[SERVER-35753] listCommands should include value for requiresAuth Created: 22/Jun/18  Updated: 29/Oct/23  Resolved: 26/Jul/19

Status: Closed
Project: Core Server
Component/s: Security, Usability
Affects Version/s: None
Fix Version/s: 4.3.1

Type: Improvement Priority: Major - P3
Reporter: Spencer Jackson Assignee: Adam Cooper (Inactive)
Resolution: Fixed Votes: 0
Labels: neweng
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Backwards Compatibility: Fully Compatible
Sprint: Security 2019-07-29
Participants:

 Description   

It would be interesting to be able to see this property for all commands in the system.



 Comments   
Comment by Githook User [ 26/Jul/19 ]

Author: Adam Cooper (adam.cooper@mongodb.com, username: super-cooper)

Message: SERVER-35753 listCommands should include value for requiresAuth
Branch: master
https://github.com/mongodb/mongo/commit/2ff2b24ce6c0745e181f2cb1fe4fc12d220a9e8a

Comment by Shane Harvey [ 21/Sep/18 ]

This ticket would have helped in figuring out which commands are not supposed to require auth for SERVER-34820.

spencer.jackson did some git-fu and came up with this list of commands "which explicitly set requiresAuth to return false, and so may be run by unauthenticated clients":

  • saslStart
  • saslContinue
  • authenticate
  • getnonce
  • connectionStatus
  • buildInfo
  • ping
  • listCommands (but we'd rather it weren't, per SERVER-35482)
  • resetError
  • getLastError
  • getPrevError
  • shutdown (but still has an auth check)
  • ismaster
  • whatsmyuri (internal)
  • _isSelf (internal)

And the test-only commands that don't require auth:

  • configureFailPoint
  • echo
  • refreshLogicalSessionCacheNow
  • waitForOngoingChunkSplits
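
A check built on the list in the comment above, as an added example that is not part of the ticket or the MongoDB code base: it takes a `listCommands` reply carrying the per-command `requiresAuth` value this ticket asks for and reports commands that skip authentication but are not on the comment's list. The sample reply, the names `exampleCustomCmd` and `oldStyleCmd`, and the case-insensitive comparison are assumptions.

```javascript
// In the mongo shell the reply would come from db.runCommand({ listCommands: 1 }).
// Commands the comment lists as explicitly returning requiresAuth = false.
const EXPECTED_NO_AUTH = ["saslStart", "saslContinue", "authenticate", "getnonce",
  "connectionStatus", "buildInfo", "ping", "listCommands", "resetError",
  "getLastError", "getPrevError", "shutdown", "ismaster", "whatsmyuri", "_isSelf"];
// Test-only commands from the same comment.
const TEST_ONLY_NO_AUTH = ["configureFailPoint", "echo",
  "refreshLogicalSessionCacheNow", "waitForOngoingChunkSplits"];

// Assumption: compare case-insensitively, since the spelling a server reports
// may differ from the comment's (for example "ismaster").
const lower = (names) => new Set(names.map((n) => n.toLowerCase()));
const expected = lower(EXPECTED_NO_AUTH);
const testOnly = lower(TEST_ONLY_NO_AUTH);

function auditRequiresAuth(reply) {
  const report = { unexpected: [], testOnly: [], missingField: [] };
  const commands = (reply && reply.commands) || {};
  for (const [name, info] of Object.entries(commands)) {
    const key = name.toLowerCase();
    if (!info || typeof info.requiresAuth !== "boolean") {
      report.missingField.push(name); // reply entry carries no requiresAuth value
    } else if (info.requiresAuth) {
      continue; // auth required: nothing to flag
    } else if (testOnly.has(key)) {
      report.testOnly.push(name); // test commands are enabled on this server
    } else if (!expected.has(key)) {
      report.unexpected.push(name); // unauthenticated, not on the known list
    }
  }
  for (const list of Object.values(report)) list.sort();
  return report;
}

// Constructed sample reply (not captured from a real server);
// "exampleCustomCmd" and "oldStyleCmd" are hypothetical names.
const sampleReply = {
  commands: {
    ping: { help: "constructed", requiresAuth: false },
    isMaster: { help: "constructed", requiresAuth: false },
    find: { help: "constructed", requiresAuth: true },
    echo: { help: "constructed", requiresAuth: false },
    exampleCustomCmd: { help: "constructed", requiresAuth: false },
    oldStyleCmd: { help: "constructed" },
  },
  ok: 1,
};

console.log(JSON.stringify(auditRequiresAuth(sampleReply), null, 2));
```
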
Generated at Thu Feb 08 04:40:50 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.