[SERVER-12143] Make some unauthenticated commands require auth Created: 17/Dec/13  Updated: 07/Feb/23  Resolved: 25/Jul/19

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.5.4
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Andreas Nilsson Assignee: Spencer Jackson
Resolution: Won't Fix Votes: 5
Labels: 26qa, platforms-re-triaged, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on DRIVERS-90 drivers must authenticate before call... Closed
depends on SERVER-5479 Arbiter in authenticated replica set ... Backlog
depends on SERVER-13698 Add roles and privileges to connectio... Closed
is depended on by DRIVERS-568 Make some unauthenticated commands re... Closed
Duplicate
is duplicated by SERVER-13166 Enabled authentication still allows r... Closed
is duplicated by SERVER-15293 Anonymous connections are allowed eve... Closed
Related
related to SERVER-15588 An arbiter should return an empty lis... Backlog
is related to SERVER-5479 Arbiter in authenticated replica set ... Backlog
is related to SERVER-34653 don't even parse requiresAuth command... Closed
Sprint: Security 2019-07-29
Participants:
Case:

 Description   

There are currently 19 commands that do not require authentication. Several of these commands have no use case before a successful authentication has been performed.

To reduce the unauthenticated API surface without introducing any complexity into the auth system we should introduce commands that require authentication but not authorization.

The following commands should only be runnable after a successful authentication (with any user, even a user with no roles):
availableQueryOptions, buildinfo, copydbgetnonce, features, forceerror, getoptime, isdbgrid, isMaster*, listCommands, logout, whatsmyuri

*isMaster is used by several drivers before performing any authentication so this change will require driver adoption.

The following commands should be kept as they are:
_isSelf, authenticate, connectionStatus, getLastError, getnonce, getPrevError, ping, resetError
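The practical check a reviewer of this ticket wants is: on a deployment with auth enabled, which of the 19 commands above can an unauthenticated connection actually run? The script below is an added example (not MongoDB project or driver code) that probes each listed command through a pluggable run_command callable and buckets the replies into open (ok:1), auth_required (error code 13, MongoDB's Unauthorized code) and other_error. It ships with a constructed fake server that models the 4.0 behaviour the closing comment describes (only ping, isMaster, saslStart and saslContinue accepted before authentication; everything else rejected without being parsed), and a pymongo adapter for a live server. Assumptions: pymongo is installed when the adapter is used, the target server has auth enabled, and the URI carries no credentials so the connection stays unauthenticated; the fake's open-command set is an illustration, not the server's real list.

```python
"""Audit which server commands an unauthenticated connection may run.

Added example for the ticket above; not code from the MongoDB project.
The audit takes a ``run_command`` callable so it runs offline against a
constructed fake server; ``pymongo_runner`` wires it to a live deployment.
"""
from typing import Callable, Dict, Iterable, List

# The 19 commands the ticket lists as runnable without authentication.
TICKET_UNAUTHENTICATED = [
    "availableQueryOptions", "buildinfo", "copydbgetnonce", "features",
    "forceerror", "getoptime", "isdbgrid", "isMaster", "listCommands",
    "logout", "whatsmyuri", "_isSelf", "authenticate", "connectionStatus",
    "getLastError", "getnonce", "getPrevError", "ping", "resetError",
]

UNAUTHORIZED = 13  # MongoDB error code "Unauthorized"

RunCommand = Callable[[str, Dict], Dict]


def audit(run_command: RunCommand,
          commands: Iterable[str] = TICKET_UNAUTHENTICATED) -> Dict[str, List[str]]:
    """Issue each command on the (unauthenticated) connection and bucket the reply."""
    result: Dict[str, List[str]] = {"open": [], "auth_required": [], "other_error": []}
    for name in commands:
        try:
            reply = run_command("admin", {name: 1})
        except Exception as exc:  # some drivers raise on ok:0 replies
            reply = getattr(exc, "details", None) or {"ok": 0, "code": None, "errmsg": str(exc)}
        if reply.get("ok") == 1:
            result["open"].append(name)
        elif reply.get("code") == UNAUTHORIZED:
            result["auth_required"].append(name)
        else:
            result["other_error"].append(name)
    return result


# Constructed fake (assumption, not the server's real table): models the 4.0
# behaviour described in the closing comment, where only annotated commands are
# accepted before authentication and anything else is rejected before parsing.
FAKE_OPEN_COMMANDS = {"ping", "isMaster", "saslStart", "saslContinue"}


def fake_unauthenticated_server(db: str, spec: Dict) -> Dict:
    name = next(iter(spec))
    if name in FAKE_OPEN_COMMANDS:
        return {"ok": 1}
    return {"ok": 0, "code": UNAUTHORIZED, "codeName": "Unauthorized",
            "errmsg": f"command {name} requires authentication"}


def pymongo_runner(uri: str) -> RunCommand:
    """Adapter for a live server. Assumes pymongo is installed, the server has
    auth enabled, and the URI carries no credentials (so we stay unauthenticated)."""
    from pymongo import MongoClient
    from pymongo.errors import OperationFailure

    client = MongoClient(uri)

    def run(db: str, spec: Dict) -> Dict:
        try:
            return client[db].command(spec)
        except OperationFailure as exc:
            return exc.details or {"ok": 0, "code": exc.code, "errmsg": str(exc)}

    return run


if __name__ == "__main__":
    import json
    import sys

    # With a URI argument, probe a real server; otherwise use the constructed fake.
    runner = pymongo_runner(sys.argv[1]) if len(sys.argv) > 1 else fake_unauthenticated_server
    print(json.dumps(audit(runner), indent=2))
```

Anything that lands in "open" against a real server is the remaining unauthenticated surface; "other_error" is worth a look too, since a reply other than Unauthorized means the server parsed and acted on the command before checking the connection's authentication state.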



 Comments   
Comment by Spencer Jackson [ 25/Jul/19 ]

I'm closing this ticket out. As of 4.0, the Typed Command project prevents parsing for unannotated commands on unauthenticated connections. Commands such as, but not limited to, ping, isMaster, saslStart, and saslContinue are annotated such that they may be invoked by unauthenticated clients. isMaster is now sometimes a prerequisite for authentication when negotiating SASL mechanisms, and is used to negotiate wire protocol compression and set client metadata.

Comment by David Golden [ 28/Mar/18 ]

Now that isMaster is used for SCRAM mechanism negotiation as of SERVER-32965, isMaster must NOT require authentication and should be removed from the list of commands under consideration for this ticket.

Comment by Paul A. Mosser [ 30/Nov/17 ]

Is anything happening in regard to this issue? Any changes planned in upcoming releases? Our preference would be that connections are rejected for any non-authenticated users, but it appears that that would be a major design shift, and, I'm assuming, is not even open for consideration?

Comment by David Golden [ 23/Apr/14 ]

An idea: when unauthenticated, could we have isMaster return a subset of information that communicates server capabilities, but omits sensitive information (e.g. network topology)?

Comment by Bernie Hackett [ 23/Apr/14 ]

*isMaster is used by several drivers before performing any authentication so this change will require driver adoption.

SERVER-5479 will have to be fixed before this change can be made.

Comment by Scott Hernandez (Inactive) [ 21/Jan/14 ]

No, the commands have a return status/message. GLE is for (no-response) writes (update/insert/delete), not commands, which are synchronous and return their errors.

Comment by Andreas Nilsson [ 21/Jan/14 ]

Do you never have to do getLastError on the authenticate or getnonce calls?

Comment by Scott Hernandez (Inactive) [ 21/Jan/14 ]

Seems like connectionStatus, getLastError, getPrevError, ping, and resetError should all go into "authenticated" commands, not open list.

Generated at Thu Feb 08 03:27:43 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.