Loading...

XML

Word

Printable

JSON

Type: Improvement
Resolution: Unresolved
Priority: Major - P3
Fix Version/s: None
Affects Version/s: None
Component/s: Security
Labels:
- platforms-re-triaged

Assigned Teams:

Server Security
Confidence Status:
None
Work Order:
3

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name:
None
Goal Link:
None

Currently, to determine whether a server supports authentication, a driver has to call isMaster to see if the server is an arbiter, and then only initiate authentication if it's not. This will become a problem if isMaster is itself put behind authentication.

Another way would be to make an arbiter return an empty list of supported mechanisms from the saslStart command, which makes sense because currently arbiters do not support any mechanisms. saslStart may need to return if the server is an arbiter.

So instead of:

> db.runCommand({"saslStart" : 1, mechanism : "SCRAM-SHA1"})
{
	"supportedMechanisms" : [
		"MONGODB-CR",
		"MONGODB-X509",
		"SCRAM-SHA-1"
	],
	"ok" : 0,
	"code" : 2,
	"errmsg" : "Unsupported mechanism SCRAM-SHA1"
}

respond

> db.runCommand({"saslStart" : 1, mechanism : "SCRAM-SHA1"})
{
	"supportedMechanisms" : [],
	"ok" : 0,
	"code" : 2,
	"errmsg" : "Unsupported mechanism SCRAM-SHA1"
}

is related to

SERVER-5479 Arbiter in authenticated replica set should allow and require login/auth for admin-only operations

Backlog

SERVER-12143 Make some unauthenticated commands require auth

Closed

Assignee:: [DO NOT USE] Backlog - Security Team
Reporter:: Jeffrey Yemin
Participants:: [DO NOT USE] Backlog - Security Team, David Golden, Jeffrey Yemin
Votes:: 0 Vote for this issue
Watchers:: 8 Start watching this issue

Created:: Oct 09 2014 06:54:14 PM UTC
Updated:: Dec 06 2022 05:00:17 AM UTC

Details

Description

Attachments

Issue Links

Activity

People

Dates