telefonicaid/fiware-orion

Compiling MongoDB driver with --ssl or --use-sasl-client

Closed this issue · 13 comments

From Luca Silvestry report by email:

Starting from V.3, MongoDB has implemented a new security mechanism for user authentication, called SCRAM_SHA1 (http://docs.mongodb.org/manual/core/authentication/#authentication-scram-sha-1)

This improvement has changed the old MONGODB-CR Authentication and is not retro compatible. As a consequence, users created under MongoDB version 3 or higher are forced to the new SCRAM standard, and this requires mongo driver update.

http://docs.mongodb.org/manual/release-notes/3.0-compatibility/#compatibility-driver-versions

Luckily, checking into the Orion GitHub repository, the C++ driver used is compatible with the new mongo release, but it requires some switches at build time.

Check the following bash history to see what switches are required; it's an output of CB running from command line:

sudo contextBroker -db orion -dbhost x.x.x.x:27017 -dbuser user -dbpwd password

$ INFO@13:46:43 contextBroker.cpp[1411]: Orion Context Broker is running
$ INFO@13:46:43 mongoConnectionPool.cpp[184]: Successful connection to database
$ terminate called after throwing an instance of 'mongo::UserException' what(): SCRAM-SHA-1 mechanism support not compiled into client library. (Some mechanisms require the driver be compiled with the flags --ssl or --use-sasl-client)

This issue is about compiling the driver in that way and evaluating whether that has some impact on performance. In the positive case, those flags could be part of the official build.

(This is "nice2have" while the official MongoDB version for Orion is still 2.6)

Effort: 2 man day

From Luca Silvestry email:

After compiling Orion from source with the MongoDB driver compiled using the -ssl switch, the authentication against MongoDB 3.0 works.
Test done with this scenario:

  • calling Orion from the command line;
  • no config files have been used/tested;
  • orion not running as a service.

Dear fgalan

I built fiware-orion with mongo-cxx-driver-r3.1.1.
However, it has an error:
"...//fiware-orion/src/lib/ngsi/Metadata.h:33:35: fatal error: mongo/client/dbclient.h: No such file or directory
#include "mongo/client/dbclient.h"
^
compilation terminated. ....."

How to fix this problem?

Thanks!

This error seems to be due to the compiler looking for a required library that is not installed. Note that according to the documentation you should use legacy-1.0.7 and not 3.1.1 for the mongo driver dependency.

Thanks fgalan,
I built OK on CentOS_6.
I built orion with legacy-1.0.7 on CentOS_7.2.1511.
When running make, I met an error:
"[100%] Building CXX object src/app/contextBroker/CMakeFiles/contextBroker.dir/contextBroker.cpp.o
Linking CXX executable contextBroker
/bin/ld: /usr/local/lib/libmongoclient.a(ssl_manager.o): undefined reference to symbol 'SSL_get_error@@libssl.so.10'
/bin/ld: note: 'SSL_get_error@@libssl.so.10' is defined in DSO /lib64/libssl.so.10 so try adding it to the linker command line
/lib64/libssl.so.10: could not read symbols: Invalid operation
collect2: error: ld returned 1 exit status
make[3]: *** [src/app/contextBroker/contextBroker] Error 1

...

How to fix this problem?
Thanks!

It seems that some library is missing at the linking stage, see: "try adding it to the linker command line". In this case, the command line is not the place where it should be added, but probably some CMakeList.txt.

Sorry for not being very precise with this feedback... Note that we don't build CB with the mongo driver in this special way (with SSL and so on), so our building framework is not adapted to such a case. However, if you solve the case by modifying the CMakeList.txt files (or any other way) I would be more than happy to know how :) Please keep posting your feedback in that case.

Thanks!

Since we (I and Hungtv31) could not build CB with the mongo driver with SSL, we have set the mongodb standard authentication mechanism back to MONGO-CR. It's not perfect :(, but it's ok for us at the moment.
We are still trying to build it again.
Thanks fgalan!!

I managed to compile without many issues. The point is to correctly compile the legacy mongodb library.

you need to install sasl-devel libs:
yum install cyrus-sasl-devel

compile and install mongodb legacy driver:
scons --use-sasl-client --ssl
sudo scons install --prefix=/usr/local --use-sasl-client --ssl

I'm using docker to deploy Orion and mongoDB, but when I try to use auth I'm getting the same error described here.
(authentication fails: db=admin, username='xxxx', password='*****', expection='SCRAM-SHA-1 mechanism support not compiled into client library. (Some mechanisms require the driver be compiled with the flags --ssl or --use-sasl-client)')
Is there any solution for this?
Thanks

@Naff16 probably compiling the MongoDB driver using those flags will solve the issue. It should be a matter of adjusting the scons invocation at this point in the Dockerfile: https://github.com/telefonicaid/fiware-orion/blob/master/docker/Dockerfile#L43

However, note that this is not the official way of using Orion Context Broker, so you could find some unknown problem. I'd recommend you test the new setup in depth before using it in productive environments.

Documentation explaining how to compile the driver that way is added in PR #3053

We don't know the impact of such compilation from a performance point of view, so we are aren't including it in "official" RPM and binaries. However, the procedure would be enough for those users who give priority to SSL/SASL over performance and, under my understanding, this issue could be closed.

It would be great to have feedback from other participants in this discussion (@hungtv31 @vuasutu @chicco785 @Naff16). Thanks!

I suppose you meant "we are NOT including it", correct?

Correct! Sorry for the typo...

After leaving some time (12 days) to get comments with no feedback received, I'm closing the issue.