[SERVER-32974] Enhance createUser and updateUser to support SCRAM-SHA-256 Created: 29/Jan/18 Updated: 29/Oct/23 Resolved: 15/Feb/18
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Admin, Security |
| Affects Version/s: | None |
| Fix Version/s: | 3.7.3 |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Spencer Jackson | Assignee: | Sara Golemon |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: | |
| Backwards Compatibility: | Minor Change |
| Participants: | |
| Description |
Add the string "SCRAM-SHA-256" to the authenticationMechanisms setParameter. Both createUser and updateUser will be given a new optional argument, named mechanisms, which will accept an Array of Strings. "SCRAM-SHA-1" and "SCRAM-SHA-256" are permissible values in this Array. This flag allows administrators to control which mechanisms may be used to authenticate as a specified user. Administrators testing their applications or attempting to meet compliance goals may configure users to support different subsets of mechanisms, or remove support for particular mechanisms.

The mechanisms flag may only be used when FCV is 3.7. createUser and updateUser will only produce SCRAM-SHA-1 credentials when the FCV is not 3.7.

When either createUser or updateUser would generate a user document containing SCRAM-SHA-256 credentials, they shall ensure that the user's username has been prepared as a stored string with SASLprep. If the username has not been properly prepared, the command shall return an error. If the server is not in FCV 3.7, but would otherwise generate SCRAM-SHA-256 credentials, these commands will still return an error if the provided user name has not been properly prepared.

Invocations with password and mechanism

When mechanisms is provided to an updateUser invocation containing a password, the command will use the password to generate credentials for the specified mechanism(s) and replace the user document's existing credentials with them. If a specified mechanism is unrecognized, the command will fail with an error without modifying the user's document. The mechanisms in the mechanisms field must be a subset of the mechanisms enumerated in the authenticationMechanisms setParameter.

Invocations with password only

Invocations with mechanism only
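The rules above (mechanisms only at FCV 3.7, a subset of authenticationMechanisms, unrecognized values rejected before the user document is touched, SASLprep-prepared usernames whenever SCRAM-SHA-256 credentials would be generated, and SCRAM-SHA-1-only output outside FCV 3.7) are easy to get subtly wrong, so here they are as a small executable model. This is an added example, not MongoDB server code: the command shape `{ user, pwd, mechanisms }`, the server-state shape `{ fcv, authenticationMechanisms }`, the default of generating credentials for every enabled SCRAM mechanism when `mechanisms` is omitted, and the simplified `isSaslPrepared` check are all assumptions of this example. Only the "password and mechanism" path the ticket spells out is modelled.

```javascript
// Added example, not MongoDB server code: a model of the createUser/updateUser
// rules described in this ticket. The command shape { user, pwd, mechanisms }
// and the server state shape { fcv, authenticationMechanisms } are assumptions.
const SCRAM_MECHANISMS = ["SCRAM-SHA-1", "SCRAM-SHA-256"];

// Approximation of the SASLprep "stored string" requirement (RFC 4013): the
// name must already be in NFKC form and must not contain characters that
// SASLprep maps to nothing, maps to ASCII space, or prohibits (controls,
// non-ASCII spaces, joiners, variation selectors). Assumption: the full
// profile has more tables than are checked here.
function isSaslPrepared(name) {
  if (typeof name !== "string" || name.length === 0) return false;
  if (name !== name.normalize("NFKC")) return false;
  const disallowed =
    /[\u0000-\u001F\u007F-\u00A0\u00AD\u034F\u1680\u180B-\u180E\u2000-\u200F\u2028-\u202F\u205F\u2060-\u2064\u3000\uFE00-\uFE0F\uFEFF\uFFF9-\uFFFD]/u;
  return !disallowed.test(name);
}

// Decide which credentials a createUser/updateUser call would generate, or
// why it must fail. Only the "password and mechanisms" path spelled out in
// the ticket is modelled; a call without a password is rejected here.
function planCredentials(cmd, server) {
  const { user, pwd, mechanisms } = cmd;
  const { fcv, authenticationMechanisms } = server;

  if (typeof pwd !== "string") {
    return { ok: false, error: "a password is required to generate credentials" };
  }

  let requested;
  if (mechanisms === undefined) {
    // Assumption: with no mechanisms argument, credentials are generated for
    // every SCRAM mechanism enabled in authenticationMechanisms.
    requested = SCRAM_MECHANISMS.filter((m) => authenticationMechanisms.includes(m));
  } else {
    if (fcv !== "3.7") {
      return { ok: false, error: "mechanisms may only be used when FCV is 3.7" };
    }
    if (!Array.isArray(mechanisms) || mechanisms.length === 0) {
      return { ok: false, error: "mechanisms must be a non-empty array of strings" };
    }
    for (const m of mechanisms) {
      if (!SCRAM_MECHANISMS.includes(m)) {
        // Unrecognized mechanism: fail before touching the user document.
        return { ok: false, error: `unrecognized mechanism: ${m}` };
      }
      if (!authenticationMechanisms.includes(m)) {
        return { ok: false, error: `${m} is not enabled in authenticationMechanisms` };
      }
    }
    requested = mechanisms;
  }

  // The SASLprep check applies whenever SCRAM-SHA-256 credentials would be
  // generated, even on a server whose FCV limits output to SCRAM-SHA-1.
  if (requested.includes("SCRAM-SHA-256") && !isSaslPrepared(user)) {
    return { ok: false, error: "username is not a SASLprep-prepared stored string" };
  }

  // Outside FCV 3.7 only SCRAM-SHA-1 credentials are ever produced.
  const generate = fcv === "3.7" ? requested : requested.filter((m) => m === "SCRAM-SHA-1");
  if (generate.length === 0) {
    return { ok: false, error: "no SCRAM mechanism available to generate credentials" };
  }
  // On updateUser the new credentials replace the existing ones.
  return { ok: true, credentials: generate, replacesExisting: true };
}

// Constructed sample server states and calls (not taken from a real deployment).
const SERVER_37 = { fcv: "3.7", authenticationMechanisms: ["SCRAM-SHA-1", "SCRAM-SHA-256"] };
const SERVER_36 = { fcv: "3.6", authenticationMechanisms: ["SCRAM-SHA-1", "SCRAM-SHA-256"] };

function runSamples() {
  return {
    sha256Only: planCredentials({ user: "alice", pwd: "s3cret", mechanisms: ["SCRAM-SHA-256"] }, SERVER_37),
    mechanismsOnOldFcv: planCredentials({ user: "alice", pwd: "s3cret", mechanisms: ["SCRAM-SHA-1"] }, SERVER_36),
    defaultOnOldFcv: planCredentials({ user: "alice", pwd: "s3cret" }, SERVER_36),
    unpreparedOnOldFcv: planCredentials({ user: "alice\u00A0", pwd: "s3cret" }, SERVER_36),
    unknownMechanism: planCredentials({ user: "alice", pwd: "s3cret", mechanisms: ["PLAIN"] }, SERVER_37),
  };
}

console.log(JSON.stringify(runSamples(), null, 2));
```

The `unpreparedOnOldFcv` case is the one worth noticing: the server is at FCV 3.6 and will only ever write SCRAM-SHA-1 credentials, yet the call still fails because a username ending in a non-breaking space is not a SASLprep stored string, which matches the ticket's rule that the check depends on what the server would generate, not on what FCV lets it write.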
| Comments |
| Comment by Githook User [ 15/Feb/18 ] |
Author: {'email': 'sara.golemon@mongodb.com', 'name': 'Sara Golemon', 'username': 'sgolemon'} Message: