DRIVERS-1889

Ability to use different Service Name on the driver for Kerberos Authentication


Details

    • Type: Improvement
    • Resolution: Done
    • Priority: Major - P3
    • MongoDB 2.4.1
      Key          Status/Resolution   FixVersion
      NODE-45      Done
      PYTHON-524   Done                2.6
      PERL-236     Done                0.702.1
      PHP-845      Done                1.5.0, 1.5.0alpha1
      CSHARP-749   Done                1.9
      JAVA-845     Done                2.12.0, 3.0.0
      CDRIVER-220  Done                0.92.0
      RUBY-530     Done                1.10.0, 1.11.0

    Description

      It is desirable for the drivers to support the capability to use an alternative Service Name. This is frequently a requirement of role segregation as mandated by regulations such as Sarbanes-Oxley.

      Kerberos has the notion of a Service Principal Name, or SPN. The SPN consists of a Service Name and a fully qualified domain name (FQDN). So, an example SPN is mongodb/localhost:8920. In this example, the FQDN is localhost:8920 and the Service Name is mongodb.

      The need identified in this ticket is to support an alternative Service Name. In the above example, for instance, it would be to change "mongodb" to "fluffy".

      The Drivers Authentication spec details this here: https://wiki.10gen.com/display/10GEN/Driver+Authentication.

      The two places you'll need to make changes are:

      1. In section 5.1 where we need a map for additional mechanism parameters.
        • in particular, the additional mechanism parameter necessary would be for the service name.
      2. In section 6.1 where we need a way to provide the service on the connection string. It will take the form of "gssapiServiceName" with the value being the service name to use.
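The sketch below is an added illustration, not part of the ticket, the spec, or any driver's code. It reads "gssapiServiceName" from a connection string into a mechanism-parameter map and builds the SPN in the ticket's Service Name/FQDN form. The map key "service_name", the default of "mongodb", the character whitelist, and the sample hosts are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

DEFAULT_SERVICE_NAME = "mongodb"  # assumed default, taken from the ticket's example SPN
# Assumed rule: letters, digits, ".", "_" and "-" only, so the option cannot
# carry "/" or "@" and smuggle a different host or realm into the principal.
_SERVICE_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")

# Constructed sample input; host names and user are illustrative only.
SAMPLE_URI = ("mongodb://user%40EXAMPLE.COM@localhost:8920,db2.example.com:8920/"
              "?authMechanism=GSSAPI&gssapiServiceName=fluffy")


def mechanism_parameters(uri):
    """Return (hosts, params); params is the additional mechanism-parameter map."""
    parts = urlsplit(uri)
    if parts.scheme != "mongodb":
        raise ValueError("not a mongodb:// URI")
    # parse_qs percent-decodes values, so validation sees the decoded name.
    options = parse_qs(parts.query, keep_blank_values=True)
    mechanism = options.get("authMechanism", [""])[-1]
    params = {}
    if "gssapiServiceName" in options:
        if mechanism != "GSSAPI":
            raise ValueError("gssapiServiceName requires authMechanism=GSSAPI")
        name = options["gssapiServiceName"][-1]
        if not _SERVICE_NAME_RE.match(name):
            raise ValueError("invalid service name: %r" % name)
        params["service_name"] = name  # hypothetical key name
    elif mechanism == "GSSAPI":
        params["service_name"] = DEFAULT_SERVICE_NAME
    # Drop the credentials part, keep each host[:port] of the seed list.
    hosts = parts.netloc.rpartition("@")[2].split(",")
    return hosts, params


def service_principals(uri):
    """Build one SPN per seed host, in the ticket's ServiceName/FQDN form."""
    hosts, params = mechanism_parameters(uri)
    if "service_name" not in params:
        return []  # GSSAPI not requested, no SPN needed
    return ["%s/%s" % (params["service_name"], host) for host in hosts]


if __name__ == "__main__":
    print(service_principals(SAMPLE_URI))
```

Because the service name is validated after percent-decoding, a value such as "fluffy%2Fother-host" is rejected instead of silently changing which principal the client requests a ticket for.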

          People

            Assignee: Unassigned
            Reporter: Barrie Segal (barrie)