-
Type: Improvement
-
Resolution: Unresolved
-
Priority: Major - P3
-
None
-
Affects Version/s: None
-
Component/s: Security
-
Server Security
Currently, to determine whether a server supports authentication, a driver has to call isMaster to see if the server is an arbiter, and then only initiate authentication if it's not. This will become a problem if isMaster is itself put behind authentication.
Another way would be for an arbiter to return an empty list of supported mechanisms from the saslStart command, which makes sense because arbiters currently do not support any mechanisms. saslStart may also need to return whether the server is an arbiter.
So instead of:
> db.runCommand({"saslStart" : 1, mechanism : "SCRAM-SHA1"})
{ "supportedMechanisms" : [ "MONGODB-CR", "MONGODB-X509", "SCRAM-SHA-1" ], "ok" : 0, "code" : 2, "errmsg" : "Unsupported mechanism SCRAM-SHA1" }

respond with:

> db.runCommand({"saslStart" : 1, mechanism : "SCRAM-SHA1"})
{ "supportedMechanisms" : [], "ok" : 0, "code" : 2, "errmsg" : "Unsupported mechanism SCRAM-SHA1" }
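The driver-side decision the proposal enables, as an added example that is not part of this ticket or of any MongoDB driver: the first saslStart reply is used to pick a mechanism, or to skip authentication entirely when the server advertises none, with the isMaster check kept only as a fallback for servers that do not list mechanisms. The preference order and the reply documents are constructed here (the replies mirror the two transcripts above); the field names are the real saslStart and isMaster fields.

```python
# Added example (not MongoDB driver code): choose an auth mechanism from the
# saslStart reply, or skip auth when the server advertises no mechanisms.

# Driver preference order (assumed): strongest first.
PREFERRED = ["SCRAM-SHA-1", "MONGODB-CR"]

# Constructed replies mirroring the ticket's before/after transcripts.
NON_ARBITER_REPLY = {"supportedMechanisms": ["MONGODB-CR", "MONGODB-X509", "SCRAM-SHA-1"],
                     "ok": 0, "code": 2, "errmsg": "Unsupported mechanism SCRAM-SHA1"}
ARBITER_REPLY = {"supportedMechanisms": [], "ok": 0, "code": 2,
                 "errmsg": "Unsupported mechanism SCRAM-SHA1"}


def negotiate_auth(probe_mechanism, sasl_start_reply, ismaster_reply=None):
    """Return (should_authenticate, mechanism, reason).

    probe_mechanism:  the mechanism named in the first saslStart attempt.
    sasl_start_reply: the server's reply to that attempt.
    ismaster_reply:   fallback for servers that do not advertise mechanisms;
                      only isMaster's arbiterOnly flag is consulted.
    """
    if sasl_start_reply.get("ok") == 1:
        # The probe started a SASL conversation: continue with that mechanism.
        return True, probe_mechanism, "probe accepted"
    mechs = sasl_start_reply.get("supportedMechanisms")
    if mechs is None:
        # Older server that lists no mechanisms: this is the isMaster check the
        # ticket wants to retire, and it breaks once isMaster itself needs auth.
        if ismaster_reply is None:
            raise ValueError("legacy server: need isMaster to detect an arbiter")
        if ismaster_reply.get("arbiterOnly"):
            return False, None, "arbiter (isMaster.arbiterOnly)"
        return True, PREFERRED[0], "legacy server, fall back to driver default"
    if not mechs:
        # Proposed behaviour: an arbiter returns [] so the driver skips auth
        # without ever having to call isMaster.
        return False, None, "arbiter (no supported mechanisms)"
    for mech in PREFERRED:
        if mech in mechs:
            return True, mech, "selected from supportedMechanisms"
    raise ValueError("no mutually supported mechanism in %r" % (mechs,))
```

Note that the misspelt probe mechanism "SCRAM-SHA1" from the transcripts is corrected by the negotiation itself, because the driver picks from the server's advertised list rather than retrying its own guess.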
- is related to
  - SERVER-5479 Arbiter in authenticated replica set should allow and require login/auth for admin-only operations (Backlog)
  - SERVER-12143 Make some unauthenticated commands require auth (Closed)