[SERVER-44686] Create users with hashed password Created: 17/Nov/19 Updated: 27/Oct/23 Resolved: 16/Dec/19 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 4.2.1 |
| Fix Version/s: | None |
| Type: | New Feature | Priority: | Minor - P4 |
| Reporter: | guy eise | Assignee: | Spencer Jackson |
| Resolution: | Works as Designed | Votes: | 1 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Sprint: | Security 2019-12-16, Security 2019-12-30 |
| Participants: |
| Description |
|
As of now, creating a new user requires a clear-text password (without hashing). For example:

db.createUser({usr: 'usr1', pwd: '<hash>', hashed:true})

Thank you,
Guy
|
| Comments |
| Comment by Spencer Jackson [ 16/Dec/19 ] |
|
The MongoDB server supports multiple authentication mechanisms, which are backed by different and incompatible forms of persisted credentials. To enable a smooth transition between mechanisms, the server is able to persist multiple types of credentials for a single user. The mechanics of generating these credentials is subtle, and it is possible to incorrectly generate a set of credentials such that some, but not all, clients would fail to authenticate. If this occurred, it would be very difficult to diagnose. As such, we do not currently intend to add support for client-provided credentials. |
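The failure mode described in the comment above, as an added Python sketch that is not MongoDB's code and not part of the ticket. It assumes the two mechanisms are MongoDB's SCRAM-SHA-1 and SCRAM-SHA-256 with their default salt sizes and iteration counts; all function names, the raw-bytes credential layout and the sample user are constructed for illustration.

```python
import hashlib, hmac, os

def _keys(algo, secret, salt, iters):
    """RFC 5802 key derivation: returns (ClientKey, StoredKey, ServerKey)."""
    salted = hashlib.pbkdf2_hmac(algo, secret, salt, iters)
    client_key = hmac.new(salted, b"Client Key", algo).digest()
    server_key = hmac.new(salted, b"Server Key", algo).digest()
    return client_key, hashlib.new(algo, client_key).digest(), server_key

def sha1_secret(user, password):
    # SCRAM-SHA-1 in MongoDB feeds hex(MD5("user:mongo:password")) to PBKDF2.
    return hashlib.md5(f"{user}:mongo:{password}".encode()).hexdigest().encode()

def sha256_secret(user, password):
    # SCRAM-SHA-256 uses the SASLprep'd password (ASCII passes through unchanged).
    return password.encode()

# mechanism -> (hash, password preprocessing, salt bytes, PBKDF2 iterations)
MECHS = {"SCRAM-SHA-1": ("sha1", sha1_secret, 16, 10000),
         "SCRAM-SHA-256": ("sha256", sha256_secret, 28, 15000)}

def make_credentials(user, password, secret_fns=None):
    """Build one credential per mechanism; secret_fns lets a caller swap in
    a (possibly wrong) preprocessing step, as a client-side generator might."""
    creds = {}
    for mech, (algo, fn, salt_len, iters) in MECHS.items():
        fn = (secret_fns or {}).get(mech, fn)
        salt = os.urandom(salt_len)
        _, stored, server = _keys(algo, fn(user, password), salt, iters)
        creds[mech] = {"iterationCount": iters, "salt": salt,
                       "storedKey": stored, "serverKey": server}
    return creds

def client_can_authenticate(mech, creds, user, password):
    """A correct client computes its proof; the server checks it against storedKey."""
    algo, fn, _, _ = MECHS[mech]
    c = creds[mech]
    auth_message = b"constructed-auth-message"  # stands in for the SCRAM transcript
    client_key, client_stored, _ = _keys(algo, fn(user, password),
                                         c["salt"], c["iterationCount"])
    client_sig = hmac.new(client_stored, auth_message, algo).digest()
    proof = bytes(a ^ b for a, b in zip(client_key, client_sig))
    server_sig = hmac.new(c["storedKey"], auth_message, algo).digest()
    recovered = bytes(a ^ b for a, b in zip(proof, server_sig))
    return hmac.compare_digest(hashlib.new(algo, recovered).digest(), c["storedKey"])

if __name__ == "__main__":
    # Constructed mistake: the generator skips the MD5 step for SCRAM-SHA-1.
    bad = make_credentials("usr1", "s3cret", {"SCRAM-SHA-1": sha256_secret})
    for mech in MECHS:
        print(mech, client_can_authenticate(mech, bad, "usr1", "s3cret"))
```

With the skipped MD5 step, clients negotiating SCRAM-SHA-256 authenticate while SCRAM-SHA-1 clients are rejected, even though both credentials look well-formed on inspection.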
| Comment by Carl Champain (Inactive) [ 18/Nov/19 ] |
|
Thanks for the report. Kind regards, |