[DRIVERS-568] Make some unauthenticated commands require auth - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major - P3
Resolution: Won't Fix
Fix Version/s: None
Component/s: None
Labels:
None

Description

There are currently 19 commands that do not require authentication. Several of these commands has no use case before an successful authentication has been performed.

To reduce the unauthenticated API surface without introducing any complexity into the auth system we should introduce commands that require authentication but not authorization.

The following commands should only be runnable after a successful authentication (with any user, even a user with no roles):
availableQueryOptions, buildinfo, copydbgetnonce, features, forceerror, getoptime, isdbgrid, isMaster*, listCommands, logout, whatsmyuri

*isMaster is used by several drivers before performing any authentication so this change will require driver adoption.

The following commands should be kept as they are:
_isSelf, authenticate, connectionStatus, getLastError, getnonce, getPrevError, ping, resetError

Attachments

Issue Links

depends on

SERVER-12143 Make some unauthenticated commands require auth

Closed

Activity

People

Assignee:: Unassigned

Reporter:: Gregory McKeon (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: Aug 24 2018 08:21:42 PM UTC

Updated:: Sep 10 2019 02:14:54 PM UTC

Resolved:: Sep 10 2019 02:14:54 PM UTC