[SERVER-46399] Only use configured authenticationMechanisms when performing intra-cluster authentication

Created: 25/Feb/20 | Updated: 14/Nov/23 | Resolved: 08/Jan/22

| Field | Value |
| --- | --- |
| Status | Closed |
| Project | Core Server |
| Component/s | None |
| Affects Version/s | None |
| Fix Version/s | 5.3.0-rc0 |
| Type | Task |
| Priority | Major - P3 |
| Reporter | Sara Golemon |
| Assignee | Adam Rayner |
| Resolution | Fixed |
| Votes | 0 |
| Labels | None |
| Remaining Estimate | Not Specified |
| Time Spent | Not Specified |
| Original Estimate | Not Specified |
| Issue Links | |
| Backwards Compatibility | Fully Compatible |
| Sprint | Security 2021-11-01, Security 2021-11-15, Security 2021-11-29, Security 2021-12-13, Security 2021-12-27, Security 2022-01-10 |
| Participants | |
Description

When we introduced SCRAM-SHA-256, we gave a special exception for the internalSecurity.user to authenticate using SCRAM-SHA-1 even if it was not among the configured authenticationMechanisms. That exception has been in place long enough that we should re-examine the decision and tighten up mechanism selection.
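The mechanism-selection change the description asks for, as an added Python model that is not mongod's or mongot's code: the legacy rule that grants the internal user a SCRAM-SHA-1 exception sits beside the tightened rule that honours only the configured authenticationMechanisms. It goes one step beyond the ticket text with a small operational check that reports which cluster members could no longer authenticate to each other once the exception is removed, which is the compatibility question raised in the comments. NodeConfig, the helper names and the three sample members are this example's own constructions.

```python
"""Intra-cluster auth mechanism selection: legacy exception vs. tightened rule.

Added illustration, not mongod's or mongot's code. It models the behaviour
described in SERVER-46399: mongod once let the internal __system user
authenticate with SCRAM-SHA-1 even when the authenticationMechanisms server
parameter did not list it; the tightened rule only honours configured
mechanisms. NodeConfig and the helper functions are this example's own names.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Set, Tuple

INTERNAL_USER = "__system"  # the internalSecurity user used between cluster members

# Preference order when more than one mechanism is available: strongest first.
PREFERENCE = ("SCRAM-SHA-256", "SCRAM-SHA-1")


@dataclass(frozen=True)
class NodeConfig:
    """One member's setParameter.authenticationMechanisms (constructed sample)."""
    name: str
    mechanisms: FrozenSet[str]


def legacy_candidates(node: NodeConfig, user: str) -> Set[str]:
    """Pre-fix rule: the internal user may always fall back to SCRAM-SHA-1."""
    mechs = set(node.mechanisms)
    if user == INTERNAL_USER:
        mechs.add("SCRAM-SHA-1")  # the special exception the ticket removes
    return mechs


def strict_candidates(node: NodeConfig, user: str) -> Set[str]:
    """Post-fix rule: only configured mechanisms, for every user including __system."""
    return set(node.mechanisms)


Rule = Callable[[NodeConfig, str], Set[str]]


def negotiate(client: NodeConfig, server: NodeConfig, user: str, rule: Rule) -> Optional[str]:
    """Pick the strongest mechanism both sides permit under the given rule, or None."""
    for mech in PREFERENCE:
        if mech in rule(client, user) and mech in rule(server, user):
            return mech
    return None


def incompatible_pairs(nodes: List[NodeConfig], rule: Rule = strict_candidates) -> List[Tuple[str, str]]:
    """Operational check: ordered (client, server) pairs that cannot authenticate under `rule`."""
    bad: List[Tuple[str, str]] = []
    for client in nodes:
        for server in nodes:
            if client is not server and negotiate(client, server, INTERNAL_USER, rule) is None:
                bad.append((client.name, server.name))
    return bad


# Constructed sample deployment: two mongod members and one tool that only speaks SCRAM-SHA-1.
NODE_A = NodeConfig("node-a", frozenset({"SCRAM-SHA-256"}))
NODE_B = NodeConfig("node-b", frozenset({"SCRAM-SHA-256", "SCRAM-SHA-1"}))
LEGACY_TOOL = NodeConfig("legacy-tool", frozenset({"SCRAM-SHA-1"}))
CLUSTER = [NODE_A, NODE_B, LEGACY_TOOL]


if __name__ == "__main__":
    for rule_name, rule in (("legacy", legacy_candidates), ("strict", strict_candidates)):
        chosen = negotiate(NODE_A, LEGACY_TOOL, INTERNAL_USER, rule)
        print(f"{rule_name}: node-a -> legacy-tool uses {chosen}")
        print(f"{rule_name}: pairs that cannot authenticate: {incompatible_pairs(CLUSTER, rule)}")
```

Running `incompatible_pairs` against the real parameter values of each member before tightening mechanism selection shows exactly which peers (here the SHA-1-only tool) would break; a member that lists only SCRAM-SHA-256 can still reach any peer that also lists it.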
Comments

Comment by Githook User [31/Dec/21]

Author: Adam Rayner <adam.rayner@gmail.com> (username: adamtron)
Message:

Comment by Githook User [30/Nov/21]

Author: Adam Rayner <adam.rayner@gmail.com> (username: adamtron)
Message: Revert "

Comment by Githook User [29/Nov/21]

Author: Adam Rayner <adam.rayner@gmail.com> (username: adamtron)
Message:

Comment by Doug Tarr [21/May/21]

Yes, we support SCRAM-SHA-256. You can safely remove SCRAM-SHA-1 from any version of mongod from the perspective of mongot, since in practice it is not used. We still technically support SCRAM-SHA-1 for the same reason, but we will remove it once it is removed from mongod.

Comment by Spencer Jackson [21/May/21]

doug.tarr, we're interested in making a change which would allow mongod processes to authenticate to each other using exclusively SCRAM-SHA-256. This would, however, prevent them from authenticating to or receiving authentication attempts from mongot using SCRAM-SHA-1. Our understanding is that mongot recently received support for SCRAM-SHA-256 for the FedRAMP initiative.

In your estimate, what release of MongoDB could this change be released in to avoid causing problems with mongot?