[SERVER-7119] Add SASL config option(s) Created: 24/Sep/12  Updated: 02/Aug/18  Resolved: 26/Dec/12

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 2.3.2

Type: Task Priority: Major - P3
Reporter: Eric Milkie Assignee: Andy Schwerin
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by SERVER-7626 Provide configuration option to disab... Closed
Backwards Compatibility: Fully Compatible
Participants:

 Description   
  • enable mechanism choice
  • disable all auth

Supported by both mongod and mongos



 Comments   
Comment by Andy Schwerin [ 26/Dec/12 ]

The various --setParameter options must be documented.

They are, as of this comment,

--setParameter authenticationMechanisms=<comma-separated-list-of-strings>
--setParameter enableLocalhostAuthBypass=<Boolean>
--setParameter supportCompatibilityFormPrivilegeDocuments=<Boolean>

The default for authenticationMechanisms is MONGO-CR, which is the challenge-response (CR) algorithm supported in mongo 2.2 and prior. Other options are valid SASL mechanisms, and we officially support GSSAPI in 2.4, though CRAM-MD5 and DIGEST-MD5 are also enabled.

The default for enableLocalhostAuthBypass is true, and is the behavior from 2.2 and prior. To disable the "localhost exception", which allows localhost connections to bypass authentication if there are no users in the admin database, set it to false. This is recommended.

The default for supportCompatibilityFormPrivilegeDocuments is true, but users who want fine grain control of privilege should switch their users to the extended form and then we recommend they disable this by setting it false.

Comment by auto [ 26/Dec/12 ]

Author:

{u'date': u'2012-12-24T01:20:35Z', u'email': u'Andy Schwerin schwerin@10gen.com', u'name': u'Andrew Schwerin'}

Message: SERVER-7119 Make it possible to disable compatibility-form privilege documents via setParameter.
Branch: master
https://github.com/mongodb/mongo/commit/513470c4d1a2cef523f6423fdf57a550fa69cbc7

Comment by Andy Schwerin [ 05/Dec/12 ]

Use setParameter to specify supported authentication mechanisms in subscription product.

https://github.com/10gen/mongo-enterprise-modules/commit/28447a97525aad689f3ed8663e4aab09e0b097b3

Comment by auto [ 04/Dec/12 ]

Author:

{u'date': u'2012-12-04T18:14:05Z', u'email': u'schwerin@10gen.com', u'name': u'Andy Schwerin'}

Message: SERVER-7626 Provide a facility for disabling the mongo challenge-response commands in server source.

This patch provides a mechanism for disabling the "nonce" and "authenticate" commands at runtime. A
separate patch, in the subscription codebase, provides a startup parameter for choosing authentication
mechanisms to support.

Related to SERVER-7119.
Branch: master
https://github.com/mongodb/mongo/commit/55bb0f445ee535fd3091b6f0436f4e0ed5c9a19b

Comment by Andy Schwerin [ 03/Dec/12 ]

Plan is to use the setParameter mechanism extensions from SERVER-7778 to introduce an "authenticationMechanisms" parameter settable at the commandline (but not at runtime) and inspectable via getParameter, in the enterprise product.

authenticationMechanisms will be a list of strings, and the default will be to support only the mongo challenge-response protocol, MONGO-CR.

At the command line, a user wishing to support GSSAPI (kerberos) only would use the following:

--setParameter authenticationMechanisms=GSSAPI

To support that and Mongo challenge response, the user would list them both:

--setParameter authenticationMechanisms=GSSAPI,MONGO-CR

Similarly, in the config file:

setParameter=authenticationMechanisms=GSSAPI

Server will exit with a non-zero code in the event that authenticationMechanisms contains an unsupported or unknown mechanism.
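
The two comments above (the 26/Dec/12 summary of the three --setParameter options and the 03/Dec/12 plan for authenticationMechanisms) describe settings whose defaults favour backward compatibility over hardening. The following audit script is an added example, not code from MongoDB or from this ticket: it parses `setParameter=<name>=<value>` lines in the 2.x config-file style shown in the ticket, fills in the defaults the ticket states, flags the two settings the comment recommends disabling, and reports mechanism names outside the four the ticket mentions (the server itself refuses to start on an unknown mechanism). The config texts embedded below are constructed samples, and the mechanism name MONGO-RC is a deliberate typo to exercise that check.

```python
"""Audit mongod setParameter auth options as described in SERVER-7119.

Added example (not MongoDB's code). Assumes the 2.x config-file syntax
"setParameter=name=value" and the defaults quoted in the ticket comments.
"""

# Mechanism names mentioned in the ticket; anything else is reported as unknown.
KNOWN_MECHANISMS = {"MONGO-CR", "GSSAPI", "CRAM-MD5", "DIGEST-MD5"}

# Server defaults as stated in the ticket, applied when a config omits the parameter.
DEFAULTS = {
    "authenticationMechanisms": "MONGO-CR",
    "enableLocalhostAuthBypass": "true",
    "supportCompatibilityFormPrivilegeDocuments": "true",
}

# Constructed sample configs (not taken from any real deployment).
WEAK_CONFIG = """# constructed sample: relies on the defaults for everything auth-related
port = 27017
auth = true
"""

HARDENED_CONFIG = """# constructed sample: settings the ticket comment recommends
port = 27017
auth = true
setParameter=authenticationMechanisms=GSSAPI
setParameter=enableLocalhostAuthBypass=false
setParameter=supportCompatibilityFormPrivilegeDocuments=false
"""

TYPO_CONFIG = """# constructed sample: MONGO-RC is a typo of MONGO-CR
setParameter=authenticationMechanisms=GSSAPI,MONGO-RC
setParameter=enableLocalhostAuthBypass=false
setParameter=supportCompatibilityFormPrivilegeDocuments=false
"""


def parse_set_parameters(config_text):
    """Return a dict of setParameter values, starting from the ticket's defaults."""
    params = dict(DEFAULTS)
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line.startswith("setParameter"):
            continue
        # Accept "setParameter=name=value" and "setParameter = name=value".
        _, _, rest = line.partition("=")
        name, sep, value = rest.strip().partition("=")
        if not sep:
            continue  # malformed line, no "name=value" part
        params[name.strip()] = value.strip()
    return params


def as_bool(value):
    """Interpret a setParameter Boolean the way an operator would write it."""
    return value.strip().lower() in ("true", "1")


def audit(config_text):
    """Return a list of human-readable findings; an empty list means nothing to flag."""
    params = parse_set_parameters(config_text)
    findings = []

    mechs = [m.strip() for m in params["authenticationMechanisms"].split(",") if m.strip()]
    unknown = sorted(set(mechs) - KNOWN_MECHANISMS)
    if unknown:
        findings.append(
            "unknown mechanism(s) %s: mongod will exit with a non-zero code" % ",".join(unknown)
        )
    if as_bool(params["enableLocalhostAuthBypass"]):
        findings.append("localhost exception enabled; set enableLocalhostAuthBypass=false")
    if as_bool(params["supportCompatibilityFormPrivilegeDocuments"]):
        findings.append(
            "compatibility-form privilege documents accepted; migrate users to the "
            "extended form, then set supportCompatibilityFormPrivilegeDocuments=false"
        )
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("typo", TYPO_CONFIG)):
        print("%s config: %s" % (label, audit(text) or ["no findings"]))
```

Running the script reports two findings for the defaults-only config, none for the hardened one, and an unknown-mechanism finding for the typo, which is the case worth catching before a restart rather than after mongod refuses to come up.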
