Cannot change user's password #649

Open
makhovaa opened this issue Sep 15, 2022 · 1 comment · May be fixed by #650 or #662

makhovaa commented Sep 15, 2022

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 6.24.0
  • Ruby: 2.5.5p15
  • Distribution: Debian 10.12
  • Module version: v4.1.0

How to reproduce (e.g Puppet code you use)

  1. Create a DB and user with Hiera:

mongodb::mongodb_db:
  'unixtest_db':  # DB name
    user     : unixtest
    password : >
      ENC[PKCS7,MIIBeQYJKoZ ... .+x] # password is password
    roles    :
      - dbOwner

In the manifest we have standard:

# Create Databases + users
  create_resources('mongodb::db', $mongodb_db, {})

  2. Test we can log in with the created user to the DB:

# mongo -u unixtest -p password unixtest_db
MongoDB shell version v5.0.9
connecting to: mongodb://127.0.0.1:27017/unixtest_db?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("37b03869-f8dd-4ab7-a004-55b4882f5aa2") }
MongoDB server version: 5.0.9
Note: Cannot determine if automation is active
unixtesttst:PRIMARY> 

  3. Change password in hiera:

mongodb::mongodb_db:
  'unixtest_db':  # DB name
    user     : unixtest
    password : >
      ENC[PKCS7,MIIBeQYJKoZIhvcNA... J] # password is password2
    roles    :
      - dbOwner

  4. Apply the config on the mongo server side. In the puppet client output we have:

    Notice: /Stage[main]/mongodb/Mongodb::Db[unixtest_db]/Mongodb_user[User unixtest on db unixtest_db]/password_hash: defined 'password_hash' as '259ee30be19a726b1e0ce6788ee85822'

  5. Try to log in with a new password (failed):

  6. Try to log in with the old password (successful):

What are you seeing

After Step 1 authentication succeeds. But after changing to another password it fails:

# mongo -u unixtest -p password2 unixtest_db
MongoDB shell version v5.0.9
connecting to: mongodb://127.0.0.1:27017/unixtest_db?compressors=disabled&gssapiServiceName=mongodb
Error: Authentication failed. :
connect@src/mongo/shell/mongo.js:372:17
@(connect):2:6
exception: connect failed
exiting with code 1

Trying to authenticate using the previous password works:

# mongo -u unixtest -p password unixtest_db
MongoDB shell version v5.0.9
connecting to: mongodb://127.0.0.1:27017/unixtest_db?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("def6181d-5cfe-4801-a3bd-51dd9c8a07f0") }
MongoDB server version: 5.0.9
Note: Cannot determine if automation is active
unixtesttst:PRIMARY>

What behaviour did you expect instead

Be able to log in with a new password

Output log

Any additional information you'd like to impart

MongoDB database server: 5.0.9

In the debug messages I see:

Debug: Executing: '/usr/bin/mongo unixtest_db --quiet --host 127.0.0.1:27017 --eval load('/root/.mongorc.js'); db.runCommand({"updateUser":"unixtest","pwd":"2a7a72f6fc32c68fb479e9530e3c50c6","digestPassword":false})'
Notice: /Stage[main]/mongodb/Mongodb::Db[unixtest_db]/Mongodb_user[User unixtest on db unixtest_db]/password_hash: defined 'password_hash' as '2a7a72f6fc32c68fb479e9530e3c50c6' (corrective)

UPDATE

If I make a terminal command from the puppet-agent debug message and run it I get:

# /usr/bin/mongo unixtest_db  --host 127.0.0.1:27017 --eval "load('/root/.mongorc.js'); db.runCommand({'updateUser':'unixtest','pwd':'259ee30be19a726b1e0ce6788ee85822','digestPassword':false})"
MongoDB shell version v5.0.9
connecting to: mongodb://127.0.0.1:27017/unixtest_db?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("c0da39ca-3616-4494-813e-63d594773843") }
MongoDB server version: 5.0.9
{
        "ok" : 0,
        "errmsg" : "Use of SCRAM-SHA-256 requires undigested passwords",
        "code" : 2,
        "codeName" : "BadValue",
        "$clusterTime" : {
                "clusterTime" : Timestamp(1666875789, 1),
                "signature" : {
                        "hash" : BinData(0,"yc1Y+TaxA+0oJ9CjVyU1ymMTkd8="),
                        "keyId" : NumberLong("7124297124161781766")
                }
        },
        "operationTime" : Timestamp(1666875789, 1)
} 

So it tries to use SHA-256 instead of the expected SHA-1.

The problem is solved if we add the mechanism parameter to the command:

# /usr/bin/mongo unixtest_db  --host 127.0.0.1:27017 --eval "load('/root/.mongorc.js'); db.runCommand({'updateUser':'unixtest','pwd':'259ee30be19a726b1e0ce6788ee85822','digestPassword':false,'mechanisms':['SCRAM-SHA-1']})"
MongoDB shell version v5.0.9
connecting to: mongodb://127.0.0.1:27017/unixtest_db?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("ae11303d-f545-4feb-b7b2-ffcfb326e079") }
MongoDB server version: 5.0.9
{
        "ok" : 1,
        "$clusterTime" : {
                "clusterTime" : Timestamp(1666876087, 1),
                "signature" : {
                        "hash" : BinData(0,"SUAD/tTZnG2pmdHrTavtYKT/Ahs="),
                        "keyId" : NumberLong("7124297124161781766")
                }
        },
        "operationTime" : Timestamp(1666876087, 1)
}

After that we can log in with a new password.
Working on the fix.
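
Why the server rejects a digested password for SCRAM-SHA-256 but accepts it for SCRAM-SHA-1, as an added Ruby example that is not part of the issue or of the module's code. The salt, iteration count and helper names are constructed for illustration, and SASLprep is skipped because the sample password is plain ASCII.

```ruby
require 'openssl'
require 'digest'

# Constructed sample values (not taken from a real server).
SALT = 'constructed-salt'.b
ITERATIONS = 10_000

# Legacy MongoDB digest, the form a pre-hashed password_hash has:
# hex MD5 of "<user>:mongo:<password>".
def mongo_password_digest(user, password)
  Digest::MD5.hexdigest("#{user}:mongo:#{password}")
end

def pbkdf2(secret, hash_name, length)
  OpenSSL::PKCS5.pbkdf2_hmac(secret, SALT, ITERATIONS, length, OpenSSL::Digest.new(hash_name))
end

# SCRAM-SHA-1 in MongoDB feeds the MD5 digest into PBKDF2, so a server
# holding only the digest derives the same key as a client that knows
# the cleartext password.
def sha1_key_from_digest(digest)
  pbkdf2(digest, 'SHA1', 20)
end

def sha1_key_from_cleartext(user, password)
  pbkdf2(mongo_password_digest(user, password), 'SHA1', 20)
end

# SCRAM-SHA-256 feeds the cleartext password into PBKDF2, so the digest
# alone cannot produce the key a client will later prove knowledge of.
def sha256_key_from_cleartext(password)
  pbkdf2(password, 'SHA256', 32)
end

# updateUser document for a pre-digested password, pinned to the one
# mechanism that can be derived from it (the workaround in the issue).
def update_user_command(user, digest)
  { 'updateUser' => user, 'pwd' => digest,
    'digestPassword' => false, 'mechanisms' => ['SCRAM-SHA-1'] }
end

digest = mongo_password_digest('unixtest', 'password2')
puts "SHA-1 key derivable from digest:   #{sha1_key_from_digest(digest) == sha1_key_from_cleartext('unixtest', 'password2')}"
puts "SHA-256 key derivable from digest: #{pbkdf2(digest, 'SHA256', 32) == sha256_key_from_cleartext('password2')}"
puts update_user_command('unixtest', digest)
```

Pinning the user to SCRAM-SHA-1 leaves it without SCRAM-SHA-256 credentials; storing both requires sending the cleartext password with digestPassword set to true.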


efoft commented Oct 10, 2022

I can confirm, hit the same issue

makhovaa pushed a commit to makhovaa/puppet-mongodb that referenced this issue Oct 27, 2022
According to issue voxpupuli#649, the module ignores changes in password hashes.
Add the mechanism parameter to the password_hash command
Changed unit test to mongodb_user due to new expected line generated for
password_hash command.
@makhovaa makhovaa linked a pull request Oct 27, 2022 that will close this issue
@JvGinkel JvGinkel linked a pull request Jan 25, 2023 that will close this issue