[SERVER-10306] Refuse to authenticate / return an authentication-time error for Kerberos users with no roles in the cluster. Created: 23/Jul/13 Updated: 01/Feb/18 Resolved: 30/Nov/15

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement |
| Priority: | Major - P3 |
| Reporter: | Andy Schwerin |
| Assignee: | DO NOT USE - Backlog - Platform Team |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Participants: | |
| Case: | (copied to CRM) |

| Description |
Currently, if a user is defined externally (say as a Kerberos principal) and the mongo cluster has no knowledge of the user, it is possible to log in as that user, but every action is then denied by authorization. It might be preferable for the authentication itself to fail with Unauthorized or AuthenticationFailed instead.
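The situation the description refers to (an externally authenticated principal that holds no roles, so it can log in but is denied everything) is straightforward to audit from the shell. The following is an added example, not code from the ticket or from MongoDB itself: it lists the users in the `$external` authentication database that have an empty or missing `roles` array. It assumes that `db.getSiblingDB("$external").getUsers()` returns either a plain array of user documents (legacy mongo shell) or a `{ users: [...], ok: 1 }` document (mongosh); both shapes are handled. The user list embedded below is constructed sample data so the function runs stand-alone.

```javascript
// Added example (not from the ticket or MongoDB's code base): find users in the
// $external authentication database that can authenticate (e.g. via Kerberos)
// but hold no roles, i.e. the accounts this ticket describes, which log in
// successfully and are then denied every action by authorization.
//
// In the mongo shell, feed it the live user list, e.g.
//   externalUsersWithoutRoles(db.getSiblingDB("$external").getUsers())
// The function also runs stand-alone on the constructed sample below.

function externalUsersWithoutRoles(result) {
  // Assumption: the legacy shell returns an array from getUsers(), while
  // mongosh returns { users: [...], ok: 1 }. Accept both shapes.
  const users = Array.isArray(result) ? result : (result && result.users) || [];
  return users
    .filter(u => u.db === "$external")                               // only externally defined users
    .filter(u => !Array.isArray(u.roles) || u.roles.length === 0)    // no roles at all
    .map(u => u.user);
}

// Constructed sample (not real data): what getUsers() on $external might
// return. Two Kerberos principals; only svc-backup@EXAMPLE.COM holds a role,
// so alice@EXAMPLE.COM is the account that authenticates yet can do nothing.
const SAMPLE_EXTERNAL_USERS = {
  users: [
    { _id: "$external.alice@EXAMPLE.COM", user: "alice@EXAMPLE.COM",
      db: "$external", roles: [] },
    { _id: "$external.svc-backup@EXAMPLE.COM", user: "svc-backup@EXAMPLE.COM",
      db: "$external", roles: [{ role: "backup", db: "admin" }] },
  ],
  ok: 1,
};

// Run the audit over the constructed sample; returns ["alice@EXAMPLE.COM"].
function auditSample() {
  return externalUsersWithoutRoles(SAMPLE_EXTERNAL_USERS);
}
```

Any name the audit returns is a principal that, under the behaviour the description complains about, passes authentication and then fails every authorization check; either grant it the roles it needs or remove it from `$external` so the intent is explicit.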
| Comments |
| Comment by Rahul Dhodapkar [ 30/Nov/15 ] |

Since we are introducing external authorization, this is actually the desired behavior. Previously, even if a user could be authenticated externally, without an explicit entry in the $external authentication database, that user would not have any valid roles. With