[SERVER-9685] Support three authentication modes, change default to "disabled". Created: 14/May/13  Updated: 06/Dec/22  Resolved: 09/May/18

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Minor - P4
Reporter: Scott Hernandez (Inactive) Assignee: Backlog - Security Team
Resolution: Won't Fix Votes: 0
Labels: authentication, commands, platforms-re-triaged
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by DRIVERS-96 Check that auth is enabled before run... Closed
is depended on by SERVER-9895 Support rolling upgrade from no auth ... Closed
Assigned Teams:
Server Security
Operating System: ALL

Description

MongoDB currently supports two authentication modes. For lack of accepted terms, call them "mandatory" and "optional". In "mandatory" mode, operations perform access control checks, and these checks frequently require a logged-in user with specific assigned roles in order to succeed. In "optional" mode, no access control checks are performed, but users may still authenticate to the server if they care to. The "optional" mode is the default in 2.5.0 and prior.

This work item introduces an additional authentication mode, "disabled", in which authentication commands are not even available. Clients attempting authentication will receive error responses, unconditionally. This will be the new default mode, in order to make misconfigurations easier to detect. The "optional" mode will be preserved and as necessary enhanced to support rolling upgrades from "disabled" to "mandatory."

If a user exists but auth is not turned on, you currently don't get an error message; db.auth() succeeds even though no access control is being enforced:

> db.auth("scott", "foo")
Error: 18 { code: 18, ok: 0.0, errmsg: "auth fails" }
0
> db.addUser("scott", "foo")
{
	"user" : "scott",
	"readOnly" : false,
	"pwd" : "220567d3c24155e4b570a7de08911aad",
	"_id" : ObjectId("51928dc902eff8bcb5ae8638")
}
> db.auth("scott", "foo") // this should error.
1
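The misleading case above is that db.auth() returning 1 says nothing about whether access control is enforced. The following is an added example, not code from the ticket or from MongoDB itself: it classifies a server into the three modes described in the description from two probes made on an unauthenticated connection. It assumes that a server enforcing access control refuses an unauthenticated privileged command with an "unauthorized" error (error code 13 in MongoDB), that the legacy mongo shell's db.auth() returns 1/0 as in the session above, and the sample responses are constructed.

```javascript
// Added example, not part of the ticket. Classify a mongod's effective
// authentication mode from two probes on a connection that has NOT
// authenticated:
//   probe - result of a privileged command such as {listDatabases: 1}
//           run against the admin database
//   auth  - return value of db.auth(user, pwd) for a user that exists
//           (1 on success, 0 on failure, as in the legacy mongo shell)
// Assumption: a server with access control enabled answers the probe
// with ok: 0 and code 13 ("Unauthorized") or a "not authorized" errmsg.
function classifyAuthMode(probe, auth) {
  const refused =
    probe.ok === 0 &&
    (probe.code === 13 || /not authorized|unauthorized/i.test(probe.errmsg || ""));
  if (refused) {
    return "mandatory"; // access control checks are actually performed
  }
  // The privileged command succeeded without credentials, so nothing is
  // being enforced. If db.auth() still returned 1 this is the "optional"
  // mode the ticket calls misleading; if auth was refused outright it
  // matches the proposed "disabled" mode.
  return auth === 1 ? "optional" : "disabled";
}

// Constructed sample responses (not captured from a real server).
const REFUSED = {
  ok: 0,
  code: 13,
  errmsg: "not authorized on admin to execute command { listDatabases: 1 }",
};
const ALLOWED = { ok: 1, databases: [{ name: "admin" }, { name: "test" }] };

// Legacy mongo shell usage (skipped under node, where `db` is undefined).
// Run on a fresh connection before calling db.auth() for anything else.
if (typeof db !== "undefined") {
  const probe = db.getSiblingDB("admin").runCommand({ listDatabases: 1 });
  const auth = db.auth("scott", "foo"); // the user from the session above
  print("effective auth mode: " + classifyAuthMode(probe, auth));
}
```

The useful signal for an operator is the probe, not the auth result: only "mandatory" means a misconfigured or missing auth setting would have been caught.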

Comments
Comment by Bernie Hackett [ 24/Jul/13 ]

scotthernandez, this ticket is marked as "driver changes needed". It doesn't seem like the drivers have to do anything here. If auth is in "disabled" mode we just get authentication errors if we try to authenticate. The only problem I can think of is unit tests failing when auth is disabled.

Generated at Thu Feb 08 03:21:10 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.