New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(DRIVERS-1803): add new canonicalize host name opts #1135
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall looks reasonable. Some clarification required along with fixing the Python sample impl.
reversed = do a reverse DNS lookup for address | ||
if reversed: | ||
if forwardAndReverse: | ||
reversed = do a reverse DNS lookup for address |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
CANONICALIZE_HOST_NAME
is currently equivalent to forwardAndReverse
. This PR changes it to mean forward
. Is that the correct behaviour? Why are we potentially breaking backward compat?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As well the Python impl below does not take true
versus forward
versus forwardAndReverse
into account. It still implements the old pseudo code where only true
was applicable and had the same meaning as forwardAndReverse
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Given that we are asking drivers to implement (or wrap libgssapi) to canonicalize host names, do we want to add some host name canonicalization tests to ensure that drivers are performing canonicalization correctly? It seems dangerous to leave this behaviour testing up to each driver individually as it may give rise to differences in implementation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch. I was basing this off the Node implementation which doesn't do the reverse lookup so I'll update to make forwardAndReverse the default. Also yes I will add some more tests as well and ping you when the changes are made.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've updated to default true
to being "forwardAndReverse", updated the python impl, and added spec test for raising an error on invalid values.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The Java driver calls java.net.InetAddress#getByName(java.lang.String), followed by java.net.InetAddress#getCanonicalHostName. I think that's the equivalent of forwardAndReverse.... Can you confirm?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes that is the equivalent of forwardAndReverse.
source/auth/auth.rst
Outdated
@@ -468,7 +468,7 @@ mechanism_properties | |||
Hostname Canonicalization | |||
````````````````````````` | |||
|
|||
If CANONICALIZE_HOST_NAME is true, the client MUST canonicalize the name of each host it uses for authentication. There are two options. First, if the client's underlying GSSAPI library provides hostname canonicalization, the client MAY rely on it. For example, MIT Kerberos has `a configuration option for canonicalization <https://web.mit.edu/kerberos/krb5-1.13/doc/admin/princ_dns.html#service-principal-canonicalization>`_. | |||
If CANONICALIZE_HOST_NAME is true, "forward", or "forwardAndReverse", the client MUST canonicalize the name of each host it uses for authentication. There are two options. First, if the client's underlying GSSAPI library provides hostname canonicalization, the client MAY rely on it. For example, MIT Kerberos has `a configuration option for canonicalization <https://web.mit.edu/kerberos/krb5-1.13/doc/admin/princ_dns.html#service-principal-canonicalization>`_. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What are the valid values for CANONICALIZE_HOST_NAME
. Based on this statement, valid values include true
, "forward"
, and "forwardAndReverse"
. I assume false
would also be valid. In the spec tests below, "none"
is also used.
Should true/false be deprecated? If not, should false
or "none"
be used when disabling canonicalization.
What is the expected behaviour for an unknown value like "off"
or "on"
? Should an error be raised? Should it default to true? Or false? My concern here is what if someone uses "forwardReverse"
rather than "forwardAndReverse"
by mistake? Or if they type "foward"
(misspelling)?
We should clearly enumerate the allowed values for CANONICALIZE_HOST_NAMES
and specify whether an error or warning should be raised for unknown values.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've called out now all valid values in the spec for CANONICALIZE_HOST_NAME
and specified that drivers MUST error if the value provided is not one of them. I've decided not to deprecate true
and false
and just say that drivers MAY allow them, since I figured many apps may depend on true
and false
and not want to change them as these changes were driven by the dev tools team.
Node reference impl: mongodb/node-mongodb-native#3131 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking good. Just one main outstanding question around MAY/MUST and tests.
@@ -460,7 +460,7 @@ mechanism_properties | |||
Drivers MUST allow the user to specify a different service name. The default is "mongodb". | |||
|
|||
CANONICALIZE_HOST_NAME | |||
Drivers MAY allow the user to request canonicalization of the hostname. This might be required when the hosts report different hostnames than what is used in the kerberos database. The default is "false". | |||
Drivers MAY allow the user to request canonicalization of the hostname. This might be required when the hosts report different hostnames than what is used in the kerberos database. The value is a string of either "none", "forward", or "forwardAndReverse". "none" is the default and performs no canonicalization. "forward" performs a forward DNS lookup to canonicalize the hostname. "forwardAndReverse" performs a forward DNS lookup and then a reverse lookup on that value to canonicalize the hostname. The driver MUST error if any lookup errors or returns no results. Drivers MAY decide to also keep the legacy boolean values where `true` equals the "forwardAndReverse" behaviour and `false` equals "none". |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for explicitly specifying the options. I agree that keeping the legacy boolean values makes sense for backwards compatibility. However you say "Driver MAY decide to also keep the legacy boolean values" but later on have tests requiring this behaviour. We have to either require drivers to accept the boolean values or remove the test that asserts that boolean values work.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've gone and removed those tests now for the MAY wording.
} | ||
} | ||
}, | ||
{ | ||
"description": "should accept true as hostname canonicalization (GSSAPI)", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See comment above. We can only include this test if drivers "MUST" accept boolean values. Right now they "MAY" and any driver not accepting boolean values would fail this test.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've removed the tests now for true/false values.
@@ -2,7 +2,7 @@ | |||
"tests": [ | |||
{ | |||
"description": "Valid auth options are parsed correctly (GSSAPI)", | |||
"uri": "mongodb://foo:bar@example.com/?authMechanism=GSSAPI&authMechanismProperties=SERVICE_NAME:other,CANONICALIZE_HOST_NAME:true,SERVICE_HOST:example.com&authSource=$external", | |||
"uri": "mongodb://foo:bar@example.com/?authMechanism=GSSAPI&authMechanismProperties=SERVICE_NAME:other,CANONICALIZE_HOST_NAME:forwar,SERVICE_HOST:example.comd&authSource=$external", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
forwar => forward
example.comd => example.com
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
@@ -1,7 +1,7 @@ | |||
tests: | |||
- | |||
description: "Valid auth options are parsed correctly (GSSAPI)" | |||
uri: "mongodb://foo:bar@example.com/?authMechanism=GSSAPI&authMechanismProperties=SERVICE_NAME:other,CANONICALIZE_HOST_NAME:true,SERVICE_HOST:example.com&authSource=$external" | |||
uri: "mongodb://foo:bar@example.com/?authMechanism=GSSAPI&authMechanismProperties=SERVICE_NAME:other,CANONICALIZE_HOST_NAME:forwar,SERVICE_HOST:example.comd&authSource=$external" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
forwar => forward
example.comd => example.com
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
For GSSAPI this updates the values accepted in the
CANONICALIZE_HOST_NAME
auth mechanism properties. These new values are:Drivers may also continue to support the old boolean values if desired in addition to these new values.
true
is equivalent to "forwardAndReverse" andfalse
is equivalent to "none".Node reference impl: mongodb/node-mongodb-native#3131