rueckstiess / mtools

A collection of scripts to set up MongoDB test environments and parse and visualize MongoDB log files.
Apache License 2.0

mlaunch: Confusing override of default SASL/SCRAM mechanisms when creating users #879

Closed matthewdale closed 2 years ago

matthewdale commented 2 years ago

There is currently a check that explicitly prevents creating a SCRAM-SHA-256 user credential for newer server versions:

if v >= 7:
    # Until drivers have implemented SCRAM-SHA-256, use old mechanism.
    opts = {'mechanisms': ['SCRAM-SHA-1']}

Now that all official MongoDB drivers support SASL/SCRAM mechanism SCRAM-SHA-256 (see DRIVERS-439), that logic is unnecessary and results in confusing server configurations that deviate from the expected defaults.

Expected behavior

  1. Create a new standalone deployment using MongoDB v5.0.0 with auth enabled.
    mlaunch init \
    --dir /path/to/data/5.0.0 \
    --single \
    --binarypath $(m bin 5.0.0)  \
    --auth
  2. List users from the admin.system.users collection:
    mongosh "mongodb://user:password@localhost:27017/admin" --quiet --eval "db.system.users.find()"

Expect that listed users have credentials for both SCRAM-SHA-1 and SCRAM-SHA-256 mechanisms:

[
  {
    _id: 'admin.user',
    userId: UUID("83cd5740-51e5-454d-8c27-1248fc443c38"),
    user: 'user',
    db: 'admin',
    credentials: {
      'SCRAM-SHA-1': {
        iterationCount: 10000,
        salt: <REDACTED>,
        storedKey: <REDACTED>,
        serverKey: <REDACTED>
      },
      'SCRAM-SHA-256': {
        iterationCount: 15000,
        salt: <REDACTED>,
        storedKey: <REDACTED>,
        serverKey: <REDACTED>
      }
    },
    roles: [
      { role: 'readWriteAnyDatabase', db: 'admin' },
      { role: 'clusterAdmin', db: 'admin' },
      { role: 'dbAdminAnyDatabase', db: 'admin' },
      { role: 'userAdminAnyDatabase', db: 'admin' }
    ]
  }
]

Actual/current behavior

  1. Create a new standalone using MongoDB v5.0.0 with auth enabled.
    mlaunch init \
    --dir /path/to/data/5.0.0 \
    --single \
    --binarypath $(m bin 5.0.0)  \
    --auth
  2. List users from the admin.system.users collection:
    mongosh "mongodb://user:password@localhost:27017/admin" --quiet --eval "db.system.users.find()"

Listed users only have credentials for the SCRAM-SHA-1 mechanism:

[
  {
    _id: 'admin.user',
    userId: UUID("83cd5740-51e5-454d-8c27-1248fc443c38"),
    user: 'user',
    db: 'admin',
    credentials: {
      'SCRAM-SHA-1': {
        iterationCount: 10000,
        salt: <REDACTED>,
        storedKey: <REDACTED>,
        serverKey: <REDACTED>
      }
    },
    roles: [
      { role: 'readWriteAnyDatabase', db: 'admin' },
      { role: 'clusterAdmin', db: 'admin' },
      { role: 'dbAdminAnyDatabase', db: 'admin' },
      { role: 'userAdminAnyDatabase', db: 'admin' }
    ]
  }
]
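As an added example (not from the issue or from mtools), the following Python audit takes the documents returned by db.system.users.find() and reports users whose credentials lack one of the server's default SCRAM mechanisms or use a lower iterationCount than the defaults shown above. The sample documents are constructed from the expected/actual outputs in the issue, and the function names are assumptions.

```python
"""Audit admin.system.users documents for SCRAM credential coverage (hypothetical helper)."""

# Server default iterationCount per mechanism, as shown in the issue's expected output.
DEFAULT_ITERATIONS = {"SCRAM-SHA-1": 10000, "SCRAM-SHA-256": 15000}


def audit_user(doc):
    """Return a list of findings for one user document; an empty list means it matches defaults."""
    findings = []
    creds = doc.get("credentials", {})
    for mech, default_iter in DEFAULT_ITERATIONS.items():
        if mech not in creds:
            # A user created with an explicit 'mechanisms' override loses the other default.
            findings.append(f"{doc['_id']}: missing {mech} credential")
            continue
        count = creds[mech].get("iterationCount", 0)
        if count < default_iter:
            findings.append(f"{doc['_id']}: {mech} iterationCount {count} below default {default_iter}")
    return findings


def audit_users(docs):
    """Audit every document; returns a list of (user _id, findings) for users with findings."""
    results = []
    for doc in docs:
        findings = audit_user(doc)
        if findings:
            results.append((doc["_id"], findings))
    return results


# Constructed sample documents mirroring the issue's output (fields the audit
# does not inspect, such as userId, roles and the redacted keys, are omitted).
EXPECTED_DOC = {
    "_id": "admin.user", "user": "user", "db": "admin",
    "credentials": {
        "SCRAM-SHA-1": {"iterationCount": 10000},
        "SCRAM-SHA-256": {"iterationCount": 15000},
    },
}
ACTUAL_DOC = {
    "_id": "admin.user", "user": "user", "db": "admin",
    "credentials": {"SCRAM-SHA-1": {"iterationCount": 10000}},
}

if __name__ == "__main__":
    for label, doc in (("expected", EXPECTED_DOC), ("actual", ACTUAL_DOC)):
        print(label, audit_user(doc) or "OK")
```

To run it against a live deployment, feed `list(db.system.users.find())` from a driver connection into audit_users() instead of the constructed documents.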