Summary
This project will deprecate the ability for clients to authenticate to MongoDB as multiple users, with the intent to remove it in the next LTS release of the product.
Motivation
Historically, administrators were expected to create distinct sets of users in different databases, and delegate management responsibilities to per-database user administrators. To support this functionality, it has been possible to authenticate as two separate users from two different databases simultaneously. Clients authenticated as two users would possess the union of privileges possessed by both users.
Clients no longer take advantage of this behaviour. For each connection they establish, compliant drivers authenticate exactly once using credentials provided in their configuration, which precludes multi-user authentication. Drivers automatically create implicit Logical Sessions which are incompatible with multi-user authentication. Attempting to use both features at the same time will result in an error.
Support for multi-user authentication complicates the server's authorization logic, and makes it harder for implementers of the server's wire protocol to understand the authorization model. We should deprecate this behaviour with the intent to remove it in an upcoming release.
Cast of Characters
- Product Owner:
- Project Lead:
- Program Manager:
- Drivers Contact:
Documentation
Scope Document
Technical Design Document