[SERVER-32974] Enhance createUser and updateUser to support SCRAM-SHA-256 Created: 29/Jan/18  Updated: 29/Oct/23  Resolved: 15/Feb/18

Status: Closed
Project: Core Server
Component/s: Admin, Security
Affects Version/s: None
Fix Version/s: 3.7.3

Type: Improvement Priority: Major - P3
Reporter: Spencer Jackson Assignee: Sara Golemon
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
is documented by DOCS-11384 Docs for SERVER-32974: Enhance create... Closed
Duplicate
duplicates SERVER-32964 Make db.createUser shell helper gener... Closed
Related
is related to SERVER-18412 Possibility to override default authe... Closed
Backwards Compatibility: Minor Change
Participants:

Description

Add the string "SCRAM-SHA-256" to the authenticationMechanisms setParameter.

Both createUser and updateUser will be given a new optional argument, named mechanisms, which will accept an Array of Strings. "SCRAM-SHA-1" and "SCRAM-SHA-256" are the permissible values in this Array. This flag allows administrators to control which mechanisms may be used to authenticate as a specified user. Administrators testing their applications or attempting to meet compliance goals may configure users to support different subsets of mechanisms, or remove support for particular mechanisms.

The mechanisms flag may only be used when FCV is 3.7. createUser and updateUser will only produce SCRAM-SHA-1 credentials when the FCV is not 3.7.

When either createUser or updateUser would generate a user document containing SCRAM-SHA-256 credentials, they shall ensure that the user's username has been prepared as a stored string with SASLPrep. If the username has not been properly prepared, the command shall return an error. If the server is not in FCV 3.7, but the server would generate SCRAM-SHA-256 credentials otherwise, these commands will still return an error if the provided user name has not been properly prepared.

Invocations with password and mechanism
When mechanisms is provided to a createUser invocation with a password, the command will use the provided password to generate user documents containing credentials for the specified mechanism(s). The mechanisms in the mechanisms field must be a subset of the mechanisms enumerated in the authenticationMechanisms setParameter.

When mechanisms is provided to an updateUser invocation containing a password, the command will use the password to generate credentials for the specified mechanism(s) and replace the user document’s existing credentials with them. If a specified mechanism is unrecognized, the command will fail with an error without modifying the user’s document. The mechanisms in the mechanisms field must be a subset of the mechanisms enumerated in the authenticationMechanisms setParameter.

Invocations with password only
When createUser or updateUser are invoked with a password and without the mechanisms field, the commands will use the provided password to generate user documents containing credentials for all mechanisms enumerated in the authenticationMechanisms setParameter, if the server's current FCV is 3.7. Otherwise, the generated user documents will only contain credentials for SCRAM-SHA-1.

Invocations with mechanism only
When mechanisms is provided to updateUser without a password, if the listed mechanisms are a subset of the mechanisms supported by the target user's credentials, all mechanisms not listed will be removed from the user's credentials. If the mechanisms field is empty or not a subset, an error will be emitted and the user shall be left unmodified. If the mechanisms field contains unrecognized mechanisms, the command shall fail with an error if the unrecognized mechanisms are not supported by the target user's credentials. If the mechanisms field only contains unrecognized mechanisms, the command shall fail with an error.
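The three invocation forms above, together with the FCV and SASLPrep rules from the description, modelled as one decision function. This is an added illustration for reading the ticket, not MongoDB's own code; the isSaslPrepped stand-in and the server/cmd/existing argument shapes are assumptions.

```javascript
// Model of the credential-selection rules SERVER-32974 specifies for
// createUser/updateUser. Added illustration only, not MongoDB's own code.
const SCRAM_SHA_1 = "SCRAM-SHA-1";
const SCRAM_SHA_256 = "SCRAM-SHA-256";
const KNOWN_MECHS = new Set([SCRAM_SHA_1, SCRAM_SHA_256]);
// Hypothetical stand-in for the server's SASLPrep check: a name counts as
// prepared when NFKC normalization leaves it unchanged and it contains no
// control characters. Real SASLPrep (RFC 4013) maps and prohibits more.
function isSaslPrepped(username) {
  return username === username.normalize("NFKC") &&
    !/[\u0000-\u001f\u007f]/.test(username);
}
// server: { authenticationMechanisms: [...], fcv: "3.6" | "3.7" }
// cmd: { username, password?, mechanisms? }; existing: mechanisms the user
// already holds (updateUser) or null (createUser).
// Returns { credentials: [...] } or { error: "..." }.
function resolveCredentials(server, cmd, existing) {
  const fcv37 = server.fcv === "3.7";
  const hasPassword = cmd.password !== undefined;
  const hasMechs = Array.isArray(cmd.mechanisms);
  if (hasMechs && !fcv37) return { error: "mechanisms requires FCV 3.7" };
  if (hasMechs && cmd.mechanisms.length === 0) return { error: "mechanisms is empty" };
  let wanted; // mechanisms the command would produce if FCV were 3.7
  if (hasPassword && hasMechs) {
    const enabled = new Set(server.authenticationMechanisms);
    for (const m of cmd.mechanisms) {
      if (!KNOWN_MECHS.has(m)) return { error: `unrecognized mechanism ${m}` };
      if (!enabled.has(m)) return { error: `${m} not in authenticationMechanisms` };
    }
    wanted = [...cmd.mechanisms];
  } else if (hasPassword) {
    wanted = server.authenticationMechanisms.filter(m => KNOWN_MECHS.has(m));
  } else if (hasMechs && existing !== null) {
    // Prune only: each listed mechanism must already be present, which also
    // rejects lists made up solely of unrecognized names. Nothing is generated.
    for (const m of cmd.mechanisms) {
      if (!existing.includes(m)) return { error: `user has no ${m} credentials` };
    }
    return { credentials: [...cmd.mechanisms] };
  } else {
    return { error: "createUser needs a password; updateUser needs password or mechanisms" };
  }
  // SASLPrep is enforced whenever SHA-256 credentials *would* be generated,
  // even when FCV < 3.7 will limit the stored credentials to SHA-1.
  if (wanted.includes(SCRAM_SHA_256) && !isSaslPrepped(cmd.username)) {
    return { error: "username is not SASLPrep-ed" };
  }
  return { credentials: fcv37 ? wanted : [SCRAM_SHA_1] };
}
```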



Comments
Comment by Githook User [ 15/Feb/18 ]

Author:

{'email': 'sara.golemon@mongodb.com', 'name': 'Sara Golemon', 'username': 'sgolemon'}

Message: SERVER-32974 Enhance createUser/updateUser to support SCRAM-SHA-256
Branch: master
https://github.com/mongodb/mongo/commit/c201eec1ccd7959b0192adeb0d0a458a7f9eb9e7

Generated at Thu Feb 08 04:31:53 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.