Breaking: Remove support for specifying MONGODB-AWS authentication properties explicitly

XMLWordPrintableJSON

    • Needed
    • Hide

      Summary of necessary driver changes

      • Drivers must remove the ability to specify AWS credentials in the URI or MongoClient options. Drivers may decide to deprecate options in the URI or client options in the manner of their choosing.
      • AWS_ACCESS_KEY_ID must no longer be valid as a username in the URI or as a client option and must raise an exception if provided when the auth mechanism is MONGODB-AWS
      • AWS_SECRET_ACCESS_KEY must no longer be valid as a password in the URI or as a client option and must raise an exception if provided when the auth mechanism is MONGODB-AWS
      • AWS_SESSION_TOKEN must be deprecated in a minor version as an auth mechanism property and then removed in a major.

      Commits for syncing spec/prose tests
      (and/or refer to an existing language POC if needed)

      Context for other referenced/linked tickets

      •  
      Show
      Summary of necessary driver changes Drivers must remove the ability to specify AWS credentials in the URI or MongoClient options. Drivers may decide to deprecate options in the URI or client options in the manner of their choosing. AWS_ACCESS_KEY_ID must no longer be valid as a username in the URI or as a client option and must raise an exception if provided when the auth mechanism is MONGODB-AWS AWS_SECRET_ACCESS_KEY must no longer be valid as a password in the URI or as a client option and must raise an exception if provided when the auth mechanism is MONGODB-AWS AWS_SESSION_TOKEN must be deprecated in a minor version as an auth mechanism property and then removed in a major. Commits for syncing spec/prose tests (and/or refer to an existing language POC if needed) Drivers must sync the legacy auth spec tests (connection-string.yml/json) to https://github.com/mongodb/specifications/commit/2a836942e9d474e0441e97abbfe79890a09a0822 Drivers must remove Case 1 for the MONGODB-AWS prose tests where URI credentials take precedence over other AWS authentication methods. Drivers must update their usage of aws_tester.py in drivers-evergreen-tools to include the --nouri CLI option. Context for other referenced/linked tickets  
    • $i18n.getText("admin.common.words.hide")
      Key Status/Resolution FixVersion
      CDRIVER-6056 Backlog
      CXX-3314 Backlog
      CSHARP-5651 Ready for Work
      GODRIVER-3614 Backlog 3.0.0
      JAVA-5919 Backlog
      NODE-7046 Fixed 7.0.0
      PYTHON-5445 Backlog 5.0
      PHPLIB-1692 Backlog
      RUBY-3686 Backlog 3.0.0
      RUST-2248 Backlog 4.0.0
      $i18n.getText("admin.common.words.show")
      #scriptField, #scriptField *{ border: 1px solid black; } #scriptField{ border-collapse: collapse; } #scriptField td { text-align: center; /* Center-align text in table cells */ } #scriptField td.key { text-align: left; /* Left-align text in the Key column */ } #scriptField a { text-decoration: none; /* Remove underlines from links */ border: none; /* Remove border from links */ } /* Add green background color to cells with FixVersion */ #scriptField td.hasFixVersion { background-color: #00FF00; /* Green color code */ } #scriptField td.willNotDo { background-color: #FF0000; /* Red color code */ } /* Center-align the first row headers */ #scriptField th { text-align: center; } Key Status/Resolution FixVersion CDRIVER-6056 Backlog CXX-3314 Backlog CSHARP-5651 Ready for Work GODRIVER-3614 Backlog 3.0.0 JAVA-5919 Backlog NODE-7046 Fixed 7.0.0 PYTHON-5445 Backlog 5.0 PHPLIB-1692 Backlog RUBY-3686 Backlog 3.0.0 RUST-2248 Backlog 4.0.0

      Summary

      Remove support for specifying MONGODB-AWS authentication properties explicitly from both the connection string and MongoCredential constructor (or equivalent).  The end result would be an API like:

      • Connection string: mongodb+srv://<host>/?authMechanism=MONGODB-AWS
      • MongoCredential constructor: MongoCredential.createAwsCredential()

      As with any breaking API change, the existing API would have to go through a deprecation cycle before it's removed.

      Motivation

      Who is the affected end user?

      Application developers

      How does this affect the end user?

      Application developers are confused by the existing API, where accessKeyId, secretKey, and sessionToken can by explicitly specified in the connection string or MongoCredential constructor.  It's almost never what you want to do in a production setting, since almost everyone wants to use some sort of temporary, expirable credential, and specifying it explicitly doesn't allow for that.  The end result is that authentication initially succeeds, but when the session token expires, it starts to fail, and users are confused.  Then we have to explain to them about the AWS SDK, which they often aren't even aware of despite our documentation, and the result is an unhappy customer that has wasted a lot of time.

      We've even seen cases where customers think they have to recycle their entire MongoClient every few minutes in order to use AWS authentication.

      How likely is it that this problem or use case will occur?

      Fairly likely

      If the problem does occur, what are the consequences and how severe are they?

      Loss of availability when the session token expires is the most likely consequence of mis-use of our current API.

      Is this issue urgent?

      Important but not urgent

      Is this ticket required by a downstream team?

      No

      Is this ticket only for tests?

      No

      Acceptance Criteria

      • Update drivers-evergreen-tools aws_tester.py to accept a new command line argument to not add credentials to the MONGODB_URI. This script when the parameter is set must put the credentials in environment variables. Note in the auth spec that drivers removing the URI credentials feature must update their CI to use the new argument.
      • Update Spec:
        • Update credential fetching order for MONGODB-AWS in the auth spec to remove URI from the first spot.
        • Note in the URI section from the MONGODB-AWS auth section in the auth spec that it is no longer to be present.
        • Note that AWS_SESSION_TOKEN from auth mech properties in the MONGODB-AWS section in the auth spec is to be removed.
        • Add new URI tests for corresponding error conditions and note that drivers implementing this change must skip the legacy connection string auth specs where MONGODB-AWS with credentials are in the URI
      • Add a note on drivers being able to choose how to deprecate the URI options and AWS_SESSION_TOKEN option in their manner of choosing.
      • Create separate drivers ticket to remove the legacy URI MONGODB-AWS tests (DRIVERS-3297)
      • (CLOUDP-349246) Update the connection string/instruction given by the Atlas UI is (currently: mongodb+srv://<AWS access key>:<AWS secret key>@foo.mongodb.net/?authSource=%24external&authMechanism=MONGODB-AWS&retryWrites=true&w=majority&authMechanismProperties=AWS_SESSION_TOKEN:<session token (for AWS IAM Roles)>&appName=test-aws-connection-string).
      • (DOCSP-54437) Update the authMechanism and authMechanismProperties documentation here: https://www.mongodb.com/docs/manual/reference/connection-string-options/#mongodb-urioption-urioption.authMechanism

            Assignee:
            Durran Jordan
            Reporter:
            Jeffrey Yemin
            Daria Pardue Daria Pardue
            Alex Bevilacqua Alex Bevilacqua
            Votes:
            0 Vote for this issue
            Watchers:
            8 Start watching this issue

              Created:
              Updated: