[SERVER-7119] Add SASL config option(s) Created: 24/Sep/12 Updated: 02/Aug/18 Resolved: 26/Dec/12 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 2.3.2 |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Eric Milkie | Assignee: | Andy Schwerin |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
| Backwards Compatibility: | Fully Compatible | ||||||||
| Participants: | |||||||||
| Description |
Supported by both mongod and mongos |
| Comments |
| Comment by Andy Schwerin [ 26/Dec/12 ] | |||
|
The various --setParameter options must be documented. They are, as of this comment,
The default for authenticationMechanisms is MONGO-CR, which is the challenge-response (CR) algorithm supported in mongo 2.2 and prior. Other options are valid SASL mechanisms, and we officially support GSSAPI in 2.4, though CRAM-MD5 and DIGEST-MD5 are also enabled.

The default for enableLocalhostAuthBypass is true, and is the behavior from 2.2 and prior. To disable the "localhost exception", which allows localhost connections to bypass authentication if there are no users in the admin database, set it to false. This is recommended.

The default for supportCompatibilityFormPrivilegeDocuments is true, but users who want fine-grained control of privilege should switch their users to the extended form and then we recommend they disable this by setting it to false. | |||
| Comment by auto [ 26/Dec/12 ] | |||
|
Author: Andrew Schwerin <schwerin@10gen.com>, 2012-12-24T01:20:35Z
Message: | |||
| Comment by Andy Schwerin [ 05/Dec/12 ] | |||
|
Use setParameter to specify supported authentication mechanisms in subscription product. https://github.com/10gen/mongo-enterprise-modules/commit/28447a97525aad689f3ed8663e4aab09e0b097b3 | |||
| Comment by auto [ 04/Dec/12 ] | |||
|
Author: Andy Schwerin <schwerin@10gen.com>, 2012-12-04T18:14:05Z
Message: This patch provides a mechanism for disabling the "nonce" and "authenticate" commands at runtime. A Related to | |||
| Comment by Andy Schwerin [ 03/Dec/12 ] | |||
|
Plan is to use the setParameter mechanism extensions from

authenticationMechanisms will be a list of strings, and the default will be to support only the mongo challenge-response protocol, MONGO-CR. At the command line, a user wishing to support GSSAPI (Kerberos) only would use the following:
To support that and Mongo challenge response, the user would list them both:
Similarly, in the config file:
Server will exit with a non-zero code in the event that authenticationMechanisms contains an unsupported or unknown mechanism. |
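
The following is an added example, not part of the ticket or of the MongoDB code base: a pre-start check that audits a planned mongod/mongos argument list against the defaults and recommendations stated in the comments above. The function names, the comma-separated list form, the acceptance of `0` as false, and the sample arguments are assumptions made for illustration.

```python
# Added example: audit planned --setParameter values before starting the server.
# Parameter names, defaults and mechanism names are the ones given in the comments.

# Mechanisms the comments name as enabled (GSSAPI officially supported in 2.4).
KNOWN_MECHANISMS = {"MONGO-CR", "GSSAPI", "CRAM-MD5", "DIGEST-MD5"}

# Defaults as stated in the 26/Dec/12 comment.
DEFAULTS = {
    "authenticationMechanisms": "MONGO-CR",
    "enableLocalhostAuthBypass": "true",
    "supportCompatibilityFormPrivilegeDocuments": "true",
}


def parse_set_parameters(argv):
    """Overlay name=value pairs following each --setParameter flag on the defaults."""
    params = dict(DEFAULTS)
    it = iter(argv)
    for arg in it:
        if arg == "--setParameter":
            pair = next(it, "")
            name, sep, value = pair.partition("=")
            if not sep or not name:
                raise ValueError(f"malformed --setParameter value: {pair!r}")
            params[name] = value
    return params


def is_enabled(value):
    # Assumption: "false" and "0" both switch a boolean parameter off.
    return value.strip().lower() not in ("false", "0")


def audit(argv):
    """Return (errors, warnings); errors mirror conditions where the server would exit."""
    params = parse_set_parameters(argv)
    errors, warnings = [], []
    # Assumption: the list of mechanisms is comma-separated.
    mechs = [m.strip() for m in params["authenticationMechanisms"].split(",")]
    unknown = [m for m in mechs if m not in KNOWN_MECHANISMS]
    if unknown:
        errors.append("unknown mechanism(s): " + ", ".join(unknown))
    if is_enabled(params["enableLocalhostAuthBypass"]):
        warnings.append("localhost exception is enabled")
    if is_enabled(params["supportCompatibilityFormPrivilegeDocuments"]):
        warnings.append("compatibility-form privilege documents are accepted")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample: Kerberos only, but the two boolean defaults left untouched.
    print(audit(["--setParameter", "authenticationMechanisms=GSSAPI"]))
```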