mongodb/mongodb-kubernetes-operator

scram-sha-1 User

Closed this issue · 11 comments

How can we create users with SCRAM-SHA-1 authentication mechanism?

Hello @irajdeep

The current version allows only SHA-256, which is better secured; that makes sense, but the same mongo version still supports both.

The cluster-configuration.json file that is mounted to the mongodb-agent contains the database configuration including the 2 arrays with supported hash functions.

It looks like we must add the item "SCRAM-SHA-1" to the 2 arrays created by scram_enabler.go, but I do not know if there is some other logic in the middle of this, or if you plan to do it or not.

The workaround mentioned by @rgherta can be automated using a MutatingAdmissionWebhook.
This repository does just that: https://github.com/andreasevers/mongodb-operator-scram-sha-1-mutatingadmissionwebhook

This issue is being marked stale because it has been open for 60 days with no activity. Please comment if this issue is still affecting you. If there is no change, this issue will be closed in 30 days.

Hi all,

Bumping this topic to know if there are any plans to add SCRAM-SHA-1 support directly in the operator? Honestly, since this auth mechanism is supported and not deprecated by MongoDB, I don't see why the operator should prevent its use.

Support for SCRAM-SHA-1 would help in migrating old applications not yet supporting SCRAM-SHA-256. Relying on a mutating webhook workaround feels a bit odd.

Thanks

With scram-sha-1 the operator will see better adoption by legacy systems running in private clusters.

This issue is being marked stale because it has been open for 60 days with no activity. Please comment if this issue is still affecting you. If there is no change, this issue will be closed in 30 days.

I guess I'm the first to report that the feature is still not supported in 0.7.0, even if announced in the release notes...

{"t":{"$date":"2021-07-12T17:22:28.484+00:00"},"s":"I",  "c":"ACCESS",   "id":20249,   "ctx":"conn35649","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-1","principalName":"rt","authenticationDatabase":"rt","client":"100.64.0.30:44118","result":"BadValue: SCRAM-SHA-1 authentication is disabled"}}

The error message is the very same as before upgrade.

Containers:
  mongodb-kubernetes-operator:
    Container ID:  containerd://8401da467efd26639f12dc61d8a46eae957477fe07d23376b49e5af9eb90fa7d
    Image:         quay.io/mongodb/mongodb-kubernetes-operator:0.7.0
    Image ID:      quay.io/mongodb/mongodb-kubernetes-operator@sha256:e19ae43539521f0350fb71684757dc535fc989deb75f3789cd84b782489eda80
    Port:          <none>
    Host Port:     <none>
    Command:
      /usr/local/bin/entrypoint
    State:          Running
      Started:      Mon, 12 Jul 2021 11:15:31 +0000
    Ready:          True
    Restart Count:  0
    Limits:
      cpu:     1100m
      memory:  1Gi
    Requests:
      cpu:     500m
      memory:  200Mi
    Environment:
      WATCH_NAMESPACE:             default (v1:metadata.namespace)
      POD_NAME:                    mongodb-kubernetes-operator-957dff59d-kqmzh (v1:metadata.name)
      OPERATOR_NAME:               mongodb-kubernetes-operator
      AGENT_IMAGE:                 quay.io/mongodb/mongodb-agent:11.0.5.6963-1
      VERSION_UPGRADE_HOOK_IMAGE:  quay.io/mongodb/mongodb-kubernetes-operator-version-upgrade-post-start-hook:1.0.2
      READINESS_PROBE_IMAGE:       quay.io/mongodb/mongodb-kubernetes-readinessprobe:1.0.4
      MONGODB_IMAGE:               mongo
      MONGODB_REPO_URL:            docker.io
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-kcz2v (ro)
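The log line above, and the second failure shape reported later in this thread, point at two different fixes: "authentication is disabled" means the mechanism is not in the replica set's enabled modes, while "without any SCRAM-SHA-1 credentials registered" means the mechanism is on but the user has no credential record for it. The following triage script is an added example, not code from the operator or from anyone in this thread. It reads mongod's JSON log format, keeps only ACCESS "Authentication failed" records, and buckets them by mechanism and cause. The sample log is constructed: its first line is the one quoted in this thread, the remaining lines (including the message ids and a non-JSON line) are made up to exercise the other paths.

```python
"""Triage mongod structured-log authentication failures by mechanism and cause.

Added example (not the operator's code). Assumes mongod's JSON log layout:
top-level "c" (component), "msg", and "attr" with mechanism/principalName/
authenticationDatabase/client/result, as in the line quoted in this thread.
"""
import json
from collections import Counter

# Constructed sample log: line 1 is quoted from this thread, the rest are made up.
SAMPLE_LOG = """\
{"t":{"$date":"2021-07-12T17:22:28.484+00:00"},"s":"I",  "c":"ACCESS",   "id":20249,   "ctx":"conn35649","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-1","principalName":"rt","authenticationDatabase":"rt","client":"100.64.0.30:44118","result":"BadValue: SCRAM-SHA-1 authentication is disabled"}}
{"t":{"$date":"2021-07-12T17:22:29.101+00:00"},"s":"I",  "c":"ACCESS",   "id":20249,   "ctx":"conn35650","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-1","principalName":"rt","authenticationDatabase":"rt","client":"100.64.0.31:50120","result":"AuthenticationFailed: Unable to use SCRAM-SHA-1 based authentication for user without any SCRAM-SHA-1 credentials registered"}}
{"t":{"$date":"2021-07-12T17:22:30.250+00:00"},"s":"I",  "c":"ACCESS",   "id":20249,   "ctx":"conn35651","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","principalName":"my-user","authenticationDatabase":"admin","client":"100.64.0.40:41000","result":"AuthenticationFailed: SCRAM authentication failed, storedKey mismatch"}}
{"t":{"$date":"2021-07-12T17:22:31.000+00:00"},"s":"I",  "c":"NETWORK",  "id":22943,   "ctx":"listener","msg":"Connection accepted","attr":{"remote":"100.64.0.30:44119","connectionId":35652}}
not json at all
"""


def parse_auth_failures(text):
    """Yield one dict per ACCESS 'Authentication failed' record; skip everything else."""
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # not a structured-log line (plain text, truncated, etc.)
        if rec.get("c") != "ACCESS" or rec.get("msg") != "Authentication failed":
            continue
        attr = rec.get("attr", {})
        yield {
            "time": rec.get("t", {}).get("$date"),
            "mechanism": attr.get("mechanism"),
            "principal": f'{attr.get("principalName")}@{attr.get("authenticationDatabase")}',
            # Keep the client IP only; the source port changes on every connection.
            "client": (attr.get("client") or "").rsplit(":", 1)[0],
            "result": attr.get("result", ""),
        }


def classify(result):
    """Map the result string to the remediation it points at."""
    if "authentication is disabled" in result:
        # Fix: add the mechanism to spec.security.authentication.modes.
        return "mechanism-disabled"
    if "without any" in result and "credentials registered" in result:
        # Fix: the user needs a credential record generated for that mechanism.
        return "no-credentials-for-mechanism"
    return "other"  # wrong password, unknown user, ...


def triage(text):
    """Count failures per (mechanism, cause) and list the (user, client) pairs hit."""
    counts = Counter()
    affected = {}
    for ev in parse_auth_failures(text):
        cause = classify(ev["result"])
        counts[(ev["mechanism"], cause)] += 1
        affected.setdefault(cause, set()).add((ev["principal"], ev["client"]))
    return counts, affected


if __name__ == "__main__":
    counts, affected = triage(SAMPLE_LOG)
    for (mechanism, cause), n in sorted(counts.items()):
        print(f"{mechanism:<14} {cause:<30} {n}")
    for cause, pairs in affected.items():
        print(cause, sorted(pairs))
```

Running it over a real mongod log (for example `kubectl logs <pod> -c mongod`) shows at a glance whether the remaining SCRAM-SHA-1 failures are a mode problem or a per-user credential problem, which is the distinction that separates the two error messages in this thread.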

hi @bodomic2,

I just tried deploying a MongoDB Replica Set with SCRAM-SHA-1 successfully using operator 0.7.0

I'll report here the specs used, if it still doesn't work for you please open a new issue:

kubectl get mdbc -o yaml (omitting metadata and status here)

apiVersion: v1
items:
- apiVersion: mongodbcommunity.mongodb.com/v1
  kind: MongoDBCommunity
  metadata:
    name: example-mongodb
    namespace: mongodb
  spec:
    members: 3
    security:
      authentication:
        ignoreUnknownUsers: true
        modes:
        - SCRAM-SHA-1
    type: ReplicaSet
    users:
    - db: admin
      name: my-user
      passwordSecretRef:
        name: my-user-password
      roles:
      - db: admin
        name: clusterAdmin
      - db: admin
        name: userAdminAnyDatabase
      scramCredentialsSecretName: my-scram
    version: 4.2.6

Thanks for your answer, @bznein!
It was definitely my mistake to assume that modes: SCRAM would serve for both SHA-1 and SHA-256...
After re-applying the updated configuration I have two issues:

  1. Replica set has descended to only one member (number 0). I've already reported it in other issues; this makes me spend several hours on each iteration, recreating the whole k8s cluster from scratch. I encounter this issue on every single configuration update.
  2. Error message in mongodb log has changed to:
"result":"AuthenticationFailed: Unable to use SCRAM-SHA-1 based authentication for user without any SCRAM-SHA-1 credentials registered"

It seems I need to recreate user secrets somehow; however, I have not found any differences I need to make to the secret itself. I believe it is encrypted on the cluster level, not on the 'mongodb operator with SHA-1' level...
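The "without any SCRAM-SHA-1 credentials registered" message is explained by how SCRAM stores credentials: the server never keeps the password, only a StoredKey and ServerKey derived with the mechanism's own hash, so a user provisioned while only SCRAM-SHA-256 was enabled has nothing a SCRAM-SHA-1 exchange can be checked against, and the password secret itself does not need to change. The code below is an added example, not code from the operator, that derives both records for one password and shows the server-side proof check succeeding only under the matching mechanism. It follows RFC 5802/7677 and MongoDB's documented password preparation (MD5 of "user:mongo:password" for SCRAM-SHA-1). Assumptions: the iteration counts 10000 and 15000 are taken to be the mongod defaults, a 16-byte salt is used for both, SASLprep is omitted (the sample password is ASCII, where it is a no-op), and the AuthMessage, salt and password are constructed sample values.

```python
"""Derive MongoDB SCRAM credential records and verify a client proof.

Added example, not mongodb-kubernetes-operator code. Iteration counts are
assumed to be the mongod defaults; SASLprep is omitted (ASCII password).
"""
import base64
import hashlib
import hmac
import os

# Per-mechanism hash, PBKDF2 output length, and (assumed) default iterations.
MECHANISMS = {
    "SCRAM-SHA-1": {"hash": "sha1", "iterations": 10000, "dklen": 20},
    "SCRAM-SHA-256": {"hash": "sha256", "iterations": 15000, "dklen": 32},
}


def prepare_password(mechanism, username, password):
    """Bytes PBKDF2 runs over: MD5 hex of 'user:mongo:password' for SHA-1,
    the (SASLprep'd, here plain ASCII) password for SHA-256."""
    if mechanism == "SCRAM-SHA-1":
        digest = hashlib.md5(f"{username}:mongo:{password}".encode("utf-8"))
        return digest.hexdigest().encode("ascii")
    if mechanism == "SCRAM-SHA-256":
        return password.encode("utf-8")
    raise ValueError(f"unsupported mechanism {mechanism}")


def _keys(mechanism, username, password, salt, iterations):
    """SaltedPassword -> (ClientKey, StoredKey, ServerKey) per RFC 5802."""
    p = MECHANISMS[mechanism]
    prepared = prepare_password(mechanism, username, password)
    salted = hashlib.pbkdf2_hmac(p["hash"], prepared, salt, iterations, p["dklen"])
    client_key = hmac.new(salted, b"Client Key", p["hash"]).digest()
    server_key = hmac.new(salted, b"Server Key", p["hash"]).digest()
    stored_key = hashlib.new(p["hash"], client_key).digest()
    return client_key, stored_key, server_key


def derive_credentials(mechanism, username, password, salt=None, iterations=None):
    """The per-mechanism record the server keeps; the password itself is not stored."""
    salt = salt if salt is not None else os.urandom(16)  # assumed salt size
    iterations = iterations or MECHANISMS[mechanism]["iterations"]
    _, stored_key, server_key = _keys(mechanism, username, password, salt, iterations)
    return {
        "iterationCount": iterations,
        "salt": base64.b64encode(salt).decode("ascii"),
        "storedKey": base64.b64encode(stored_key).decode("ascii"),
        "serverKey": base64.b64encode(server_key).decode("ascii"),
    }


def credentials_for_modes(username, password, modes):
    """One record per enabled mode: enabling a new mode means deriving a new record."""
    return {mode: derive_credentials(mode, username, password) for mode in modes}


def client_proof(mechanism, username, password, salt, iterations, auth_message):
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    p = MECHANISMS[mechanism]
    client_key, stored_key, _ = _keys(mechanism, username, password, salt, iterations)
    client_sig = hmac.new(stored_key, auth_message, p["hash"]).digest()
    return bytes(a ^ b for a, b in zip(client_key, client_sig))


def verify_client_proof(mechanism, record, auth_message, proof):
    """Server side: recover ClientKey from the proof, check H(ClientKey) == StoredKey."""
    p = MECHANISMS[mechanism]
    stored_key = base64.b64decode(record["storedKey"])
    client_sig = hmac.new(stored_key, auth_message, p["hash"]).digest()
    if len(proof) != len(client_sig):
        return False  # proof built under a different hash cannot match
    client_key = bytes(a ^ b for a, b in zip(proof, client_sig))
    return hmac.compare_digest(hashlib.new(p["hash"], client_key).digest(), stored_key)


# Constructed sample values so the run is reproducible.
SAMPLE_SALT = bytes(range(16))
SAMPLE_AUTH_MESSAGE = b"n=rt,r=cnonce,s=AAECAwQFBgcICQoLDA0ODw==,i=10000,c=biws,r=cnoncesnonce"


if __name__ == "__main__":
    records = credentials_for_modes("rt", "correct-horse", ["SCRAM-SHA-1", "SCRAM-SHA-256"])
    for mech, rec in records.items():
        print(mech, rec)
    rec1 = derive_credentials("SCRAM-SHA-1", "rt", "correct-horse", SAMPLE_SALT, 10000)
    proof = client_proof("SCRAM-SHA-1", "rt", "correct-horse", SAMPLE_SALT, 10000, SAMPLE_AUTH_MESSAGE)
    print("SHA-1 proof against SHA-1 record:", verify_client_proof("SCRAM-SHA-1", rec1, SAMPLE_AUTH_MESSAGE, proof))
```

The point for the operator case is the `credentials_for_modes` call: each mode in `spec.security.authentication.modes` needs its own record, so a user created before SCRAM-SHA-1 was enabled has to have the SHA-1 record generated from the same password secret before SCRAM-SHA-1 logins can succeed.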

SHA-1 authentication has been added in release v0.7.0.
More info about this release here.