DRIVERS-568

Make some unauthenticated commands require auth


Details

    • Improvement
    • Status: Closed
    • Major - P3
    • Resolution: Won't Fix

    Description

      There are currently 19 commands that do not require authentication. Several of these commands have no use case before a successful authentication has been performed.

      To reduce the unauthenticated API surface without introducing any complexity into the auth system, we should introduce commands that require authentication but not authorization.

      The following commands should only be runnable after a successful authentication (with any user, even a user with no roles):
      availableQueryOptions, buildinfo, copydbgetnonce, features, forceerror, getoptime, isdbgrid, isMaster*, listCommands, logout, whatsmyuri

      *isMaster is used by several drivers before performing any authentication, so this change will require driver adoption.

      The following commands should be kept as they are:
      _isSelf, authenticate, connectionStatus, getLastError, getnonce, getPrevError, ping, resetError
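
The tiering proposed above, modelled as an added example (not code from the ticket or from the MongoDB server): a three-tier command gate, replayed against a driver that sends isMaster before authenticating. `Session`, `gate`, `replay`, the constructed user and the `find` stand-in for a privilege-checked command are assumptions made for illustration.

```python
# Added illustration of the ticket's proposal. The two command lists are taken
# from the ticket; Session, gate() and replay() are hypothetical helpers and
# do not reflect how the server implements its checks.
from dataclasses import dataclass, field
from typing import Optional

# Commands the ticket says should stay runnable before authentication.
PRE_AUTH = {"_isSelf", "authenticate", "connectionStatus", "getLastError",
            "getnonce", "getPrevError", "ping", "resetError"}
# Commands the ticket wants behind authentication but not authorization.
AUTHN_ONLY = {"availableQueryOptions", "buildinfo", "copydbgetnonce",
              "features", "forceerror", "getoptime", "isdbgrid", "isMaster",
              "listCommands", "logout", "whatsmyuri"}

@dataclass
class Session:
    user: Optional[str] = None                     # None until authenticate succeeds
    privileges: set = field(default_factory=set)   # empty set = user with no roles

def gate(session, command, proposed=True):
    """Return 'ok', 'unauthenticated' or 'unauthorized' for one command."""
    if command in PRE_AUTH:
        return "ok"
    if command in AUTHN_ONLY:
        # Current behaviour: open to anyone. Proposed: any logged-in user,
        # with no role lookup at all.
        if not proposed or session.user is not None:
            return "ok"
        return "unauthenticated"
    # Every other command needs authentication and a matching privilege.
    if session.user is None:
        return "unauthenticated"
    return "ok" if command in session.privileges else "unauthorized"

def replay(commands, proposed):
    """Run a connection sequence; 'authenticate' logs in a user with no roles."""
    session, results = Session(), []
    for command in commands:
        outcome = gate(session, command, proposed)
        results.append((command, outcome))
        if command == "authenticate" and outcome == "ok":
            session.user = "constructed-user"      # constructed sample value
    return results

# Constructed sequence: isMaster first, as the ticket says several drivers do.
LEGACY_HANDSHAKE = ["isMaster", "authenticate", "buildinfo", "find"]

if __name__ == "__main__":
    for mode in (False, True):
        print("proposed" if mode else "current ", replay(LEGACY_HANDSHAKE, mode))
```

Under the proposed policy only the first isMaster is rejected, which is the driver-adoption cost the ticket notes; a role-less user can still run buildinfo but not the privilege-checked command.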

            People

              Unassigned Unassigned
              greg.mckeon@mongodb.com Gregory McKeon (Inactive)