  1. Core Server
  2. SERVER-9685

Support three authentication modes, change default to "disabled".

    Details

    • Operating System:
      ALL

      Description

      MongoDB currently supports two authentication modes. For lack of accepted terms, call them "mandatory" and "optional". In "mandatory" mode, operations perform access control checks, and these checks frequently require a logged-in user with specific assigned roles in order to succeed. In "optional" mode, no access control checks are performed, but users may still authenticate to the server, if they care to. The "optional" mode is the default in 2.5.0 and prior.

      This work item introduces an additional authentication mode, "disabled", in which authentication commands are not even available. Clients attempting authentication will receive error responses, unconditionally. This will be the new default mode, in order to make misconfigurations easier to detect. The "optional" mode will be preserved and, as necessary, enhanced to support rolling upgrades from "disabled" to "mandatory".

      If a user exists but auth is not turned on, you currently don't get an error message:

      > db.auth("scott", "foo")
      Error: 18 { code: 18, ok: 0.0, errmsg: "auth fails" }
      0
      > db.addUser("scott", "foo")
      {
      	"user" : "scott",
      	"readOnly" : false,
      	"pwd" : "220567d3c24155e4b570a7de08911aad",
      	"_id" : ObjectId("51928dc902eff8bcb5ae8638")
      }
      > db.auth("scott", "foo") // this should error.
      1

              People

              Assignee:
              backlog-server-security Backlog - Security Team
              Reporter:
              scotthernandez Scott Hernandez