authorGregory Wlodarek <gregory.wlodarek@mongodb.com>2020-08-16 21:10:33 -0400
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2020-08-17 01:48:12 +0000
commit3cc779415f2777223b5549d3dfd1b85eef01842b (patch)
treee165efebd7b0d7d83c68f0de5d88d46b3ac2285e /src/mongo
parentecd1e0b022a68110ada6517f84ffd91ea8a91bca (diff)
Revert "SERVER-48693 Add network counter for cluster authentication"
This reverts commit 24dd72daae9e4cf59ad51910058bc111f20edbff.
Diffstat (limited to 'src/mongo')
-rw-r--r--src/mongo/client/authenticate.h1
-rw-r--r--src/mongo/db/auth/sasl_commands.cpp32
-rw-r--r--src/mongo/db/auth/sasl_mechanism_registry.h9
-rw-r--r--src/mongo/db/commands/authentication_commands.cpp65
-rw-r--r--src/mongo/db/stats/counters.cpp28
-rw-r--r--src/mongo/db/stats/counters.h7
6 files changed, 42 insertions, 100 deletions
diff --git a/src/mongo/client/authenticate.h b/src/mongo/client/authenticate.h
index 44d90eae612..ee50f8c8ade 100644
--- a/src/mongo/client/authenticate.h
+++ b/src/mongo/client/authenticate.h
@@ -72,7 +72,6 @@ constexpr auto kMechanismMongoAWS = "MONGODB-AWS"_sd;
constexpr auto kInternalAuthFallbackMechanism = kMechanismScramSha1;
constexpr auto kSpeculativeAuthenticate = "speculativeAuthenticate"_sd;
-constexpr auto kClusterAuthenticate = "clusterAuthenticate"_sd;
constexpr auto kAuthenticateCommand = "authenticate"_sd;
/**
diff --git a/src/mongo/db/auth/sasl_commands.cpp b/src/mongo/db/auth/sasl_commands.cpp
index 81d784e64a3..7f4b1010462 100644
--- a/src/mongo/db/auth/sasl_commands.cpp
+++ b/src/mongo/db/auth/sasl_commands.cpp
@@ -335,26 +335,18 @@ bool runSaslStart(OperationContext* opCtx,
}
std::string principalName;
- try {
- auto session =
- uassertStatusOK(doSaslStart(opCtx, db, cmdObj, &result, &principalName, speculative));
- const bool isClusterMember = session->getMechanism().isClusterMember();
- if (isClusterMember) {
- uassertStatusOK(authCounter.incClusterAuthenticateReceived(mechanismName));
- }
- if (session->getMechanism().isSuccess()) {
+ auto swSession = doSaslStart(opCtx, db, cmdObj, &result, &principalName, speculative);
+
+ if (!swSession.isOK() || swSession.getValue()->getMechanism().isSuccess()) {
+ audit::logAuthentication(
+ client, mechanismName, UserName(principalName, db), swSession.getStatus().code());
+ uassertStatusOK(swSession.getStatus());
+ if (swSession.getValue()->getMechanism().isSuccess()) {
uassertStatusOK(authCounter.incAuthenticateSuccessful(mechanismName));
- if (isClusterMember) {
- uassertStatusOK(authCounter.incClusterAuthenticateSuccessful(mechanismName));
- }
- audit::logAuthentication(
- client, mechanismName, UserName(principalName, db), Status::OK().code());
- } else {
- AuthenticationSession::swap(client, session);
}
- } catch (const AssertionException& ex) {
- audit::logAuthentication(client, mechanismName, UserName(principalName, db), ex.code());
- throw;
+ } else {
+ auto session = std::move(swSession.getValue());
+ AuthenticationSession::swap(client, session);
}
return true;
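Review bot: The nested `if (swSession.getValue()->getMechanism().isSuccess())` on the new side is always true where it sits: the outer condition admits the branch only when the status is not OK or the mechanism succeeded, and the `uassertStatusOK(swSession.getStatus())` just above has already thrown for the not-OK case, so `uassertStatusOK(authCounter.incAuthenticateSuccessful(mechanismName));` can follow the status check directly. Note also that the audit record is written with the OK status before the counter is incremented, so a counter error (`incAuthenticateSuccessful` returning non-OK) leaves an audited successful authentication while the command itself fails; if that ordering is deliberate, say so with `// Audit first: a counter error must not suppress the audit record.` runSaslStart starts and ends outside this hunk.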
@@ -416,10 +408,6 @@ bool CmdSaslContinue::run(OperationContext* opCtx,
if (mechanism.isSuccess()) {
uassertStatusOK(
authCounter.incAuthenticateSuccessful(mechanism.mechanismName().toString()));
- if (mechanism.isClusterMember()) {
- uassertStatusOK(authCounter.incClusterAuthenticateSuccessful(
- mechanism.mechanismName().toString()));
- }
}
} else {
AuthenticationSession::swap(client, sessionGuard);
diff --git a/src/mongo/db/auth/sasl_mechanism_registry.h b/src/mongo/db/auth/sasl_mechanism_registry.h
index 0215328d9cb..98f2d8ddae9 100644
--- a/src/mongo/db/auth/sasl_mechanism_registry.h
+++ b/src/mongo/db/auth/sasl_mechanism_registry.h
@@ -155,15 +155,6 @@ public:
}
/**
- * Provides logic for determining if a user is a cluster member or an actual client for SASL
- * authentication mechanisms
- */
- bool isClusterMember() const {
- return _principalName == internalSecurity.user->getName().getUser().toString() &&
- getAuthenticationDatabase() == internalSecurity.user->getName().getDB();
- };
-
- /**
* Performs a single step of a SASL exchange. Takes an input provided by a client,
* and either returns an error, or a response to be sent back.
*/
diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp
index c3ba51aef15..77f014207fb 100644
--- a/src/mongo/db/commands/authentication_commands.cpp
+++ b/src/mongo/db/commands/authentication_commands.cpp
@@ -44,7 +44,6 @@
#include "mongo/client/sasl_client_authenticate.h"
#include "mongo/config.h"
#include "mongo/db/audit.h"
-#include "mongo/db/auth/authentication_session.h"
#include "mongo/db/auth/authorization_session.h"
#include "mongo/db/auth/privilege.h"
#include "mongo/db/auth/sasl_options.h"
@@ -293,48 +292,48 @@ bool CmdAuthenticate::run(OperationContext* opCtx,
user = internalSecurity.user->getName();
}
- try {
- uassertStatusOK(authCounter.incAuthenticateReceived(mechanism));
- const bool isClusterMember =
- opCtx->getClient()->session()->getSSLConfiguration()->isClusterMember(user.getUser());
- if (isClusterMember) {
- uassertStatusOK(authCounter.incClusterAuthenticateReceived(mechanism));
- }
-
- uassertStatusOK(_authenticate(opCtx, mechanism, user, cmdObj));
- audit::logAuthentication(opCtx->getClient(), mechanism, user, Status::OK().code());
+ Status status = authCounter.incAuthenticateReceived(mechanism);
+ if (status.isOK()) {
+ status = _authenticate(opCtx, mechanism, user, cmdObj);
+ }
+ audit::logAuthentication(Client::getCurrent(), mechanism, user, status.code());
+ if (!status.isOK()) {
if (!serverGlobalParams.quiet.load()) {
- LOGV2(20429,
- "Successfully authenticated as principal {user} on {db} from client {client}",
- "Successfully authenticated",
- "user"_attr = user.getUser(),
- "db"_attr = user.getDB(),
- "client"_attr = opCtx->getClient()->session()->remote());
- }
-
- uassertStatusOK(authCounter.incAuthenticateSuccessful(mechanism));
- if (isClusterMember) {
- uassertStatusOK(authCounter.incClusterAuthenticateSuccessful(mechanism));
- }
-
- result.append("dbname", user.getDB());
- result.append("user", user.getUser());
- return true;
- } catch (const AssertionException& ex) {
- auto status = ex.toStatus();
- auto const client = opCtx->getClient();
- audit::logAuthentication(Client::getCurrent(), mechanism, user, status.code());
- if (!serverGlobalParams.quiet.load()) {
+ auto const client = opCtx->getClient();
LOGV2(20428,
+ "Failed to authenticate {user} from client {client} with mechanism "
+ "{mechanism}: {error}",
"Failed to authenticate",
"user"_attr = user,
"client"_attr = client->getRemote(),
"mechanism"_attr = mechanism,
"error"_attr = status);
}
- throw;
+ sleepmillis(saslGlobalParams.authFailedDelay.load());
+ if (status.code() == ErrorCodes::AuthenticationFailed) {
+ // Statuses with code AuthenticationFailed may contain messages we do not wish to
+ // reveal to the user, so we return a status with the message "auth failed".
+ uasserted(ErrorCodes::AuthenticationFailed, "auth failed");
+ } else {
+ uassertStatusOK(status);
+ }
+ return false;
}
+
+ if (!serverGlobalParams.quiet.load()) {
+ LOGV2(20429,
+ "Successfully authenticated as principal {user} on {db} from client {client}",
+ "Successfully authenticated",
+ "user"_attr = user.getUser(),
+ "db"_attr = user.getDB(),
+ "client"_attr = opCtx->getClient()->session()->remote());
+ }
+
+ uassertStatusOK(authCounter.incAuthenticateSuccessful(mechanism));
+ result.append("dbname", user.getDB());
+ result.append("user", user.getUser());
+ return true;
}
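Review bot: The audit call on the new side reads the client through `Client::getCurrent()` while the rest of the function, including the failure LOGV2 and the success log a few lines below, goes through `opCtx->getClient()`; unless the two can differ here, `audit::logAuthentication(opCtx->getClient(), mechanism, user, status.code());` keeps the audit record tied to the same client as the logs. The `return false;` at the end of the failure branch is unreachable, since both arms of the preceding `if/else` throw (`uasserted` and, inside `!status.isOK()`, `uassertStatusOK(status)`), and deserves a comment such as `// unreachable: both branches above throw` so it is not mistaken for a real result path. CmdAuthenticate::run begins outside the hunk.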
Status CmdAuthenticate::_authenticate(OperationContext* opCtx,
diff --git a/src/mongo/db/stats/counters.cpp b/src/mongo/db/stats/counters.cpp
index 4180275393b..63a0b6eb66d 100644
--- a/src/mongo/db/stats/counters.cpp
+++ b/src/mongo/db/stats/counters.cpp
@@ -244,24 +244,6 @@ Status AuthCounter::incAuthenticateSuccessful(const std::string& mechanism) try
<< " which is not enabled"};
}
-Status AuthCounter::incClusterAuthenticateReceived(const std::string& mechanism) try {
- _mechanisms.at(mechanism).clusterAuthenticate.received.fetchAndAddRelaxed(1);
- return Status::OK();
-} catch (const std::out_of_range&) {
- return {ErrorCodes::BadValue,
- str::stream() << "Received authentication for mechanism " << mechanism
- << " which is unknown or not enabled"};
-}
-
-Status AuthCounter::incClusterAuthenticateSuccessful(const std::string& mechanism) try {
- _mechanisms.at(mechanism).clusterAuthenticate.successful.fetchAndAddRelaxed(1);
- return Status::OK();
-} catch (const std::out_of_range&) {
- return {ErrorCodes::BadValue,
- str::stream() << "Received authentication for mechanism " << mechanism
- << " which is not enabled"};
-}
-
/**
* authentication: {
* "mechanisms": {
@@ -293,16 +275,6 @@ void AuthCounter::append(BSONObjBuilder* b) {
}
{
- const auto received = it.second.clusterAuthenticate.received.load();
- const auto successful = it.second.clusterAuthenticate.successful.load();
-
- BSONObjBuilder clusterAuthBuilder(mechBuilder.subobjStart(auth::kClusterAuthenticate));
- clusterAuthBuilder.append("received", received);
- clusterAuthBuilder.append("successful", successful);
- clusterAuthBuilder.done();
- }
-
- {
const auto received = it.second.authenticate.received.load();
const auto successful = it.second.authenticate.successful.load();
diff --git a/src/mongo/db/stats/counters.h b/src/mongo/db/stats/counters.h
index a202746be03..9b10cb2a049 100644
--- a/src/mongo/db/stats/counters.h
+++ b/src/mongo/db/stats/counters.h
@@ -226,9 +226,6 @@ public:
Status incAuthenticateReceived(const std::string& mechanism);
Status incAuthenticateSuccessful(const std::string& mechanism);
- Status incClusterAuthenticateReceived(const std::string& mechanism);
- Status incClusterAuthenticateSuccessful(const std::string& mechanism);
-
void append(BSONObjBuilder*);
void initializeMechanismMap(const std::vector<std::string>&);
@@ -243,10 +240,6 @@ private:
AtomicWord<long long> received;
AtomicWord<long long> successful;
} authenticate;
- struct {
- AtomicWord<long long> received;
- AtomicWord<long long> successful;
- } clusterAuthenticate;
};
using MechanismMap = std::map<std::string, MechanismData>;