An arbiter should return an empty list of supported SASL mechanisms


    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Major - P3
    • Affects Version/s: None
    • Component/s: Security
    • Server Security

      Currently, to determine whether a server supports authentication, a driver has to call isMaster to see if the server is an arbiter, and then only initiate authentication if it's not. This will become a problem if isMaster is itself put behind authentication.

      Another way would be to make an arbiter return an empty list of supported mechanisms from the saslStart command, which makes sense because currently arbiters do not support any mechanisms. saslStart may need to return if the server is an arbiter.

      So instead of:

      > db.runCommand({"saslStart" : 1, mechanism : "SCRAM-SHA1"})
      {
      	"supportedMechanisms" : [
      		"MONGODB-CR",
      		"MONGODB-X509",
      		"SCRAM-SHA-1"
      	],
      	"ok" : 0,
      	"code" : 2,
      	"errmsg" : "Unsupported mechanism SCRAM-SHA1"
      }
      

      respond

      > db.runCommand({"saslStart" : 1, mechanism : "SCRAM-SHA1"})
      {
      	"supportedMechanisms" : [],
      	"ok" : 0,
      	"code" : 2,
      	"errmsg" : "Unsupported mechanism SCRAM-SHA1"
      }
      

              Assignee: [DO NOT USE] Backlog - Security Team
              Reporter: Jeffrey Yemin
              Votes: 0
              Watchers: 8
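
A sketch of how a driver could act on the `saslStart` replies shown in the ticket, added here as an example and not taken from the ticket or from any MongoDB driver. `plan_auth`, its return values and the `allowed` policy list are hypothetical names; the two sample replies are constructed from the output above.

```python
# Added example: hypothetical driver-side handling of a saslStart reply.
# Nothing here is MongoDB driver API; all names are assumptions.

class NoCommonMechanism(Exception):
    """Server advertises mechanisms, but none that client policy allows."""

# Sample replies constructed from the two shell outputs in the ticket.
CURRENT_REPLY = {
    "supportedMechanisms": ["MONGODB-CR", "MONGODB-X509", "SCRAM-SHA-1"],
    "ok": 0, "code": 2, "errmsg": "Unsupported mechanism SCRAM-SHA1",
}
PROPOSED_ARBITER_REPLY = {
    "supportedMechanisms": [],
    "ok": 0, "code": 2, "errmsg": "Unsupported mechanism SCRAM-SHA1",
}

def plan_auth(reply, allowed):
    """Decide what to do after probing with saslStart.

    reply   -- the server's reply document (a dict)
    allowed -- mechanisms the client accepts, most preferred first
    Returns ("auth", mechanism), ("skip", None) or ("probe", None).
    """
    mechs = reply.get("supportedMechanisms")
    if mechs is None:
        # Field absent: the server does not implement the proposal, so the
        # driver still needs its existing isMaster-based arbiter check.
        return ("probe", None)
    if not isinstance(mechs, list) or not all(isinstance(m, str) for m in mechs):
        raise ValueError("malformed supportedMechanisms: %r" % (mechs,))
    if not mechs:
        # Proposed arbiter behaviour: no mechanisms, so send no credentials.
        # The connection is unauthenticated and must be treated as such.
        return ("skip", None)
    # Iterate in the client's order so the server's list ordering cannot
    # steer the choice toward a mechanism the client ranks lower.
    for mech in allowed:
        if mech in mechs:
            return ("auth", mech)
    raise NoCommonMechanism(
        "server offers %s, client allows %s" % (mechs, list(allowed)))

if __name__ == "__main__":
    policy = ["SCRAM-SHA-1", "MONGODB-CR"]  # assumed client policy
    print(plan_auth(CURRENT_REPLY, policy))
    print(plan_auth(PROPOSED_ARBITER_REPLY, policy))
```

Raising on "no common mechanism" instead of returning "skip" keeps a data-bearing server with a mismatched mechanism list from being handled like an arbiter.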
