Don't mask authentication failure details.

These changes should make it easier to debug kerberos configuration issues on the client and server.

Author: behackett

doc/changelog.rst

@@ -13,6 +13,10 @@ Important new features:
 - Support for delegated and role based authentication.
 - New GEOSPHERE (2dsphere) and HASHED index constants.
 
+.. note:: :meth:`~pymongo.database.Database.authenticate` now raises a
+ subclass of :class:`~pymongo.errors.PyMongoError` if authentication
+ fails due to invalid credentials or configuration issues.
+
 Issues Resolved
 ...............
 

pymongo/auth.py

@@ -28,7 +28,7 @@
  HAVE_KERBEROS = False
 
 from bson.son import SON
-from pymongo.errors import OperationFailure
+from pymongo.errors import ConfigurationError, OperationFailure
 
 
 MECHANISMS = ('MONGODB-CR', 'GSSAPI')
@@ -164,8 +164,8 @@ def authenticate(credentials, sock_info, cmd_func):
  # Use a dict for this when we support more mechanisms.
  if mechanism == 'GSSAPI':
  if not HAVE_KERBEROS:
- raise OperationFailure('The "kerberos" module must be '
- 'installed to use GSSAPI authentication.')
+ raise ConfigurationError('The "kerberos" module must be '
+  'installed to use GSSAPI authentication.')
  _authenticate_gssapi(username, sock_info, cmd_func)
  else:
  _authenticate_mongo_cr(username, password, source, sock_info, cmd_func)

pymongo/database.py

@@ -704,6 +704,12 @@ def authenticate(self, name, password=None,
  :data:`~pymongo.auth.MECHANISMS` for options.
  Defaults to MONGODB-CR (MongoDB Challenge Response protocol)
 
+ .. versionchanged:: 2.5
+ Added the `source` and `mechanism` parameters. :meth:`authenticate`
+ now raises a subclass of :class:`~pymongo.errors.PyMongoError` if
+ authentication fails due to invalid credentials or configuration
+ issues.
+
  .. mongodoc:: authenticate
  """
  if not isinstance(name, basestring):
@@ -717,13 +723,10 @@ def authenticate(self, name, password=None,
  "of %s" % (basestring.__name__,))
  common.validate_auth_mechanism('mechanism', mechanism)
 
- try:
- credentials = (source or self.name, unicode(name),
- password and unicode(password) or None, mechanism)
- self.connection._cache_credentials(self.name, credentials)
- return True
- except OperationFailure:
- return False
+ credentials = (source or self.name, unicode(name),
+ password and unicode(password) or None, mechanism)
+ self.connection._cache_credentials(self.name, credentials)
+ return True
 
  def logout(self):
  """Deauthorize use of this database for this client instance.

pymongo/mongo_client.py

@@ -350,8 +350,8 @@ def __init__(self, host=None, port=None, max_pool_size=10,
  unicode(password), mechanism)
  try:
  self._cache_credentials(source, credentials)
- except OperationFailure:
- raise ConfigurationError("authentication failed")
+ except OperationFailure, exc:
+ raise ConfigurationError(str(exc))
 
  def _cached(self, dbname, coll, index):
  """Test if `index` is cached.

pymongo/mongo_replica_set_client.py

@@ -530,8 +530,8 @@ def __init__(self, hosts_or_uri=None, max_pool_size=10,
  unicode(password), mechanism)
  try:
  self._cache_credentials(source, credentials)
- except OperationFailure:
- raise ConfigurationError("authentication failed")
+ except OperationFailure, exc:
+ raise ConfigurationError(str(exc))
 
  # Start the monitor after we know the configuration is correct.
  if monitor_class:

test/test_auth.py

@@ -240,8 +240,9 @@ def test_delegated_auth(self):
  self.assertRaises(OperationFailure,
  self.client.pymongo_test2.foo.find_one)
  # Auth must occur on the db where the user is defined.
- self.assertFalse(self.client.pymongo_test2.authenticate('user',
- 'pass'))
+ self.assertRaises(OperationFailure,
+ self.client.pymongo_test2.authenticate,
+ 'user', 'pass')
  # Auth directly
  self.assertTrue(self.client.pymongo_test.authenticate('user', 'pass'))
  self.assertTrue(self.client.pymongo_test2.foo.find_one())

test/test_database.py

@@ -319,22 +319,27 @@ def test_authenticate_add_remove_user(self):
  self.assertRaises(TypeError, db.authenticate, 5, "password")
  self.assertRaises(TypeError, db.authenticate, "mike", 5)
 
- self.assertFalse(db.authenticate("mike", "not a real password"))
- self.assertFalse(db.authenticate("faker", "password"))
+ self.assertRaises(OperationFailure,
+ db.authenticate, "mike", "not a real password")
+ self.assertRaises(OperationFailure,
+ db.authenticate, "faker", "password")
  self.assertTrue(db.authenticate("mike", "password"))
  self.assertTrue(db.authenticate(u"mike", u"password"))
  db.logout()
 
  db.remove_user("mike")
- self.assertFalse(db.authenticate("mike", "password"))
+ self.assertRaises(OperationFailure,
+ db.authenticate, "mike", "password")
 
- self.assertFalse(db.authenticate("Gustave", u"Dor\xe9"))
+ self.assertRaises(OperationFailure,
+ db.authenticate, "Gustave", u"Dor\xe9")
  db.add_user("Gustave", u"Dor\xe9")
  self.assertTrue(db.authenticate("Gustave", u"Dor\xe9"))
  db.logout()
 
  db.add_user("Gustave", "password")
- self.assertFalse(db.authenticate("Gustave", u"Dor\xe9"))
+ self.assertRaises(OperationFailure,
+ db.authenticate, "Gustave", u"Dor\xe9")
  self.assertTrue(db.authenticate("Gustave", u"password"))
  db.logout()