Cannot change user's password #649

@makhovaa

Description

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 6.24.0
  • Ruby: 2.5.5p15
  • Distribution: Debian 10.12
  • Module version: v4.1.0

How to reproduce (e.g Puppet code you use)

  1. Create a DB and user with Hiera:
mongodb::mongodb_db:
  'unixtest_db':  # DB name
    user     : unixtest
    password : >
      ENC[PKCS7,MIIBeQYJKoZ ... .+x] # password is password
    roles    :
      - dbOwner

In the manifest we have standard:

# Create Databases + users
  create_resources('mongodb::db', $mongodb_db, {})
  2. Test we can log in with the created user to the DB:
# mongo -u unixtest -p password unixtest_db
MongoDB shell version v5.0.9
connecting to: mongodb://127.0.0.1:27017/unixtest_db?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("37b03869-f8dd-4ab7-a004-55b4882f5aa2") }
MongoDB server version: 5.0.9
Note: Cannot determine if automation is active
unixtesttst:PRIMARY> 
  3. Change password in hiera:
mongodb::mongodb_db:
  'unixtest_db':  # DB name
    user     : unixtest
    password : >
      ENC[PKCS7,MIIBeQYJKoZIhvcNA... J] # password is password2
    roles    :
      - dbOwner
  4. Apply the config on the mongo server side. In the puppet client output we have:
    Notice: /Stage[main]/mongodb/Mongodb::Db[unixtest_db]/Mongodb_user[User unixtest on db unixtest_db]/password_hash: defined 'password_hash' as '259ee30be19a726b1e0ce6788ee85822'

  5. Try to log in with a new password (failed):

  6. Try to log in with the old password (successful):

What are you seeing

After Step 1 authentication succeeds. But after changing to another password it fails:

# mongo -u unixtest -p password2 unixtest_db
MongoDB shell version v5.0.9
connecting to: mongodb://127.0.0.1:27017/unixtest_db?compressors=disabled&gssapiServiceName=mongodb
Error: Authentication failed. :
connect@src/mongo/shell/mongo.js:372:17
@(connect):2:6
exception: connect failed
exiting with code 1

Trying to authenticate using the previous password works:

# mongo -u unixtest -p password unixtest_db
MongoDB shell version v5.0.9
connecting to: mongodb://127.0.0.1:27017/unixtest_db?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("def6181d-5cfe-4801-a3bd-51dd9c8a07f0") }
MongoDB server version: 5.0.9
Note: Cannot determine if automation is active
unixtesttst:PRIMARY>

What behaviour did you expect instead

Be able to log in with a new password

Output log

Any additional information you'd like to impart

MongoDB database server: 5.0.9

In the debug messages I see:

Debug: Executing: '/usr/bin/mongo unixtest_db --quiet --host 127.0.0.1:27017 --eval load('/root/.mongorc.js'); db.runCommand({"updateUser":"unixtest","pwd":"2a7a72f6fc32c68fb479e9530e3c50c6","digestPassword":false})'
Notice: /Stage[main]/mongodb/Mongodb::Db[unixtest_db]/Mongodb_user[User unixtest on db unixtest_db]/password_hash: defined 'password_hash' as '2a7a72f6fc32c68fb479e9530e3c50c6' (corrective)

UPDATE

If I make a terminal command from the puppet-agent debug message and run it I get:

# /usr/bin/mongo unixtest_db  --host 127.0.0.1:27017 --eval "load('/root/.mongorc.js'); db.runCommand({'updateUser':'unixtest','pwd':'259ee30be19a726b1e0ce6788ee85822','digestPassword':false})"
MongoDB shell version v5.0.9
connecting to: mongodb://127.0.0.1:27017/unixtest_db?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("c0da39ca-3616-4494-813e-63d594773843") }
MongoDB server version: 5.0.9
{
        "ok" : 0,
        "errmsg" : "Use of SCRAM-SHA-256 requires undigested passwords",
        "code" : 2,
        "codeName" : "BadValue",
        "$clusterTime" : {
                "clusterTime" : Timestamp(1666875789, 1),
                "signature" : {
                        "hash" : BinData(0,"yc1Y+TaxA+0oJ9CjVyU1ymMTkd8="),
                        "keyId" : NumberLong("7124297124161781766")
                }
        },
        "operationTime" : Timestamp(1666875789, 1)
} 

So it tries to use SHA-256 instead of the expected SHA-1.

The problem is solved if we add the mechanism parameter to the command:

# /usr/bin/mongo unixtest_db  --host 127.0.0.1:27017 --eval "load('/root/.mongorc.js'); db.runCommand({'updateUser':'unixtest','pwd':'259ee30be19a726b1e0ce6788ee85822','digestPassword':false,'mechanisms':['SCRAM-SHA-1']})"
MongoDB shell version v5.0.9
connecting to: mongodb://127.0.0.1:27017/unixtest_db?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("ae11303d-f545-4feb-b7b2-ffcfb326e079") }
MongoDB server version: 5.0.9
{
        "ok" : 1,
        "$clusterTime" : {
                "clusterTime" : Timestamp(1666876087, 1),
                "signature" : {
                        "hash" : BinData(0,"SUAD/tTZnG2pmdHrTavtYKT/Ahs="),
                        "keyId" : NumberLong("7124297124161781766")
                }
        },
        "operationTime" : Timestamp(1666876087, 1)
}

After that we can log in with a new password.
Working on the fix.
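
The behaviour reported above, as an added Ruby example that is not part of the original issue or the module's code: it builds the `updateUser` document with the mechanism pinned when the password is pre-digested, and treats any reply other than `ok: 1` as a failure so a rejected update is not reported as an applied change. It assumes the 32-character value in the log is MongoDB's legacy digest (MD5 of `user:mongo:password`); the function names and the two sample replies are constructed for illustration.

```ruby
require 'digest'

# MongoDB's legacy credential digest: MD5 hex of "<user>:mongo:<password>".
# Assumption: this is the kind of value shown as password_hash in the issue.
def legacy_password_hash(user, password)
  Digest::MD5.hexdigest("#{user}:mongo:#{password}")
end

# Build the updateUser document (hypothetical helper).
# A pre-digested value can only feed SCRAM-SHA-1, so the mechanism list is
# pinned. A cleartext password is digested by the server, which can then
# derive credentials for its default mechanisms, including SCRAM-SHA-256.
def update_user_command(user, pwd, digested:)
  if digested
    raise ArgumentError, 'expected 32 hex characters' unless pwd.match?(/\A\h{32}\z/)

    { 'updateUser' => user, 'pwd' => pwd, 'digestPassword' => false,
      'mechanisms' => ['SCRAM-SHA-1'] }
  else
    { 'updateUser' => user, 'pwd' => pwd, 'digestPassword' => true }
  end
end

# Fail loudly on anything but ok == 1, instead of logging a successful change.
def ensure_applied!(reply)
  return true if reply['ok'] == 1

  raise "updateUser rejected: #{reply['errmsg']} (#{reply['codeName']})"
end

# Replies constructed from the fields visible in the issue's shell output.
REJECTED = { 'ok' => 0, 'code' => 2, 'codeName' => 'BadValue',
             'errmsg' => 'Use of SCRAM-SHA-256 requires undigested passwords' }.freeze
ACCEPTED = { 'ok' => 1 }.freeze

if __FILE__ == $PROGRAM_NAME
  hash = legacy_password_hash('unixtest', 'password2')
  puts update_user_command('unixtest', hash, digested: true).inspect
  begin
    ensure_applied!(REJECTED)
  rescue RuntimeError => e
    puts e.message
  end
end
```
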
