DRIVERS-166

Implement the SCRAM-SHA-1 SASL Mechanism

    • Type: Task
    • Resolution: Done
    • Priority: Major - P3
    • Component/s: None
    • Labels: None
      Key          Status/Resolution  FixVersion
      CSHARP-990   Done               1.10
      PYTHON-706   Done               2.8, 3.0
      JAVA-828     Done               2.13.0, 3.0.0
      CDRIVER-404  Done               1.1.0
      RUBY-791     Done               1.12, 2.0.0
      NODE-230     Done               2.0, 1.4.11, 1.4.13
      PERL-408     Done               0.706.0.0, 1.0.0
      PHP-1161     Done               1.6.0RC1, 1.6.0
      CXX-298      Done               legacy-1.0.0-rc1
      JAVA-1461    Done               2.13.0, 3.0.0
      PYTHON-764   Done               2.8, 3.0

      Server 2.8 will be implementing SCRAM-SHA-1 as a new authentication mechanism. Eventually, it will become the default mechanism in the server and MONGODB-CR will be removed.

      As such, all drivers will need to support SCRAM-SHA-1 for the 2.8 release. RFC 5802 describes the mechanism and how it should be implemented.

      To support authentication upgrades from older versions of MongoDB to 2.8, drivers will use the following algorithm:

      • If the application specifies a particular authMechanism (e.g. MONGODB-CR) the driver will continue to honor it.
      • If the application provides a user and password, or calls the driver's authenticate method, but provides no explicit authMechanism, the following applies:
        • The server's maxWireVersion is being bumped to 3 for MongoDB 2.8 (see SERVER-15330)
        • If the server's maxWireVersion >= 3 the driver will use SCRAM-SHA-1 (i.e. the driver's default mechanism is SCRAM-SHA-1)
        • If the server's maxWireVersion < 3 the driver will use MONGODB-CR (i.e. the driver's default mechanism remains MONGODB-CR)

      MongoDB 2.8 will always support SCRAM-SHA-1 if at least MONGODB-CR was specified in --authenticationMechanisms, so drivers do not have to "try and fall back". If SCRAM credentials don't yet exist for a user, the server will create them on-the-fly when the driver uses SCRAM-SHA-1 as the mechanism.

      Note - RFC 5802 SCRAM is relatively new (2010). The version of cyrus-sasl that ships with RHEL/CentOS 5/6 and Amazon Linux (2.1.23) does not support SCRAM at all. Drivers cannot use cyrus-sasl to implement SCRAM-SHA-1 and will have to write native implementations. If your language runtime or standard library provides an implementation of HMAC and SHA1, this is not difficult following the RFC. See the Python driver implementation for one example.
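
The client side of the RFC 5802 computation that the note above refers to, built only from HMAC, SHA-1 and PBKDF2. This is an added example, not code from the ticket or from any MongoDB driver; the function names are assumptions, and it covers a plain RFC 5802 exchange only (no channel binding, ASCII password with SASLprep omitted), using the sample exchange from the RFC.

```python
import base64
import hashlib
import hmac

def parse(msg):
    """Split a SCRAM message into its comma-separated k=value attributes."""
    return dict(part.split("=", 1) for part in msg.split(","))

def client_final(password, client_nonce, client_first_bare, server_first):
    """Return (client-final-message, expected ServerSignature bytes)."""
    attrs = parse(server_first)
    nonce, salt, iters = attrs["r"], base64.b64decode(attrs["s"]), int(attrs["i"])
    # The combined nonce must extend ours, otherwise the reply is not fresh.
    if not nonce.startswith(client_nonce) or nonce == client_nonce:
        raise ValueError("server nonce does not extend the client nonce")
    # Hi(password, salt, i) in RFC 5802 is PBKDF2-HMAC-SHA1 with a 20-byte output.
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("ascii"), salt, iters)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    without_proof = "c=biws,r=" + nonce  # "biws" = base64("n,,"): no channel binding
    auth_message = ",".join([client_first_bare, server_first, without_proof]).encode()
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    proof = bytes(k ^ s for k, s in zip(client_key, client_sig))
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    server_sig = hmac.new(server_key, auth_message, hashlib.sha1).digest()
    return without_proof + ",p=" + base64.b64encode(proof).decode(), server_sig

def verify_server_final(server_final, expected_sig):
    """Constant-time check of the server's v= attribute (mutual authentication)."""
    attrs = parse(server_final)
    if "v" not in attrs:  # an e= attribute means the server reported an error
        return False
    return hmac.compare_digest(base64.b64decode(attrs["v"]), expected_sig)

if __name__ == "__main__":
    # Sample exchange from the RFC 5802 example (user "user", password "pencil").
    c_nonce = "fyko+d2lbbFgONRv9qkxdawL"
    s_first = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096"
    final, sig = client_final("pencil", c_nonce, "n=user,r=" + c_nonce, s_first)
    print(final)
    print(verify_server_final("v=rmF9pqV8S7suAoZWja4dJRkFsKQ=", sig))
```

A driver should treat a failed `verify_server_final` as an authentication failure even when the server accepted the client proof, since that check is what authenticates the server to the client.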

            Assignee: Craig Wilson (craig.wilson@mongodb.com)
            Reporter: Craig Wilson (craig.wilson@mongodb.com)
            Votes: 0
            Watchers: 15

              Created:
              Updated:
              Resolved: