[JAVA-3896] Support authentication credential rotation Created: 24/Nov/20  Updated: 21/Jun/23  Resolved: 21/Jun/23

Status: Closed
Project: Java Driver
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Frank Derwin (Inactive) Assignee: Unassigned
Resolution: Won't Do Votes: 3
Labels: rp-track
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Issue split
split from DRIVERS-1463 Support authentication credential rot... Closed
Related
Case:

Description

The driver should provide support for rotating authentication credentials:

  • The customer may opt to rotate a specific credential (a password, a client keytab, or a re-issued client certificate, where the private key may be either the old one or a new one while the certificate itself is always updated), or both the username and its credential.
  • Drivers must support authentication hooks/override methods to handle custom logic. For example, when an external vault processes the password change, there will be a delay before the SCRAM / PLAIN password is changed in the MongoDB Server / LDAP server. The customer-provided code will take care of this.
  • Once a MongoDB connection has gone through the authentication step, the driver no longer needs a credential. However, we must allow customers to choose between the following two scenarios: a) drain the existing connections ASAP and create a set of new ones using the new credential; b) keep the existing connections as long as needed, potentially until the next restart of the MongoDB Server instance or until the application code decides to re-authenticate using them.


Comments
Comment by Jeffrey Yemin [ 21/Jun/23 ]

FYI, this was closed because we're converging on an OIDC-based solution to credential rotation.

Comment by PM Bot [ 21/Jun/23 ]

DRIVERS-1463 has been closed as Won't Do, closing this ticket as the same.

Comment by Mark Paluch [ 22/Aug/22 ]

FWIW, a MongoCredentialProvider providing MongoCredential could be a neat approach to let a component produce a credentials object once the driver wants to authenticate with a server. A MongoCredentialProvider could be e.g. implemented by Spring Cloud Vault to provide a backend that rotates credentials on the server side and provides the updated credentials to the application.

Comment by Peter Lewis [ 24/Jun/21 ]

This is also an issue for us. Compliance with ISO 27001 requires that we rotate our credentials, but there is no effective "hook" to allow those Java client connections that previously authenticated with old credentials to re-authenticate with the new credentials.

Unfortunately, restarting the application (via a pod restart, for example) is not acceptable, so we need a way of gracefully continuing a connection without resorting to workarounds. Is there a way of extending the connection listener (or something similar) to trap authentication errors and allow re-authentication once the connection has been established (and then later experiences a failure)?


Generated at Thu Feb 08 09:00:43 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.