[JAVA-2117] Document how to use connection string with multiple credentials Created: 17/Feb/16 Updated: 31/Jan/18 Resolved: 31/Jan/18 |
|
| Status: | Closed |
| Project: | Java Driver |
| Component/s: | Documentation |
| Affects Version/s: | 3.0.0 |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | James Blackburn | Assignee: | Unassigned |
| Resolution: | Won't Fix | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||
| Description |
|
The MongoClient constructor in Java currently has:
The former allows connecting using a URI, which is standard and supported by all drivers, but doesn't support custom credentials per database. Previously we had API like:
... authenticate seems to have been removed from the 3.x Java driver. But is still avail in other drivers (e.g. pymongo). We've read: But this seems to deal with single credentials for a Mongo instance. What's the recommended way of using multiple database credentials with the Java driver? |
| Comments |
| Comment by Jeffrey Yemin [ 31/Jan/18 ] | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
As multiple credentials for a single MongoClient has been deprecated as of the 3.6 release, closing this as Won't Fix as it's no longer a recommended configuration, and will be unsupported in a future release. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Comment by Jeffrey Yemin [ 31/Jan/18 ] | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Linked to | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Comment by James Blackburn [ 19/Feb/16 ] | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
We have approximately 400 databases in our main cluster. In Mongo 2.4 with db level permissioning, we had credentials per database. The app only tried to authenticate to the database when it needed to do so (rather than eagerly authenticating to all databases). As we're upgrading to MongoDB 3.x we're moving to the new driver. Note that in the Python world, we have code that looks like this: | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Comment by Jeffrey Yemin [ 19/Feb/16 ] | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
As a consequence of privilege delegation in MongoDB, a MongoClient must eagerly authenticate all credentials that it has been provided. It does not know whether a user has been granted a privilege in another database (e.g. a user defined in database "db1" may have been granted a privilege to read from database "db2"). We could certainly improve the MongoSecurityException message to include information about the credential which failed authentication. Can you tell us how many credentials/databases you actually have? If it's a small number, one option is to create a separate MongoClient for each. Please see the driver authentication specification for more information. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Comment by James Blackburn [ 19/Feb/16 ] | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
It looks like the code eagerly eagerly performs authentication against all databases passed in, rather than doing this lazily as DBs are used. Previously we were able to selectively authenticate to different databases based on access, which might change dynamically during run. Also if any of the credentials are wrong the the client blows up, but I have no idea which of the N credentials is wrong. I have some code trying to access a collection:
Meanwhile the cluster monitor code blows up because a single cred isn't correct (for a DB I'm not using) - and I don't have any idea which DB is at fault.
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Comment by Jeffrey Yemin [ 17/Feb/16 ] | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
I agree. I changed the issue type to Improvement and added the Documentation component. We'll try to get this in the next release of the docs. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Comment by James Blackburn [ 17/Feb/16 ] | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Many thanks, will try that. Would be great if that were in the docs. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Comment by Jeffrey Yemin [ 17/Feb/16 ] | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
If you still want to use a connection string for everything but credentials, here's one way to do it:
|