[SERVER-76792] More granular reporting of AWS IAM authentication failures
Created: 03/May/23 Updated: 21/Aug/23 Resolved: 21/Aug/23

| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Alex Bevilacqua | Assignee: | Mark Benvenuto |
| Resolution: | Won't Do | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Assigned Teams: | Server Security |
| Sprint: | Security 2023-05-15, Security 2023-05-29, Security 2023-06-12, Security 2023-06-26, Security 2023-07-10, Security 2023-07-24, Security 2023-08-07, Security 2023-08-21, Security 2023-09-04 |
| Participants: | |
| Case: | (copied to CRM) |

| Description |

When using AWS IAM for external authentication, it is important to ensure that a mongod or mongos is capable of returning distinct error codes to the caller in the event of authentication failures (such as incorrect username or password), or transient authentication sub-system failure (such as AWS IAM not being available), as well as other potential causes. Currently an AuthenticationFailed / code: 18 is returned regardless of the source of the IAM authentication failure, which can make it challenging for downstream consumers (using MongoDB Drivers) to differentiate these failures and action them differently. Drivers must currently clear connection pools and mark servers as unusable when authentication fails, as an error code of 18 can only be interpreted as credentials being invalid. More granular error details (perhaps using errorLabels) would allow Drivers to action AWS IAM authentication failures differently - such as retrying authentication failures due to server-side timeouts instead of clearing the connection pools and forcing connections to be re-established.
| Comments |
| Comment by Mark Benvenuto [ 21/Aug/23 ] |
|
Closing this as won't do since IAM AWS Auth reliability was improved with other tickets. There is no plan to change the authentication protocol to add a new state around AWS availability that drivers need to handle. The server should ideally never return an auth error code that the client must retry.