MongoDB Agent (Automation Module): don't attempt to auth with `net.tls.clusterFile` / `net.tls.certificateKeyFile` and use Agent X.509 cert
Problem Statement
What is the problem? MongoDB Agent (Automation Module) attempts to auth with the `net.tls.clusterFile` / `net.tls.certificateKeyFile` X.509 certificate first, pretending it is a Replica Set member.
Why is this a problem? MongoDB Server process logs are flooded by unnecessary noise from such MongoDB Agent (Automation Module) auth attempts pretending it is a Replica Set member. MongoDB Server will always log Replica Set member auth certificate usage outside of the internal MongoDB Server client (https://github.com/mongodb/mongo/blob/6212e50e73dd032b448a514fe6893c6490a28a9f/src/mongo/db/commands/authentication_commands.cpp#L294-L300).
Example
{"t":{"$date":"2021-05-10T11:08:03.110+0000"},"s":"W", "c":"ACCESS", "id":20430, "ctx":"conn116","msg":"Client isn't a mongod or mongos, but is connecting with a certificate with cluster membership"}
Proposal
* Don't attempt to auth with the X.509 certificate from the `net.tls.clusterFile` / `net.tls.certificateKeyFile` MongoDB Server parameters and use the configured MongoDB Agent X.509 certificate.
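While the agent keeps producing this warning, real misuse of a cluster membership certificate is hard to spot in the noise. The following is an added example, not part of the original post and not MongoDB's code: it joins each 20430 warning to the address that opened the connection, so warnings from known agent hosts can be separated from any others. It assumes mongod 4.4+ structured logs where "Connection accepted" has id 22943 with `attr.remote` and `attr.connectionId`; the function names, sample lines and host list are constructed.

```python
import json
from collections import Counter

CLUSTER_CERT_WARNING_ID = 20430  # id from the example log line on this page
CONN_ACCEPTED_ID = 22943         # assumption: "Connection accepted" in mongod 4.4+ logs

# Constructed sample lines, not taken from a real deployment.
SAMPLE_LOG = """\
{"t":{"$date":"2021-05-10T11:08:03.050+0000"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"127.0.0.1:40112","connectionId":116,"connectionCount":3}}
{"t":{"$date":"2021-05-10T11:08:03.110+0000"},"s":"W","c":"ACCESS","id":20430,"ctx":"conn116","msg":"Client isn't a mongod or mongos, but is connecting with a certificate with cluster membership"}
{"t":{"$date":"2021-05-10T11:08:04.010+0000"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"192.0.2.25:51544","connectionId":117,"connectionCount":4}}
{"t":{"$date":"2021-05-10T11:08:04.090+0000"},"s":"W","c":"ACCESS","id":20430,"ctx":"conn117","msg":"Client isn't a mongod or mongos, but is connecting with a certificate with cluster membership"}
2021-05-10T11:08:04.200+0000 I NETWORK [listener] constructed plain-text line
{"t":{"$date":"2021-05-10T11:08:05.010+0000"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"127.0.0.1:40118","connectionId":118,"connectionCount":5}}
{"t":{"$date":"2021-05-10T11:08:05.070+0000"},"s":"W","c":"ACCESS","id":20430,"ctx":"conn118","msg":"Client isn't a mongod or mongos, but is connecting with a certificate with cluster membership"}
"""


def cluster_cert_clients(lines):
    """Count 20430 warnings per remote host by joining on the connection id."""
    remote_by_conn = {}
    hits = Counter()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not a structured log line, skip it
        if not isinstance(entry, dict):
            continue
        if entry.get("id") == CONN_ACCEPTED_ID:
            attr = entry.get("attr", {})
            # The warning's ctx is "conn<connectionId>" of the accepted connection.
            remote_by_conn["conn%s" % attr.get("connectionId")] = attr.get("remote", "unknown")
        elif entry.get("id") == CLUSTER_CERT_WARNING_ID:
            remote = remote_by_conn.get(entry.get("ctx"), "unknown")
            hits[remote.rsplit(":", 1)[0]] += 1  # drop the ephemeral port
    return hits


def unexpected_clients(hits, agent_hosts):
    """Hosts that triggered the warning but are not known agent hosts."""
    return sorted(host for host in hits if host not in agent_hosts)
```

A warning whose "Connection accepted" line is missing from the input is counted under `unknown`, so rotated or truncated logs show up as a gap instead of being silently attributed to the agent.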
-
Emilio commented
-
Sergey commented
There is a similar issue when the automation agent tries to connect as SCRAM-SHA-1 even if it's disabled and fails. I will add it here to group all authentication issues for the automation agent.
```
Testing auth with username __system db=local to ***:27017 (local=false) connectMode=SingleConnect ipversion=0 tls=true
[2021-09-09T10:25:22.801+1000] [.info] [cm/mongoclientservice/mongoclientservice.go:func1:1603] [10:25:22.801] Returning false for checkAuth on connParams=***:27017 (local=false) because we believe err is an auth failed error err=connection() : auth error: sasl conversation error: unable to authenticate using mechanism "SCRAM-SHA-1": (AuthenticationFailed) Authentication failed. (topology.ConnectionError)
[2021-09-09T10:25:22.801+1000] [.info] [cm/mongoctl/processctl.go:GetKeyHashes:1881] <RS_***_3> [10:25:22.801] Unable to successfully auth to ***:27017 (local=false) using desired auth key
2021-09-08T23:11:51.625+1000 I ACCESS [conn1967736] SASL SCRAM-SHA-1 authentication failed for __system on local from client ***:50742 ; AuthenticationFailed: ###
```