[SERVER-12143] Make some unauthenticated commands require auth
Created: 17/Dec/13 | Updated: 07/Feb/23 | Resolved: 25/Jul/19

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 2.5.4 |
| Fix Version/s: | None |
| Type: | Improvement |
| Priority: | Major - P3 |
| Reporter: | Andreas Nilsson |
| Assignee: | Spencer Jackson |
| Resolution: | Won't Fix |
| Votes: | 5 |
| Labels: | 26qa, platforms-re-triaged, security |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Sprint: | Security 2019-07-29 |
| Participants: | |
| Case: | (copied to CRM) |

| Description |
|
There are currently 19 commands that do not require authentication. Several of these commands have no use case before a successful authentication has been performed. To reduce the unauthenticated API surface without introducing any complexity into the auth system, we should introduce commands that require authentication but not authorization. The following commands should only be runnable after a successful authentication (with any user, even a user with no roles): *isMaster is used by several drivers before performing any authentication, so this change will require driver adoption. The following commands should be kept as they are: |
| Comments |
| Comment by Spencer Jackson [ 25/Jul/19 ] |
|
I'm closing this ticket out. As of 4.0, the Typed Command project prevents parsing for unannotated commands on unauthenticated connections. Commands such as, but not limited to, ping, isMaster, saslStart, and saslContinue are annotated such that they may be invoked by unauthenticated clients. isMaster is now sometimes a prerequisite for authentication when negotiating SASL mechanisms, and is used to negotiate wire protocol compression and set client metadata. |
| Comment by David Golden [ 28/Mar/18 ] |
|
Now that isMaster is used for SCRAM mechanism negotiation as of |
| Comment by Paul A. Mosser [ 30/Nov/17 ] |
|
Is anything happening in regard to this issue? Any changes planned in upcoming releases? Our preference would be that connections are rejected for any non-authenticated users, but it appears that that would be a major design shift, and, I'm assuming, is not even open for consideration? |
| Comment by David Golden [ 23/Apr/14 ] |
|
An idea: when unauthenticated, could we have isMaster return a subset of information that communicates server capabilities, but omits sensitive information (e.g. network topology)? |
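Added example, not MongoDB server code: a Python model of the three-tier gate proposed in the description (runnable before authentication, authenticated but not authorized, authorized) combined with the idea in the comment above of returning a reduced isMaster reply to unauthenticated connections. The tier sets, the sample reply fields, and the single-role authorization check are assumptions made for the illustration.

```python
# Model of the command gate discussed in SERVER-12143 (added example, not
# MongoDB code). Tier membership here is an assumption taken from the thread.
from dataclasses import dataclass, field

# Commands a connection may run before authenticating (from the closing comment).
PRE_AUTH = {"ping", "isMaster", "saslStart", "saslContinue"}
# Commands that need an authenticated session but no roles (from the thread).
AUTH_ONLY = {"connectionStatus", "getLastError", "getPrevError", "resetError"}
# isMaster fields that describe topology rather than server capabilities.
TOPOLOGY_FIELDS = {"hosts", "setName", "primary", "me", "arbiters", "passives"}


@dataclass
class Connection:
    authenticated: bool = False
    roles: set = field(default_factory=set)


def is_master_reply(conn: Connection) -> dict:
    """Constructed sample reply; topology fields are omitted before auth."""
    full = {
        "ismaster": True, "maxWireVersion": 7,
        "saslSupportedMechs": ["SCRAM-SHA-256"],       # needed to negotiate auth
        "setName": "rs0", "hosts": ["db1:27017", "db2:27017"], "primary": "db1:27017",
    }
    if conn.authenticated:
        return full
    return {k: v for k, v in full.items() if k not in TOPOLOGY_FIELDS}


def dispatch(conn: Connection, command: str, required_role: str = "read") -> dict:
    """Gate a command by tier before any further work is done on it."""
    if command in PRE_AUTH:
        return is_master_reply(conn) if command == "isMaster" else {"ok": 1}
    if not conn.authenticated:
        # Reject every other command on an unauthenticated connection.
        return {"ok": 0, "errmsg": f"command {command} requires authentication"}
    if command in AUTH_ONLY:
        return {"ok": 1}
    if required_role not in conn.roles:
        return {"ok": 0, "errmsg": f"not authorized on command {command}"}
    return {"ok": 1}
```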
| Comment by Bernie Hackett [ 23/Apr/14 ] |
|
SERVER-5479 will have to be fixed before this change can be made. |
| Comment by Scott Hernandez (Inactive) [ 21/Jan/14 ] |
|
No, the commands have a return status/message. GLE is for (no-response) writes (update/insert/delete) not commands which are synchronous and return their errors. |
| Comment by Andreas Nilsson [ 21/Jan/14 ] |
|
Do you never have to do getLastError on the authenticate or getnonce calls? |
| Comment by Scott Hernandez (Inactive) [ 21/Jan/14 ] |
|
Seems like connectionStatus, getLastError, getPrevError, ping, and resetError should all go into "authenticated" commands, not open list. |