author | Andreas Nilsson <andreas.nilsson@10gen.com> | 2014-12-16 14:48:44 -0500 |
committer | Andreas Nilsson <andreas.nilsson@10gen.com> | 2014-12-17 11:24:57 -0500 |
commit | 1045c5a2c204632a453dc68e1abb870a31fdc25b (patch) | |
tree | cd5db5fc274e62d41e770cdfc1da4e567b97de06 /src/mongo | |
parent | 0c0fd893733ee8b60aed993e1ddbabac468bc89f (diff) | |
download | mongo-1045c5a2c204632a453dc68e1abb870a31fdc25b.tar.gz |
SERVER-16534 SCRAM-SHA-1 should always be enabled for internal user
Diffstat (limited to 'src/mongo')
-rw-r--r-- | src/mongo/db/auth/sasl_commands.cpp | 6 | ||||
-rw-r--r-- | src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp | 21 |
2 files changed, 21 insertions, 6 deletions
diff --git a/src/mongo/db/auth/sasl_commands.cpp b/src/mongo/db/auth/sasl_commands.cpp
index 60a8747ba26..1890d3ba54b 100644
--- a/src/mongo/db/auth/sasl_commands.cpp
+++ b/src/mongo/db/auth/sasl_commands.cpp
@@ -218,8 +218,10 @@ namespace {
 if (!status.isOK()) return status;
-
- if (!sequenceContains(saslGlobalParams.authenticationMechanisms, mechanism)) {
+ if (!sequenceContains(saslGlobalParams.authenticationMechanisms, mechanism) &&
+ mechanism != "SCRAM-SHA-1") {
+ // Always allow SCRAM-SHA-1 to pass to the first sasl step since we need to
+ // handle internal user authentication, SERVER-16534
 result->append(saslCommandMechanismListFieldName, saslGlobalParams.authenticationMechanisms);
 return Status(ErrorCodes::BadValue,
diff --git a/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp b/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp
index 7d49126c116..b36aded8b1a 100644
--- a/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp
+++ b/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp
@@ -37,11 +37,13 @@
 #include "mongo/crypto/crypto.h"
 #include "mongo/crypto/mechanism_scram.h"
+#include "mongo/db/auth/sasl_options.h"
 #include "mongo/platform/random.h"
 #include "mongo/util/base64.h"
 #include "mongo/util/log.h"
 #include "mongo/util/mongoutils/str.h"
 #include "mongo/util/password_digest.h"
+#include "mongo/util/sequence_util.h"
 #include "mongo/util/text.h"
 namespace mongo {
@@ -131,9 +133,6 @@ namespace mongo {
 "Incorrect SCRAM-SHA-1 client nonce: " << input[2]);
 }
- // add client-first-message-bare to _authMessage
- _authMessage += input[1] + "," + input[2] + ",";
-
 _user = input[1].substr(2);
 if (!authzId.empty() && _user != authzId) {
 return StatusWith<bool>(ErrorCodes::BadValue, mongoutils::str::stream() <<
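Review bot: The new comment is placed inside the rejection branch, after the condition it explains, so a reader of `if (!sequenceContains(...) && mechanism != "SCRAM-SHA-1")` has to read into the failure path to learn why SCRAM-SHA-1 is exempt; move it above the `if` and say where the gate now lives, e.g. `// SCRAM-SHA-1 is deliberately not gated here: its disabled-mechanism check is done in the SCRAM first step, where the user name is known and the internal user can be exempted (SERVER-16534).` That comment should also state the security consequence: this front door no longer refuses a disabled SCRAM-SHA-1, so every peer's client-first message is parsed before the mechanism is rejected, and such clients no longer receive the `saslCommandMechanismListFieldName` list that the rejection here appends. Anyone adding another SCRAM-SHA-1 entry point must replicate the check in the conversation, which is worth a sentence as well. The enclosing function starts and ends outside the hunk.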
@@ -141,13 +140,27 @@ namespace mongo {
 }
 decodeSCRAMUsername(_user);
+
+ // SERVER-16534, SCRAM-SHA-1 must be enabled for authenticating the internal user, so that
+ // cluster members may communicate with each other. Hence ignore disabled auth mechanism
+ // for the internal user.
+ UserName user(_user, _saslAuthSession->getAuthenticationDatabase());
+ if (!sequenceContains(saslGlobalParams.authenticationMechanisms, "SCRAM-SHA-1") &&
+ user != internalSecurity.user->getName()) {
+ return StatusWith<bool>(ErrorCodes::BadValue,
+ "SCRAM-SHA-1 authentication is disabled");
+ }
+
+ // add client-first-message-bare to _authMessage
+ _authMessage += input[1] + "," + input[2] + ",";
+
 std::string clientNonce = input[2].substr(2);
 // The authentication database is also the source database for the user.
 User* userObj;
 Status status = _saslAuthSession->getAuthorizationSession()->getAuthorizationManager().
 acquireUser(_saslAuthSession->getOpCtxt(),
- UserName(_user, _saslAuthSession->getAuthenticationDatabase()),
+ user,
 &userObj);
 if (!status.isOK()) {
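Review bot: `internalSecurity.user->getName()` is dereferenced without a null check in the new condition; if `internalSecurity.user` can be unset while a SASL conversation runs (before the authorization manager has created the internal user, or in a configuration that never does), this is a null dereference on an unauthenticated, network-reachable path — confirm the initialization order, or write the condition as `!sequenceContains(saslGlobalParams.authenticationMechanisms, "SCRAM-SHA-1") && (!internalSecurity.user || user != internalSecurity.user->getName())`. The exemption is keyed on the client-asserted user name, so a "disabled" SCRAM-SHA-1 stays reachable from any peer that claims the internal user's name on its authentication database; that is the intent for cluster members, but it means `authenticationMechanisms` no longer fully disables the mechanism and the comment should say so, e.g. `// Any client may claim the internal user here; only the credential check below authenticates it.` The comparison is correctly made after `decodeSCRAMUsername(_user)`, so an encoded name cannot forge or dodge the match. The enclosing function starts and ends outside the hunk.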