Core Server / SERVER-32974

Enhance createUser and updateUser to support SCRAM-SHA-256

    • Type: Improvement
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 3.7.3
    • Affects Version/s: None
    • Component/s: Admin, Security
    • Labels: None
    • Backwards Compatibility: Minor Change

      Add the string "SCRAM-SHA-256" to the authenticationMechanisms setParameter.

      Both createUser and updateUser will be given a new optional argument, mechanisms, which accepts an array of strings. "SCRAM-SHA-1" and "SCRAM-SHA-256" are the permissible values in this array. The argument lets administrators control which mechanisms may be used to authenticate as a given user: administrators testing their applications, or working toward compliance goals, can configure users to support different subsets of mechanisms, or remove support for particular mechanisms.

      The mechanisms argument may only be used when the featureCompatibilityVersion (FCV) is 3.7. When the FCV is not 3.7, createUser and updateUser only produce SCRAM-SHA-1 credentials.

      When either createUser or updateUser would generate a user document containing SCRAM-SHA-256 credentials, it shall first ensure that the user's username is already in SASLPrep-prepared form as a stored string. If the username has not been properly prepared, the command shall return an error. This check is not gated on FCV: if the server is not in FCV 3.7 but would otherwise have generated SCRAM-SHA-256 credentials, the commands still return an error when the supplied user name has not been properly prepared.
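The username check described above, as an added example that is not part of this ticket or of the MongoDB server code: a Node.js approximation of the rule that a SCRAM-SHA-256 username must already be in SASLPrep (RFC 4013) form, meaning that preparing it returns it unchanged. The function names `saslPrep` and `checkScramSha256Username`, the error strings, and the sample usernames are all constructed here; the mapping covers the common RFC 3454 tables only (characters mapped to nothing, non-ASCII spaces, NFKC, control characters) and omits the remaining prohibited tables and the bidi rules.

```javascript
// Added example, not MongoDB server code: a simplified SASLPrep readiness
// check for usernames that will carry SCRAM-SHA-256 credentials. The stored
// username must already be prepared, i.e. saslPrep(name) must equal name.
// Only the common RFC 3454 tables are covered; private-use, non-character,
// surrogate and tagging tables and the bidi rules are omitted (assumption:
// good enough to show the failure mode, not a full RFC 4013 implementation).

// RFC 3454 table B.1: characters commonly mapped to nothing.
const MAPPED_TO_NOTHING = /[\u00AD\u034F\u1806\u180B-\u180D\u200B-\u200D\u2060\uFE00-\uFE0F\uFEFF]/g;
// RFC 3454 table C.1.2: non-ASCII space characters, mapped to U+0020.
const NON_ASCII_SPACE = /[\u00A0\u1680\u2000-\u200A\u202F\u205F\u3000]/g;
// RFC 3454 tables C.2.1 / C.2.2 (subset): control characters, prohibited in output.
const CONTROL = /[\u0000-\u001F\u007F-\u009F\u06DD\u070F\u180E\u2028\u2029\u2061-\u2063\u206A-\u206F\uFFF9-\uFFFC]/;

// Apply the SASLPrep mapping step and NFKC normalization; reject prohibited output.
function saslPrep(s) {
  const mapped = s.replace(MAPPED_TO_NOTHING, "").replace(NON_ASCII_SPACE, " ");
  const out = mapped.normalize("NFKC");
  if (CONTROL.test(out)) throw new Error("prohibited control character");
  return out;
}

// Mirror the command-side check: ok only when the name is already prepared.
// On mismatch the prepared form is returned so an operator can see what the
// name would have to be stored as.
function checkScramSha256Username(username) {
  let prepared;
  try {
    prepared = saslPrep(username);
  } catch (e) {
    return { ok: false, error: `invalid username: ${e.message}` };
  }
  if (prepared !== username) {
    return { ok: false, error: "username is not SASLPrep-prepared", prepared };
  }
  return { ok: true };
}

// Constructed sample inputs: a plain name, a full-width "A" (NFKC folds it to
// "A"), a soft hyphen (mapped to nothing), a no-break space, and ASCII BEL.
if (typeof require !== "undefined" && require.main === module) {
  for (const u of ["alice", "\uFF21lice", "al\u00ADice", "al\u00A0ice", "alice\u0007"]) {
    console.log(JSON.stringify(u), checkScramSha256Username(u));
  }
}
```

Only the first sample passes; the others are exactly the names the command would reject, and `prepared` shows the form that would have been accepted.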

      Invocations with password and mechanism
      When mechanisms is provided to a createUser invocation with a password, the command will use the provided password to generate user documents containing credentials for the specified mechanism(s). The mechanisms in the mechanisms field must be a subset of the mechanisms enumerated in the authenticationMechanisms setParameter.

      When mechanisms is provided to an updateUser invocation containing a password, the command will use the password to generate credentials for the specified mechanism(s) and replace the user document’s existing credentials with them. If a specified mechanism is unrecognized, the command will fail with an error without modifying the user’s document. The mechanisms in the mechanisms field must be a subset of the mechanisms enumerated in the authenticationMechanisms setParameter.

      Invocations with password only
      When createUser or updateUser are invoked with a password and without the mechanisms field, the commands will use the provided password to generate user documents containing credentials for all mechanisms enumerated in the authenticationMechanisms setParameter, if the server's current FCV is 3.7. Otherwise, the generated user documents will only contain credentials for SCRAM-SHA-1.

      Invocations with mechanism only
      When mechanisms is provided to updateUser without a password, and the listed mechanisms are a subset of the mechanisms for which the target user already holds credentials, all mechanisms not listed are removed from the user's credentials. If the mechanisms field is empty or is not such a subset, the command returns an error and the user is left unmodified. An unrecognized mechanism in the list is an error unless the target user's credentials already include it; a list consisting only of unrecognized mechanisms is always an error.

            Assignee: Sara Golemon (sara.golemon@mongodb.com)
            Reporter: Spencer Jackson (spencer.jackson@mongodb.com)
            Votes: 0
            Watchers: 4