[SERVER-15588] An arbiter should return an empty list of supported SASL mechanisms - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Backlog
Priority: Major - P3
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: Security
Labels:
- platforms-re-triaged

Assigned Teams:

Security

Description

Currently, to determine whether a server supports authentication, a driver has to call isMaster to see if the server is an arbiter, and then only initiate authentication if it's not. This will become a problem if isMaster is itself put behind authentication.

Another way would be to make an arbiter return an empty list of supported mechanisms from the saslStart command, which makes sense because currently arbiters do not support any mechanisms. saslStart may need to return if the server is an arbiter.

So instead of:

> db.runCommand({"saslStart" : 1, mechanism : "SCRAM-SHA1"})

	"supportedMechanisms" : [

		"MONGODB-CR",

		"MONGODB-X509",

		"SCRAM-SHA-1"

],

	"ok" : 0,

	"code" : 2,

	"errmsg" : "Unsupported mechanism SCRAM-SHA1"

respond

> db.runCommand({"saslStart" : 1, mechanism : "SCRAM-SHA1"})

	"supportedMechanisms" : [],

	"ok" : 0,

	"code" : 2,

	"errmsg" : "Unsupported mechanism SCRAM-SHA1"

Attachments

Issue Links

is related to

SERVER-5479 Arbiter in authenticated replica set should allow and require login/auth for admin-only operations

Backlog

SERVER-12143 Make some unauthenticated commands require auth

Closed

Activity

People

Assignee:: Backlog - Security Team

Reporter:: Jeffrey Yemin

Participants:: Backlog - Security Team, David Golden, Jeffrey Yemin

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: Oct 09 2014 06:54:14 PM UTC

Updated:: Dec 06 2022 05:00:17 AM UTC