Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-10683

Support Kerberos authentication for split, cross-realm domain environments



    • Type: New Feature
    • Status: Open
    • Priority: Major - P3
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: Backlog
    • Component/s: Security
    • Labels:
    • Environment:
      Windows, Linux


      MongoDB servers currently support cross-realm authentication in the sense that a user must be defined in the system.users collection for each domain they may authenticate and hold a credential for. For example, if you have a MongoDB server in the DOMAIN.COM realm, and a user, "u" can login into in the DOMAIN.COM and OTHER.DOMAIN.COM realms, user documents

      { user: "u@OTHER.DOMAIN.COM", userSource: "$external", ... }


      { user: "u@DOMAIN.COM", userSource: "$external", ... }

      must exist in the system.users collection for "u" to authenticate successfully and acquire privileges to perform operations. This creates the potential for the same user, "u" in this case, to exist on the same database with different roles and privileges.

      There a several options available for solving this problem:
      1. Support mapping multiple Kerberos principals to a single MongoDB user.

      2. Support realm/domain as a multi-valued field within the user document so that multiple, but not necessarily all, realms are accepted as an identity in the authentication phase.

      3. Leverage user-defined roles (2.6 and higher) to map user to a defined set of privileges. Changes in user privileges are made only to the role. This lessens the the chance of an out of sync condition but still requires multiple user entries, which is the crux of the issue for admins managing large numbers of users.

      4. Other options.




            • Votes:
              0 Vote for this issue
              5 Start watching this issue


              • Created: