feat(DRIVERS-1803): add new canonicalize host name opts #1135
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -460,7 +460,7 @@ mechanism_properties | |
| Drivers MUST allow the user to specify a different service name. The default is "mongodb". | ||
|
|
||
| CANONICALIZE_HOST_NAME | ||
| Drivers MAY allow the user to request canonicalization of the hostname. This might be required when the hosts report different hostnames than what is used in the kerberos database. The value is a string of either "none", "forward", or "forwardAndReverse". "none" is the default and performs no canonicalization. "forward" performs a forward DNS lookup to canonicalize the hostname. "forwardAndReverse" performs a forward DNS lookup and then a reverse lookup on that value to canonicalize the hostname. The driver MUST error if any lookup errors or returns no results. Drivers MAY decide to also keep the legacy boolean values where `true` equals the "forwardAndReverse" behaviour and `false` equals "none". | ||
|
|
||
| SERVICE_REALM | ||
| Drivers MAY allow the user to specify a different realm for the service. This might be necessary to support cross-realm authentication where the user exists in one realm and the service in another. | ||
|
|
@@ -471,7 +471,11 @@ mechanism_properties | |
| Hostname Canonicalization | ||
| ````````````````````````` | ||
|
|
||
| Valid values for CANONICALIZE_HOST_NAME are `true`, `false`, "none", "forward", "forwardAndReverse". If a value is provided that does not match one of these the driver MUST raise an error. | ||
|
|
||
| If CANONICALIZE_HOST_NAME is `false`, "none", or not provided, the driver MUST NOT canonicalize the host name. | ||
|
|
||
| If CANONICALIZE_HOST_NAME is `true`, "forward", or "forwardAndReverse", the client MUST canonicalize the name of each host it uses for authentication. There are two options. First, if the client's underlying GSSAPI library provides hostname canonicalization, the client MAY rely on it. For example, MIT Kerberos has `a configuration option for canonicalization <https://web.mit.edu/kerberos/krb5-1.13/doc/admin/princ_dns.html#service-principal-canonicalization>`_. | ||
|
|
||
| Second, the client MAY implement its own canonicalization. If so, the canonicalization algorithm MUST be:: | ||
|
|
||
|
|
@@ -489,8 +493,8 @@ Second, the client MAY implement its own canonicalization. If so, the canonicali | |
| # Unspecified which CNAME is used if > 1. | ||
| host = one of the records in cnames | ||
|
|
||
| if forwardAndReverse or true: | ||
| reversed = do a reverse DNS lookup for address | ||
|
There was a problem hiding this comment.
There was a problem hiding this comment. As well the Python impl below does not take There was a problem hiding this comment. Given that we are asking drivers to implement (or wrap libgssapi) to canonicalize host names, do we want to add some host name canonicalization tests to ensure that drivers are performing canonicalization correctly? It seems dangerous to leave this behaviour testing up to each driver individually as it may give rise to differences in implementation. There was a problem hiding this comment. Good catch. I was basing this off the Node implementation which doesn't do the reverse lookup so I'll update to make forwardAndReverse the default. Also yes I will add some more tests as well and ping you when the changes are made. There was a problem hiding this comment. I've updated to default There was a problem hiding this comment. The Java driver calls java.net.InetAddress#getByName(java.lang.String), followed by java.net.InetAddress#getCanonicalHostName. I think that's the equivalent of forwardAndReverse.... Can you confirm? There was a problem hiding this comment. Yes that is the equivalent of forwardAndReverse. |
||
| canonicalized = lowercase(reversed) | ||
| else: | ||
| canonicalized = lowercase(host) | ||
|
|
@@ -503,23 +507,25 @@ For example, here is a Python implementation of this algorithm using ``getaddrin | |
| import sys | ||
|
|
||
|
|
||
| def canonicalize(host, mode): | ||
| # Get a CNAME for host, if any. | ||
| af, socktype, proto, canonname, sockaddr = getaddrinfo( | ||
| host, None, 0, 0, IPPROTO_TCP, AI_CANONNAME)[0] | ||
|
|
||
| print('address from getaddrinfo: [%s]' % (sockaddr[0],)) | ||
| print('canonical name from getaddrinfo: [%s]' % (canonname,)) | ||
|
|
||
| if (mode == true or mode == 'forwardAndReverse'): | ||
| try: | ||
| # NI_NAMEREQD requests an error if getnameinfo fails. | ||
| name = getnameinfo(sockaddr, NI_NAMEREQD) | ||
| except gaierror as exc: | ||
| print('getname info failed: "%s"' % (exc,)) | ||
| return canonname.lower() | ||
| return name[0].lower() | ||
| else: | ||
| return canonname.lower() | ||
|
|
||
|
|
||
| canonicalized = canonicalize(sys.argv[1]) | ||
| print('canonicalized: [%s]' % (canonicalized,)) | ||
|
|
@@ -1063,7 +1069,7 @@ authSource | |
| authMechanismProperties=PROPERTY_NAME:PROPERTY_VALUE,PROPERTY_NAME2:PROPERTY_VALUE2 | ||
| A generic method to set mechanism properties in the connection string. | ||
|
|
||
| For example, to set REALM and CANONICALIZE_HOST_NAME, the option would be ``authMechanismProperties=CANONICALIZE_HOST_NAME:forward,SERVICE_REALM:AWESOME``. | ||
|
|
||
| gssapiServiceName (deprecated) | ||
| An alias for ``authMechanismProperties=SERVICE_NAME:mongodb``. | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for explicitly specifying the options. I agree that keeping the legacy boolean values makes sense for backwards compatibility. However you say "Driver MAY decide to also keep the legacy boolean values" but later on have tests requiring this behaviour. We have to either require drivers to accept the boolean values or remove the test that asserts that boolean values work.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've gone and removed those tests now for the MAY wording.