- Type: Improvement
- Resolution: Won't Do
- Priority: Major - P3
- Affects Version/s: None
- Component/s: None
- Server Security
- Security 2023-05-15, Security 2023-05-29, Security 2023-06-12, Security 2023-06-26, Security 2023-07-10, Security 2023-07-24, Security 2023-08-07, Security 2023-08-21, Security 2023-09-04
(copied to CRM)
When AWS IAM is used for external authentication, it is important that a mongod or mongos is capable of returning distinct error codes to the caller for the different ways authentication can fail: invalid credentials (such as an incorrect username or password), a transient failure of the authentication sub-system (such as AWS IAM being unavailable), and other potential causes.
Currently an AuthenticationFailed error (code 18) is returned regardless of the source of the IAM authentication failure, which makes it difficult for downstream consumers (MongoDB Drivers) to tell these failures apart and handle them differently.
Because code 18 can only be interpreted as the credentials being invalid, Drivers must currently clear their connection pools and mark the server as unusable whenever authentication fails.
More granular error details (perhaps via errorLabels) would allow Drivers to handle AWS IAM authentication failures differently, for example by retrying failures caused by server-side timeouts instead of clearing the connection pools and forcing every connection to be re-established.
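The driver-side consequence described above, as an added example that is not code from the ticket or from any MongoDB driver: a small decision function shows why a bare code 18 forces a pool clear today, and how an errorLabels-based signal would let a transient IAM failure be retried instead. The label name "TransientAuthFailure" and the sample server responses are constructed placeholders for illustration; MongoDB does not define that label.

```python
# Added example (not MongoDB driver or server code). Compares the behaviour the
# ticket describes today (every AWS IAM auth failure is code 18) with the
# finer-grained handling it proposes via errorLabels.

AUTHENTICATION_FAILED = 18  # the only code a driver sees for any IAM auth failure today
TRANSIENT_LABEL = "TransientAuthFailure"  # hypothetical label; not a real MongoDB label


def classify_current(error: dict) -> str:
    """Today's driver behaviour: code 18 can only mean bad credentials,
    so the only safe action is to clear the pool and mark the server unusable."""
    if error.get("code") == AUTHENTICATION_FAILED:
        return "clear_pool"
    return "other"


def classify_proposed(error: dict) -> str:
    """Proposed behaviour: consult errorLabels before falling back to the code."""
    if error.get("code") != AUTHENTICATION_FAILED:
        return "other"
    if TRANSIENT_LABEL in error.get("errorLabels", []):
        return "retry"  # e.g. AWS IAM timed out; credentials may well be valid
    return "clear_pool"


def authenticate_with_retry(attempt_auth, classify, max_attempts: int = 3):
    """Call attempt_auth() until it succeeds (returns None), until the classifier
    says the failure is not retryable, or until max_attempts is exhausted.
    Returns (outcome, attempts_used)."""
    for attempts in range(1, max_attempts + 1):
        err = attempt_auth()
        if err is None:
            return "authenticated", attempts
        decision = classify(err)
        if decision != "retry":
            return decision, attempts
    return "gave_up", max_attempts


# Constructed sample server responses (not captured from a real deployment).
BAD_CREDENTIALS = {"ok": 0, "code": 18, "codeName": "AuthenticationFailed",
                   "errmsg": "Authentication failed."}
# Today an IAM outage looks identical to bad credentials:
IAM_TIMEOUT_TODAY = dict(BAD_CREDENTIALS)
# With the proposed label the driver can tell them apart:
IAM_TIMEOUT_PROPOSED = dict(BAD_CREDENTIALS, errorLabels=[TRANSIENT_LABEL])


def make_flaky_server(failures: int, response: dict):
    """Return an attempt function that fails `failures` times with `response`,
    then succeeds. Simulates a short AWS IAM outage."""
    state = {"left": failures}

    def attempt():
        if state["left"] > 0:
            state["left"] -= 1
            return response
        return None

    return attempt


if __name__ == "__main__":
    # One transient IAM failure followed by recovery.
    print(authenticate_with_retry(make_flaky_server(1, IAM_TIMEOUT_TODAY), classify_current))
    print(authenticate_with_retry(make_flaky_server(1, IAM_TIMEOUT_PROPOSED), classify_proposed))
```

With today's behaviour the single transient failure ends in a pool clear on the first attempt; with the labelled response the same outage is retried and the second attempt authenticates, while a genuine bad-credentials response still clears the pool immediately under both policies.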
- related to: SERVER-62053 Add retry for errors in AWS server-side conversation (Closed)