedModeScramIterationCount = 5000; - BSONObj scramCreds = scram::generateCredentials(_creds.password, - mixedModeScramIterationCount); + BSONObj scramCreds = scram::generateCredentials(_creds.password); _creds.scram.iterationCount = scramCreds[scram::iterationCountFieldName].Int(); _creds.scram.salt = scramCreds[scram::saltFieldName].String(); _creds.scram.storedKey = scramCreds[scram::storedKeyFieldName].String(); diff --git a/src/mongo/db/auth/security_key.cpp b/src/mongo/db/auth/security_key.cpp index 19860e87a9e..dcc0f7866a3 100644 --- a/src/mongo/db/auth/security_key.cpp +++ b/src/mongo/db/auth/security_key.cpp @@ -44,7 +44,6 @@ #include "mongo/db/auth/action_type.h" #include "mongo/db/auth/authorization_manager.h" #include "mongo/db/auth/privilege.h" -#include "mongo/db/auth/sasl_options.h" #include "mongo/db/auth/user.h" #include "mongo/db/server_options.h" #include "mongo/util/log.h" @@ -189,8 +188,7 @@ namespace mongo { credentials.password = mongo::createPasswordDigest( internalSecurity.user->getName().getUser().toString(), str); - BSONObj creds = scram::generateCredentials(credentials.password, - saslGlobalParams.scramIterationCount); + BSONObj creds = scram::generateCredentials(credentials.password); credentials.scram.iterationCount = creds[scram::iterationCountFieldName].Int(); credentials.scram.salt = creds[scram::saltFieldName].String(); credentials.scram.storedKey = creds[scram::storedKeyFieldName].String(); |
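Review bot: In sasl_scramsha1_server_conversation.cpp (hunk at -158), the mixed-mode branch now uses whatever default `scram::generateCredentials(_creds.password)` applies, and the removed comment was the only place explaining why this path used a lower count (5000) than stored credentials. This derivation appears to run inside the authentication conversation for users that only have a MONGODB-CR password, so its key-derivation cost is paid on each attempt rather than once at user creation. If the default (declared outside this diff) is higher than 5000, per-attempt CPU cost on this path goes up, so the value should be confirmed as acceptable here. I would keep a comment at the call, for example `// Generated per authentication attempt; uses the default iteration count of scram::generateCredentials.` The enclosing function starts and ends outside the hunk.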