[SERVER-76792] More granular reporting of AWS IAM authentication failures Created: 03/May/23  Updated: 21/Aug/23  Resolved: 21/Aug/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Alex Bevilacqua Assignee: Mark Benvenuto
Resolution: Won't Do Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to SERVER-62053 Add retry for errors in AWS server-si... Closed
Assigned Teams:
Server Security
Sprint: Security 2023-05-15, Security 2023-05-29, Security 2023-06-12, Security 2023-06-26, Security 2023-07-10, Security 2023-07-24, Security 2023-08-07, Security 2023-08-21, Security 2023-09-04
Participants:
Case:

 Description   

When using AWS IAM for external authentication, it is important to ensure that a mongod or mongos are capable of returning distinct error codes to the caller in the event of authentication failures (such as incorrect username or password), or transient authentication sub-system failure (such as AWS IAM not being available), as well as other potential causes.

Currently an AuthenticationFailed / code: 18 is returned regardless of the source of the IAM authentication failure, which can make it challenging for downstream consumers (using MongoDB Drivers) to differentiate these failures and action them differently.

Drivers must currently clear connection pools and mark servers as unusable when authentication fails as an error code of 18 can only be interpreted as credentials being invalid.

More granular error details (perhaps using errorLabels) would allow Drivers to action AWS IAM authentication failures differently - such as retrying authentication failures due to server-side timeouts instead of clearing the connection pools and forcing connections to be re-established.



 Comments   
Comment by Mark Benvenuto [ 21/Aug/23 ]

Closing this as won't do since IAM AWS Auth reliability was improved with other tickets. There is no plan to change the authentication protocol to add a new state around AWS availability that drivers need to handle. The server should ideally never return a auth error code that the client must retry.

Generated at Thu Feb 08 06:33:37 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.