[SERVER-44686] Create users with hashed password Created: 17/Nov/19  Updated: 27/Oct/23  Resolved: 16/Dec/19

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 4.2.1
Fix Version/s: None

Type: New Feature Priority: Minor - P4
Reporter: guy eise Assignee: Spencer Jackson
Resolution: Works as Designed Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Sprint: Security 2019-12-16, Security 2019-12-30
Participants:

 Description   

As of now, creating a new user requires a clear-text password (without hashing).
I would appreciate having the option to use a hashed password.

For example: db.createUser({usr: 'usr1', pwd: '<hash>', hashed:true})

Thank you,

Guy

 



 Comments   
Comment by Spencer Jackson [ 16/Dec/19 ]

The MongoDB server supports multiple authentication mechanisms, which are backed by different and incompatible forms of persisted credentials. To enable a smooth transition between mechanisms, the server is able to persist multiple types of credentials for a single user. The mechanics of generating these credentials are subtle, and it is possible to incorrectly generate a set of credentials such that some, but not all, clients would fail to authenticate. If this occurred, it would be very difficult to diagnose. As such, we do not currently intend to add support for client-provided credentials.
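
The failure mode described in the comment above, as an added example that is not part of the ticket and is not MongoDB's code: it derives one credential entry per mechanism from a single password, then builds a plausible but wrong client-supplied set in which only some clients can authenticate. It assumes the two mechanisms are SCRAM-SHA-1 and SCRAM-SHA-256 with MongoDB's default iteration counts and salt sizes; the function names, user and passwords are constructed for illustration.

```python
import base64, hashlib, hmac, os

# Assumptions: the two SCRAM mechanisms, with MongoDB's default iteration
# counts and salt sizes (bytes); sample user and passwords are constructed.
MECHS = {"SCRAM-SHA-1": ("sha1", 10000, 16), "SCRAM-SHA-256": ("sha256", 15000, 28)}

def secret_for(mech, user, password):
    """PBKDF2 input: SCRAM-SHA-1 uses a legacy MD5 digest, SCRAM-SHA-256 the password."""
    if mech == "SCRAM-SHA-1":
        return hashlib.md5(f"{user}:mongo:{password}".encode()).hexdigest().encode()
    return password.encode()  # SASLprep skipped: sample passwords are ASCII

def derive(mech, secret, salt=None, iterations=None):
    """Build one persisted credential entry (RFC 5802 StoredKey/ServerKey)."""
    algo, default_iters, salt_len = MECHS[mech]
    salt = salt or os.urandom(salt_len)
    iterations = iterations or default_iters
    salted = hashlib.pbkdf2_hmac(algo, secret, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", algo).digest()
    server_key = hmac.new(salted, b"Server Key", algo).digest()
    b64 = lambda raw: base64.b64encode(raw).decode()
    return {"iterationCount": iterations, "salt": b64(salt),
            "storedKey": b64(hashlib.new(algo, client_key).digest()),
            "serverKey": b64(server_key)}

def client_can_auth(mech, user, password, entry):
    """True if a client speaking `mech` with `password` matches the stored entry."""
    again = derive(mech, secret_for(mech, user, password),
                   base64.b64decode(entry["salt"]), entry["iterationCount"])
    return hmac.compare_digest(again["storedKey"], entry["storedKey"])

def server_generated(user, password):
    """Every entry derived from the same clear-text password, each by its own rule."""
    return {m: derive(m, secret_for(m, user, password)) for m in MECHS}

def client_supplied_wrong(user, password):
    """Constructed mistake: the SHA-1 rule (MD5 digest) reused for SHA-256 as well."""
    digest = secret_for("SCRAM-SHA-1", user, password)
    return {m: derive(m, digest) for m in MECHS}

if __name__ == "__main__":
    for name, creds in (("server", server_generated("usr1", "pw-constructed")),
                        ("client", client_supplied_wrong("usr1", "pw-constructed"))):
        for mech, entry in creds.items():
            print(name, mech, client_can_auth(mech, "usr1", "pw-constructed", entry))
```

Both sets have the same shape and field lengths, so nothing in the stored document reveals the bad SHA-256 entry; it only surfaces when a client negotiates that mechanism.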

Comment by Carl Champain (Inactive) [ 18/Nov/19 ]

Hi guyeise5@gmail.com,

Thanks for the report.
I'm passing this ticket along to the Security team for additional investigation.

Kind regards,
Carl
 
