Graylog cannot authenticate on MongoDB if password contains the sign + #5680

Closed
frantz45 opened this issue Feb 13, 2019 · 3 comments
@frantz45

Expected Behavior

Graylog should authenticate on MongoDB

Current Behavior

Graylog does not authenticate on MongoDB

Possible Solution

Choose a password without the sign +

Steps to Reproduce (for bugs)

  1. Enable authentication on MongoDB
  2. Restart MongoDB service
  3. Create a MongoDB user with the sign + in the password
  4. Configure mongodb_uri = mongodb://grayloguser:secret+@localhost:27017/graylog
  5. Restart Graylog
  6. Graylog's logs (server.log) say "Authentication failed on MongoDB error code 18"
  7. Try to connect to MongoDB from bash with the same mongodb_uri and it works:
    mongo mongodb://grayloguser:secret+@localhost:27017/graylog

MongoDB doc does not say the sign + needs to be encoded:
If the username or password includes the at sign @, colon :, slash /, or the percent sign % character, use percent encoding.
https://docs.mongodb.com/manual/reference/connection-string/

Context

Puppet automatically chooses a password for the graylog MongoDB user. + was in the charset used.

Your Environment

  • Graylog Version: 2.4.6
  • Elasticsearch Version: 5.6
  • MongoDB Version: 3.6.6
  • Operating System: CentOS 7
  • Browser version: Firefox ESR
@mariussturm
Contributor

Hi @frantz45,
thanks for the report! This is a bug in the mongodb library version we use for 3.0. The issue was already fixed upstream here: mongodb/mongo-java-driver@4a44f05
I have created a PR to get this into Graylog 3.0.1 #5736

@mariussturm mariussturm self-assigned this Feb 28, 2019
@mariussturm
Contributor

@frantz45 unfortunately we can't jump easily to a more recent mongo-java-driver version. For now the user needs to escape plus signs by hand with this string: %2B.

We will add this to the examples in the default configuration.

@bernd
Member

bernd commented Mar 26, 2019

Since we have a (documented #5795) workaround now, I will close this ticket. The underlying issue is not fixed, but will be fixed once we update the MongoDB driver.

@bernd bernd closed this as completed Mar 26, 2019
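
Added example, not part of the original thread or of Graylog's code: a pre-deployment check for generated credentials (such as the Puppet-chosen password described above) that percent-encodes the password, so `+` becomes `%2B`, and flags any `mongodb_uri` whose password reads differently under plain percent-decoding and form-style decoding, where `+` means a space. The function names and the sample config text are constructed for illustration.

```python
from urllib.parse import quote, unquote, unquote_plus

# Constructed sample config text, using the URI from the report above.
SAMPLE_CONF = """\
# constructed sample, not a real server.conf
mongodb_uri = mongodb://grayloguser:secret+@localhost:27017/graylog
"""

def build_mongodb_uri(user, password, host="localhost", port=27017, db="graylog"):
    """Return a mongodb:// URI with user and password fully percent-encoded."""
    # safe="" encodes every reserved character, including + @ : / and %
    return "mongodb://{}:{}@{}:{}/{}".format(
        quote(user, safe=""), quote(password, safe=""), host, port, db)

def raw_password(uri):
    """Return the still-encoded password field, or "" if the URI has no credentials."""
    rest = uri.split("://", 1)[-1]
    if "@" not in rest:
        return ""
    userinfo = rest.rsplit("@", 1)[0]   # everything before the host list
    return userinfo.partition(":")[2]   # text after the first colon

def ambiguous_uris(conf_text):
    """List mongodb_uri values whose password depends on which decoder is used."""
    hits = []
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "mongodb_uri":
            enc = raw_password(value.strip())
            # A literal '+' stays '+' under unquote but becomes ' ' under unquote_plus.
            if unquote(enc) != unquote_plus(enc):
                hits.append(value.strip())
    return hits

if __name__ == "__main__":
    print(ambiguous_uris(SAMPLE_CONF))                   # URIs that need re-encoding
    print(build_mongodb_uri("grayloguser", "secret+"))   # encoded form of the same URI
```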