Uploaded image for project: 'Drivers'
  1. Drivers
  2. DRIVERS-1463

Support authentication credential rotation

    • Type: Icon: Epic Epic
    • Resolution: Won't Do
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Component/s: Security
    • None
    • Not Needed
    • To Do
    • Support authentication credential rotation
    • 100
    • $i18n.getText("admin.common.words.hide")
      Key Status/Resolution FixVersion
      JAVA-3896 Won't Do
      $i18n.getText("admin.common.words.show")
      #scriptField, #scriptField *{ border: 1px solid black; } #scriptField{ border-collapse: collapse; } #scriptField td { text-align: center; /* Center-align text in table cells */ } #scriptField td.key { text-align: left; /* Left-align text in the Key column */ } #scriptField a { text-decoration: none; /* Remove underlines from links */ border: none; /* Remove border from links */ } /* Add green background color to cells with FixVersion */ #scriptField td.hasFixVersion { background-color: #00FF00; /* Green color code */ } /* Center-align the first row headers */ #scriptField th { text-align: center; } Key Status/Resolution FixVersion JAVA-3896 Won't Do

      The driver should provide support for rotating authentication credentials:

      • The customer may opt to rotate a specific credential (a password, client keytab, or a re-issued client certificate - when your private key will be the old one or a new one and the certificate will always be updated), or both the username and its credential
      • Drivers must support authentication hooks/override methods to handle custom logic. For example: when an external vault processes the password change, it will have a delay before the SCRAM / PLAIN password gets changed in the MongoDB Server / LDAP server. The customer-provided code will take care of this.
      • Once a MongoDB connection went through the authentication step, the driver no longer needs a credential. However, we must allow for customers to choose between two following scenarios: a) drain the existing connections ASAP and create a bunch of new ones using a new credential; b) keep the existing connections as long as needed, potentially until the next restart of the MongoDB Server instance or until the application code decides to re-authenticate using them.

            Assignee:
            rachelle.palmer@mongodb.com Rachelle Palmer
            Reporter:
            frank.derwin@mongodb.com Frank Derwin (Inactive)
            Votes:
            1 Vote for this issue
            Watchers:
            9 Start watching this issue

              Created:
              Updated:
              Resolved: