Type: Epic
Resolution: Won't Do
Priority: Major - P3
Component/s: Security

Support authentication credential rotation

The driver should provide support for rotating authentication credentials:
- The customer may opt to rotate a specific credential (a password, a client keytab, or a re-issued client certificate, where the private key may be the old one or a new one but the certificate is always updated), or both the username and its credential.
- Drivers must support authentication hooks/override methods to handle custom logic. For example: when an external vault processes the password change, there will be a delay before the SCRAM / PLAIN password gets changed in the MongoDB Server / LDAP server. The customer-provided code will take care of this.
- Once a MongoDB connection has gone through the authentication step, the driver no longer needs a credential. However, we must allow customers to choose between the following two scenarios: a) drain the existing connections ASAP and create a bunch of new ones using a new credential; b) keep the existing connections as long as needed, potentially until the next restart of the MongoDB Server instance or until the application code decides to re-authenticate using them.

Split to: JAVA-3896 Support authentication credential rotation (Closed)
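
An added example, not part of the ticket or of any MongoDB driver: a toy Python model of the requirements above, with a customer-supplied credential hook that covers the window where the vault has rotated but the server has not, and the two pool behaviours (drain versus keep). `Credential`, `FakeServer`, `Pool`, the `rotate` policy names and the sample passwords are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List

@dataclass(frozen=True)
class Credential:
    username: str
    password: str

class FakeServer:
    """Stand-in for the server/LDAP side: accepts exactly one credential at a time."""
    def __init__(self, accepted: Credential):
        self.accepted = accepted
    def authenticate(self, cred: Credential) -> bool:
        return cred == self.accepted

@dataclass
class Connection:
    authed_with: Credential  # recorded for the demo only; unused after authentication

class Pool:
    """Hypothetical pool, not a real driver API."""
    def __init__(self, server: FakeServer,
                 provider: Callable[[], Iterable[Credential]], size: int = 3):
        self.server, self.provider, self.size = server, provider, size
        self.conns: List[Connection] = [self._connect() for _ in range(size)]

    def _connect(self) -> Connection:
        # Hook: customer code returns candidates in preference order, which
        # covers the delay between the vault rotating and the server changing.
        for cred in self.provider():
            if self.server.authenticate(cred):
                return Connection(cred)
        raise PermissionError("no candidate credential accepted")

    def rotate(self, policy: str) -> None:
        if policy == "drain":    # scenario a: replace every connection now
            self.conns = [self._connect() for _ in range(self.size)]
        elif policy != "keep":   # scenario b: authenticated connections stay as they are
            raise ValueError(policy)

def demo():
    old, new = Credential("app", "old-pw"), Credential("app", "new-pw")  # constructed values
    server = FakeServer(old)
    vault = {"current": old, "previous": None}
    provider = lambda: [c for c in (vault["current"], vault["previous"]) if c]
    keep, drain = Pool(server, provider), Pool(server, provider)
    vault.update(current=new, previous=old)  # vault rotated, server still lagging
    lag_conn = keep._connect()               # succeeds through the fallback candidate
    server.accepted = new                    # server catches up
    keep.rotate("keep"); drain.rotate("drain")
    return (lag_conn.authed_with, {c.authed_with for c in keep.conns},
            {c.authed_with for c in drain.conns})
```

After `demo()`, the kept pool still holds connections authenticated with the old credential, which is exactly the state scenario b accepts and scenario a eliminates.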