[SERVER-10306] Refuse to authenticate / return an authentication-time error for Kerberos users with no roles in the cluster. Created: 23/Jul/13  Updated: 01/Feb/18  Resolved: 30/Nov/15

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Andy Schwerin Assignee: DO NOT USE - Backlog - Platform Team
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related: is related to SERVER-12303 Group, Role-based Authentication/Auth... Closed

Description

Currently, if a user is defined externally (say as a Kerberos principal), and the mongo cluster has no knowledge of the user, it is possible to log in as that user, but all actions will be auth denied. It might be preferable for the authentication to fail with Unauthorized or AuthenticationFailed, instead.

Comments
Comment by Rahul Dhodapkar [ 30/Nov/15 ]

Since we are introducing external authorization, this is actually the desired behavior.

Previously, even if a user could be authenticated externally, without an explicit entry in the $external authentication database, that user would not have any valid roles. With SERVER-12303 it will be possible to have users with valid roles in mongodb that do not exist in "$external", and there should be no error at authentication time if the user has no roles in the cluster.

Generated at Thu Feb 08 03:22:49 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.