[SERVER-17390] HTTP Interface does not work with SCRAM User Documents

Created: 26/Feb/15
Updated: 14/Jul/17
Resolved: 14/Jul/17

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 3.0.0-rc11
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Amalia Hawkins
Assignee: DO NOT USE - Backlog - Platform Team
Resolution: Done
Votes: 3
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
is duplicated by SERVER-17512 Unable to authenticate with web conso... Closed
Related
is related to SERVER-17527 Add startupWarning if server started ... Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

1. Run a 3.0 server with --auth and --httpinterface both enabled, no user documents present.
2. Create a new user.
3. Attempt to access the http interface with the user's credentials.

Description:

The HTTP Interface code (db/dbwebserver.cpp) was never updated to work with SCRAM-style user documents, and thus is not compatible with the new user document format. However, the interface still works with 2.6-style user documents in a 3.0 database that have not yet been updated.

Alternatively, we could deprecate support for the HTTP interface with auth enabled (or entirely) as it is a potential security risk.

