Info
I'm able to easily reproduce the issue from SERVER-58591 on v6.0:
{"t":{"$date":"2022-09-06T17:15:51.971+10:00"},"s":"I", "c":"ACCESS", "id":5286202, "ctx":"conn24","msg":"Different user name was supplied to saslSupportedMechs","attr":{"error":{"code":17,"codeName":"ProtocolError","errmsg":"Attempt to switch database target during SASL authentication from __system@local to @$external"}}}
{"t":{"$date":"2022-09-06T17:15:51.971+10:00"},"s":"I", "c":"ACCESS", "id":20429, "ctx":"conn24","msg":"Successfully authenticated","attr":{"client":"127.0.0.1:34638","mechanism":"MONGODB-X509","user":"CN=*.domain.net,OU=mongodb,O=MongoDB,L=Sydney,ST=NSW,C=AU","db":"$external"}}
I don't think there is anything wrong with the config as user connections are not required for the issue to manifest.
This looks to be a benign issue as I don't see any functional problems with how the cluster is operating. But the fact that it is raised as an error is concerning the users.
Top User Comments
spencer.jackson@10gen.com commented on Tue, 25 Oct 2022 16:41:06 +0000:
I just did some digging into SERVER-70242 and realized that these are probably the same issue. I'm going to close this ticket in favor of SERVER-70242, because that ticket has root cause and potential mitigations in its description.
Steps to Reproduce
1. Create cluster
mlaunch init --replicaset --nodes 1 --sharded 1 --config 1 --csrs --tlsCAFile CA.pem --tlsMode preferTLS --tlsCertificateKeyFile server.pem --bind_ip_all --clusterAuthMode x509 --setParameter authenticationMechanisms=PLAIN,SCRAM-SHA-256,SCRAM-SHA-1
2. Connect:
mongo --tls --tlsCertificateKeyFile server.pem --tlsCAFile CA.pem --authenticationMechanism MONGODB-X509 --authenticationDatabase '$external'
3. In my case mlaunch is failing to add the shard, so I need to run the following manually:
sh.addShard("shard01/localhost:27018")
4. In the log of the shard process, observe the error as in the description. User connections are not required.
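For triaging these entries across a larger log, the following added example (not part of the ticket and not MongoDB code) pairs each id 5286202 mismatch with a later id 20429 successful authentication on the same `ctx`, which is the pattern shown in the description. The function names, the 2-second window and the `conn31` sample line are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta

MISMATCH_ID = 5286202  # "Different user name was supplied to saslSupportedMechs"
AUTH_OK_ID = 20429     # "Successfully authenticated"

# Constructed sample: conn24 mirrors the two entries quoted in the ticket;
# conn31 is an invented mismatch that no successful login follows.
SAMPLE_LOG = r'''
{"t":{"$date":"2022-09-06T17:15:51.971+10:00"},"s":"I","c":"ACCESS","id":5286202,"ctx":"conn24","msg":"Different user name was supplied to saslSupportedMechs","attr":{"error":{"code":17,"codeName":"ProtocolError","errmsg":"Attempt to switch database target during SASL authentication from __system@local to @$external"}}}
{"t":{"$date":"2022-09-06T17:15:51.971+10:00"},"s":"I","c":"ACCESS","id":20429,"ctx":"conn24","msg":"Successfully authenticated","attr":{"client":"127.0.0.1:34638","mechanism":"MONGODB-X509","user":"CN=*.domain.net,OU=mongodb,O=MongoDB,L=Sydney,ST=NSW,C=AU","db":"$external"}}
{"t":{"$date":"2022-09-06T17:16:02.100+10:00"},"s":"I","c":"ACCESS","id":5286202,"ctx":"conn31","msg":"Different user name was supplied to saslSupportedMechs","attr":{"error":{"code":17,"codeName":"ProtocolError","errmsg":"constructed sample error text"}}}
'''

def parse_ts(entry):
    # mongod writes ISO-8601 timestamps; map a trailing "Z" for older Pythons.
    return datetime.fromisoformat(entry["t"]["$date"].replace("Z", "+00:00"))

def triage(log_text, window=timedelta(seconds=2)):
    """Classify each mismatch by whether the same connection (ctx)
    authenticates successfully within `window` afterwards."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or non-JSON line
        if not isinstance(entry, dict) or entry.get("c") != "ACCESS":
            continue
        ctx, attr = entry.get("ctx"), entry.get("attr", {})
        if entry.get("id") == MISMATCH_ID:
            pending[ctx] = (parse_ts(entry), attr.get("error", {}).get("errmsg"))
        elif entry.get("id") == AUTH_OK_ID and ctx in pending:
            seen, errmsg = pending.pop(ctx)
            if parse_ts(entry) - seen <= window:
                findings.append({"ctx": ctx, "status": "followed_by_auth",
                                 "mechanism": attr.get("mechanism"),
                                 "user": attr.get("user"), "errmsg": errmsg})
            else:
                findings.append({"ctx": ctx, "status": "unpaired", "errmsg": errmsg})
    # Mismatches never followed by a login on the same connection.
    findings += [{"ctx": c, "status": "unpaired", "errmsg": m}
                 for c, (_, m) in pending.items()]
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Entries reported as `unpaired` do not match the sequence in this ticket and are the ones to review separately.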