authorSara Golemon <sara.golemon@mongodb.com>2017-12-08 19:00:43 -0500
committerSara Golemon <sara.golemon@mongodb.com>2017-12-19 00:31:11 -0500
commit5a781806537d7710c3b895e450df2307b8861b69 (patch)
tree5d61ce68b1b869b460e426aa7ca1b16620bc514c /src/mongo
parenta5463eebace42e0970cdb28507d6b00d1c982f18 (diff)
SERVER-32231 Remove MONGODB-CR
Diffstat (limited to 'src/mongo')
-rw-r--r--src/mongo/db/auth/sasl_plain_server_conversation.cpp33
-rw-r--r--src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp14
-rw-r--r--src/mongo/db/auth/security_key.cpp10
-rw-r--r--src/mongo/db/auth/user.h3
-rw-r--r--src/mongo/db/auth/user_document_parser.cpp30
-rw-r--r--src/mongo/db/auth/user_document_parser_test.cpp2
-rw-r--r--src/mongo/db/commands/user_management_commands.cpp34
-rw-r--r--src/mongo/db/db.cpp23
8 files changed, 37 insertions, 112 deletions
diff --git a/src/mongo/db/auth/sasl_plain_server_conversation.cpp b/src/mongo/db/auth/sasl_plain_server_conversation.cpp
index 416e70ad739..0c574a7f7fd 100644
--- a/src/mongo/db/auth/sasl_plain_server_conversation.cpp
+++ b/src/mongo/db/auth/sasl_plain_server_conversation.cpp
@@ -106,27 +106,18 @@ StatusWith<bool> SaslPLAINServerConversation::step(StringData inputData, std::st
std::string authDigest = createPasswordDigest(_user, pwd->c_str());
- if (!creds.password.empty()) {
- // Handle schemaVersion26Final (MONGODB-CR/SCRAM mixed mode)
- if (authDigest != creds.password) {
- return StatusWith<bool>(ErrorCodes::AuthenticationFailed,
- mongoutils::str::stream() << "Incorrect user name or password");
- }
- } else {
- // Handle schemaVersion28SCRAM (SCRAM only mode)
- std::string decodedSalt = base64::decode(creds.scram.salt);
- scram::SCRAMSecrets secrets = scram::generateSecrets(scram::SCRAMPresecrets(
- authDigest,
- std::vector<std::uint8_t>(reinterpret_cast<const std::uint8_t*>(decodedSalt.c_str()),
- reinterpret_cast<const std::uint8_t*>(decodedSalt.c_str()) +
- 16),
- creds.scram.iterationCount));
- if (creds.scram.storedKey !=
- base64::encode(reinterpret_cast<const char*>(secrets->storedKey.data()),
- secrets->storedKey.size())) {
- return StatusWith<bool>(ErrorCodes::AuthenticationFailed,
- mongoutils::str::stream() << "Incorrect user name or password");
- }
+ // Handle schemaVersion28SCRAM (SCRAM only mode)
+ std::string decodedSalt = base64::decode(creds.scram.salt);
+ scram::SCRAMSecrets secrets = scram::generateSecrets(scram::SCRAMPresecrets(
+ authDigest,
+ std::vector<std::uint8_t>(reinterpret_cast<const std::uint8_t*>(decodedSalt.c_str()),
+ reinterpret_cast<const std::uint8_t*>(decodedSalt.c_str()) + 16),
+ creds.scram.iterationCount));
+ if (creds.scram.storedKey !=
+ base64::encode(reinterpret_cast<const char*>(secrets->storedKey.data()),
+ secrets->storedKey.size())) {
+ return StatusWith<bool>(ErrorCodes::AuthenticationFailed,
+ mongoutils::str::stream() << "Incorrect user name or password");
}
*outputData = "";
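Review bot: The 16-byte window handed to the `SCRAMPresecrets` vector is taken from `decodedSalt.c_str()` without checking that the decoded salt is at least 16 bytes long, so a user document whose stored salt is short or malformed makes this read past the end of the string; with the `password` branch removed, this is now the only path for every non-external user, including any whose SCRAM salt field turns out empty. A guard before the `scram::generateSecrets` call, `if (decodedSalt.size() < 16) { return StatusWith<bool>(ErrorCodes::AuthenticationFailed, mongoutils::str::stream() << "Incorrect user name or password"); }`, keeps a bad document an authentication failure rather than undefined behaviour. The `storedKey` check below is an ordinary `std::string` inequality; comparing the decoded key bytes with a constant-time routine would be the usual hardening for a secret comparison. `step` begins before and continues after the hunk.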
diff --git a/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp b/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp
index 98469c1137d..39ac502bcac 100644
--- a/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp
+++ b/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp
@@ -42,7 +42,6 @@
#include "mongo/util/base64.h"
#include "mongo/util/log.h"
#include "mongo/util/mongoutils/str.h"
-#include "mongo/util/password_digest.h"
#include "mongo/util/sequence_util.h"
#include "mongo/util/text.h"
@@ -189,19 +188,6 @@ StatusWith<bool> SaslSCRAMSHA1ServerConversation::_firstStep(std::vector<string>
"on servers started without a --keyFile parameter");
}
- // Generate SCRAM credentials on the fly for mixed MONGODB-CR/SCRAM mode.
- if (_creds.scram.salt.empty() && !_creds.password.empty()) {
- // Use a default value of 5000 for the scramIterationCount when in mixed mode,
- // overriding the default value (10000) used for SCRAM mode or the user-given value.
- const int mixedModeScramIterationCount = 5000;
- BSONObj scramCreds =
- scram::generateCredentials(_creds.password, mixedModeScramIterationCount);
- _creds.scram.iterationCount = scramCreds[scram::iterationCountFieldName].Int();
- _creds.scram.salt = scramCreds[scram::saltFieldName].String();
- _creds.scram.storedKey = scramCreds[scram::storedKeyFieldName].String();
- _creds.scram.serverKey = scramCreds[scram::serverKeyFieldName].String();
- }
-
// Generate server-first-message
// Create text-based nonce as base64 encoding of a binary blob of length multiple of 3
const int nonceLenQWords = 3;
diff --git a/src/mongo/db/auth/security_key.cpp b/src/mongo/db/auth/security_key.cpp
index 8e1dfe46e00..f9d0445e65f 100644
--- a/src/mongo/db/auth/security_key.cpp
+++ b/src/mongo/db/auth/security_key.cpp
@@ -70,14 +70,14 @@ bool setUpSecurityKey(const string& filename) {
return false;
}
- // Generate MONGODB-CR and SCRAM credentials for the internal user based on
+ // Generate SCRAM-SHA-1 credentials for the internal user based on
// the keyfile.
User::CredentialData credentials;
- credentials.password =
+ const auto password =
mongo::createPasswordDigest(internalSecurity.user->getName().getUser().toString(), str);
- BSONObj creds = scram::generateCredentials(credentials.password,
- saslGlobalParams.scramIterationCount.load());
+ BSONObj creds =
+ scram::generateCredentials(password, saslGlobalParams.scramIterationCount.load());
credentials.scram.iterationCount = creds[scram::iterationCountFieldName].Int();
credentials.scram.salt = creds[scram::saltFieldName].String();
credentials.scram.storedKey = creds[scram::storedKeyFieldName].String();
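Review bot: `const auto password` on the line that replaces `credentials.password` hides that this local is a `std::string` holding the keyfile-derived password digest, and the `User::CredentialData credentials;` declaration now sits between the comment and the code the comment describes. Spelling the type, `const std::string password = mongo::createPasswordDigest(...)`, and declaring `credentials` next to the first `credentials.scram.*` assignment reads more naturally. The second hunk in this file only substitutes the same local into the auth-params BSON. `setUpSecurityKey` starts before and ends after the hunk.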
@@ -94,7 +94,7 @@ bool setUpSecurityKey(const string& filename) {
<< saslCommandUserFieldName
<< internalSecurity.user->getName().getUser()
<< saslCommandPasswordFieldName
- << credentials.password
+ << password
<< saslCommandDigestPasswordFieldName
<< false));
}
diff --git a/src/mongo/db/auth/user.h b/src/mongo/db/auth/user.h
index 8deead28046..8ea5b18631c 100644
--- a/src/mongo/db/auth/user.h
+++ b/src/mongo/db/auth/user.h
@@ -69,9 +69,8 @@ public:
std::string storedKey;
};
struct CredentialData {
- CredentialData() : password(""), scram(), isExternal(false) {}
+ CredentialData() : scram(), isExternal(false) {}
- std::string password;
SCRAMCredentials scram;
bool isExternal;
};
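Review bot: With `password` gone, the hand-written constructor `CredentialData() : scram(), isExternal(false) {}` does nothing a default member initializer would not; `bool isExternal = false;` with the constructor removed (or declared `= default`) leaves the struct a plain value type and means a future field cannot be forgotten in the initializer list. `scram()` value-initializes `SCRAMCredentials`, which from the `storedKey` member just above appears to hold only `std::string`s, so it needs no explicit mention either, though the rest of that struct is not visible here.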
diff --git a/src/mongo/db/auth/user_document_parser.cpp b/src/mongo/db/auth/user_document_parser.cpp
index b171a7d8d48..ee2ff308dbd 100644
--- a/src/mongo/db/auth/user_document_parser.cpp
+++ b/src/mongo/db/auth/user_document_parser.cpp
@@ -57,7 +57,6 @@ const std::string READONLY_FIELD_NAME = "readOnly";
const std::string CREDENTIALS_FIELD_NAME = "credentials";
const std::string ROLE_NAME_FIELD_NAME = "role";
const std::string ROLE_DB_FIELD_NAME = "db";
-const std::string MONGODB_CR_CREDENTIAL_FIELD_NAME = "MONGODB-CR";
const std::string SCRAM_CREDENTIAL_FIELD_NAME = "SCRAM-SHA-1";
const std::string MONGODB_EXTERNAL_CREDENTIAL_FIELD_NAME = "external";
constexpr StringData AUTHENTICATION_RESTRICTIONS_FIELD_NAME = "authenticationRestrictions"_sd;
@@ -136,15 +135,8 @@ Status V2UserDocumentParser::checkValidUserDocument(const BSONObj& doc) const {
}
} else {
BSONElement scramElement = credentialsObj[SCRAM_CREDENTIAL_FIELD_NAME];
- BSONElement mongoCRElement = credentialsObj[MONGODB_CR_CREDENTIAL_FIELD_NAME];
- if (!mongoCRElement.eoo()) {
- if (mongoCRElement.type() != String || mongoCRElement.valueStringData().empty()) {
- return _badValue(
- "MONGODB-CR credential must to be a non-empty string"
- ", if present");
- }
- } else if (!scramElement.eoo()) {
+ if (!scramElement.eoo()) {
if (scramElement.type() != Object) {
return _badValue("SCRAM credential must be an object, if present");
}
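Review bot: After the `MONGODB-CR` check is dropped, `checkValidUserDocument` says nothing about a credentials object that still carries a `MONGODB-CR` field: it passes validation here, and only `initializeUserCredentialsFromUserDocument` rejects the document, and only when `SCRAM-SHA-1` is also absent. A leftover field on a deployment whose schema version was bumped without rewriting every user document would therefore pass silently; a `_badValue("MONGODB-CR credentials are no longer supported")` on `!credentialsObj["MONGODB-CR"].eoo()` would make that failure explicit at validation time. The function continues outside the hunk, so how a credentials object with neither field is treated is not visible here.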
@@ -200,13 +192,10 @@ Status V2UserDocumentParser::initializeUserCredentialsFromUserDocument(
}
} else {
BSONElement scramElement = credentialsElement.Obj()[SCRAM_CREDENTIAL_FIELD_NAME];
- BSONElement mongoCRCredentialElement =
- credentialsElement.Obj()[MONGODB_CR_CREDENTIAL_FIELD_NAME];
- if (scramElement.eoo() && mongoCRCredentialElement.eoo()) {
+ if (scramElement.eoo()) {
return Status(ErrorCodes::UnsupportedFormat,
- "User documents must provide credentials for SCRAM-SHA-1 "
- "or MONGODB-CR authentication");
+ "User documents must provide credentials for SCRAM-SHA-1");
}
if (!scramElement.eoo()) {
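Review bot: The `if (!scramElement.eoo())` on the last line of the hunk is now always true, since the new early return two lines above has just rejected the `scramElement.eoo()` case with `UnsupportedFormat`; the conditional and its extra nesting level can be dropped so the SCRAM field extraction runs unconditionally. `initializeUserCredentialsFromUserDocument` starts before and continues past the hunk, so the body of that branch is not visible here.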
@@ -227,19 +216,6 @@ Status V2UserDocumentParser::initializeUserCredentialsFromUserDocument(
uassert(17504, "Missing SCRAM storedKey", !credentials.scram.storedKey.empty());
}
- if (!mongoCRCredentialElement.eoo()) {
- if (mongoCRCredentialElement.type() != String ||
- mongoCRCredentialElement.valueStringData().empty()) {
- return Status(ErrorCodes::UnsupportedFormat,
- "MONGODB-CR credentials must be non-empty strings");
- } else {
- credentials.password = mongoCRCredentialElement.String();
- if (credentials.password.empty()) {
- return Status(ErrorCodes::UnsupportedFormat,
- "User documents must provide authentication credentials");
- }
- }
- }
credentials.isExternal = false;
}
} else {
diff --git a/src/mongo/db/auth/user_document_parser_test.cpp b/src/mongo/db/auth/user_document_parser_test.cpp
index f04639fef48..f11fb005aad 100644
--- a/src/mongo/db/auth/user_document_parser_test.cpp
+++ b/src/mongo/db/auth/user_document_parser_test.cpp
@@ -296,7 +296,6 @@ TEST_F(V2UserDocumentParsing, V2CredentialExtraction) {
<< "test"
<< "credentials"
<< credentials)));
- ASSERT(user->getCredentials().password.empty());
ASSERT(!user->getCredentials().scram.storedKey.empty());
ASSERT(!user->getCredentials().isExternal);
@@ -309,7 +308,6 @@ TEST_F(V2UserDocumentParsing, V2CredentialExtraction) {
<< "$external"
<< "credentials"
<< BSON("external" << true))));
- ASSERT(user->getCredentials().password.empty());
ASSERT(user->getCredentials().isExternal);
}
diff --git a/src/mongo/db/commands/user_management_commands.cpp b/src/mongo/db/commands/user_management_commands.cpp
index 0161222dce9..5a4419bedff 100644
--- a/src/mongo/db/commands/user_management_commands.cpp
+++ b/src/mongo/db/commands/user_management_commands.cpp
@@ -690,14 +690,10 @@ public:
// Must be an external user
credentialsBuilder.append("external", true);
} else {
- // Add SCRAM credentials for appropriate authSchemaVersions.
- if (authzVersion > AuthorizationManager::schemaVersion26Final) {
- BSONObj scramCred = scram::generateCredentials(
- args.hashedPassword, saslGlobalParams.scramIterationCount.load());
- credentialsBuilder.append("SCRAM-SHA-1", scramCred);
- } else { // Otherwise default to MONGODB-CR.
- credentialsBuilder.append("MONGODB-CR", args.hashedPassword);
- }
+ // Add SCRAM credentials.
+ BSONObj scramCred = scram::generateCredentials(
+ args.hashedPassword, saslGlobalParams.scramIterationCount.load());
+ credentialsBuilder.append("SCRAM-SHA-1", scramCred);
}
credentialsBuilder.done();
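Review bot: The three lines that generate and append the SCRAM credential are now duplicated verbatim between this hunk and the updateUser hunk in the same file; a small file-local helper taking the `BSONObjBuilder&` and the hashed password, whose body is just `builder.append("SCRAM-SHA-1", scram::generateCredentials(hashedPassword, saslGlobalParams.scramIterationCount.load()));`, keeps the two command paths from drifting. `authzVersion` is no longer read in this branch, so if its lookup above the hunk survives in createUser it is now dead and should be removed as the updateUser hunk removed its own. The enclosing method starts before and ends after the hunk.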
@@ -804,21 +800,11 @@ public:
if (args.hasHashedPassword) {
BSONObjBuilder credentialsBuilder(updateSetBuilder.subobjStart("credentials"));
- AuthorizationManager* authzManager = getGlobalAuthorizationManager();
- int authzVersion;
- Status status = authzManager->getAuthorizationVersion(opCtx, &authzVersion);
- if (!status.isOK()) {
- return appendCommandStatus(result, status);
- }
+ // Add SCRAM credentials.
+ BSONObj scramCred = scram::generateCredentials(
+ args.hashedPassword, saslGlobalParams.scramIterationCount.load());
+ credentialsBuilder.append("SCRAM-SHA-1", scramCred);
- // Add SCRAM credentials for appropriate authSchemaVersions
- if (authzVersion > AuthorizationManager::schemaVersion26Final) {
- BSONObj scramCred = scram::generateCredentials(
- args.hashedPassword, saslGlobalParams.scramIterationCount.load());
- credentialsBuilder.append("SCRAM-SHA-1", scramCred);
- } else { // Otherwise default to MONGODB-CR
- credentialsBuilder.append("MONGODB-CR", args.hashedPassword);
- }
credentialsBuilder.done();
}
@@ -2459,14 +2445,14 @@ public:
if (create) {
audit::logCreateUser(Client::getCurrent(),
userName,
- userObj["credentials"].Obj().hasField("MONGODB-CR"),
+ userObj["credentials"].Obj().hasField("SCRAM-SHA-1"),
userObj.hasField("customData") ? &customData : NULL,
roles,
authenticationRestrictions);
} else {
audit::logUpdateUser(Client::getCurrent(),
userName,
- userObj["credentials"].Obj().hasField("MONGODB-CR"),
+ userObj["credentials"].Obj().hasField("SCRAM-SHA-1"),
userObj.hasField("customData") ? &customData : NULL,
&roles,
authenticationRestrictions);
diff --git a/src/mongo/db/db.cpp b/src/mongo/db/db.cpp
index b6ad9f7bdd2..eeb41cd5666 100644
--- a/src/mongo/db/db.cpp
+++ b/src/mongo/db/db.cpp
@@ -874,24 +874,13 @@ ExitCode _initAndListen(int listenPort) {
exitCleanly(EXIT_NEED_UPGRADE);
}
- if (foundSchemaVersion < AuthorizationManager::schemaVersion26Final) {
- log() << "Auth schema version is incompatible: "
- << "User and role management commands require auth data to have "
- << "at least schema version " << AuthorizationManager::schemaVersion26Final
- << " but found " << foundSchemaVersion << ". In order to upgrade "
- << "the auth schema, first downgrade MongoDB binaries to version "
- << "2.6 and then run the authSchemaUpgrade command.";
- exitCleanly(EXIT_NEED_UPGRADE);
- }
-
if (foundSchemaVersion <= AuthorizationManager::schemaVersion26Final) {
- log() << startupWarningsLog;
- log() << "** WARNING: This server is using MONGODB-CR, a deprecated authentication "
- << "mechanism." << startupWarningsLog;
- log() << "** Support will be dropped in a future release."
- << startupWarningsLog;
- log() << "** See http://dochub.mongodb.org/core/3.0-upgrade-to-scram-sha-1"
- << startupWarningsLog;
+ log() << "This server is using MONGODB-CR, an authentication mechanism which "
+ << "has been removed from MongoDB 3.8. In order to upgrade the auth schema, "
+ << "first downgrade MongoDB binaries to version 3.6 and then run the "
+ << "authSchemaUpgrade command. "
+ << "See http://dochub.mongodb.org/core/3.0-upgrade-to-scram-sha-1";
+ exitCleanly(EXIT_NEED_UPGRADE);
}
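Review bot: The merged message drops `foundSchemaVersion` from the log, so an operator no longer sees which schema version was found, and it tells every server with `foundSchemaVersion <= schemaVersion26Final` that it is "using MONGODB-CR" and should downgrade to 3.6, whereas the removed lower branch distinguished pre-2.6 schemas, which presumably cannot be upgraded by a 3.6 `authSchemaUpgrade` either; worth confirming against the documented upgrade path. Appending `<< " Found auth schema version " << foundSchemaVersion << "."` to the message, and emitting it with `error()` rather than `log()` since the process exits immediately afterwards, would preserve the diagnostic. `_initAndListen` starts before and ends after the hunk.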
} else if (globalAuthzManager->isAuthEnabled()) {
error() << "Auth must be disabled when starting without auth schema validation";