The current cluster authentication keyfile solution has some room for improvement including
- It is difficult/impossible to change the keyfile in a running system
- All cluster members use the same keyfile
- The password contained in the keyfile is in cleartext as described in the original ticket.
As part of implementing x.509 authentication for clients, introduce the possibility to use x.509 for internal cluster authentication. The keyfile solution will be kept on (for now).
Original ticket: "The keyfile used for replica sets (defined by the keyFile entry in the coinfiguartion file) should not contain a simple clear text entry. This should be encrypted or stored by some other method as at present this means it would be possible for someone to access data by setting up a new replica set member using this key. It is also a general compliance issue for any password or key to be stored in a file in clear text."