<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 08:24:42 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[DRIVERS-2095] Implement GSSAPI ServiceHost support in all drivers</title>
                <link>https://jira.mongodb.org/browse/DRIVERS-2095</link>
                <project id="10980" key="DRIVERS">Drivers</project>
                    <description>&lt;p&gt;First, an explanation of what GSSAPI ServiceHost is.&lt;/p&gt;


&lt;p&gt;When connecting via Kerberos, a service ticket must be obtained from the Kerberos Ticket Granting Service in order to authenticate.&#160; The principal name of the service is required (along with the TGT - Ticket Granting Ticket) in order to obtain the service ticket. The service principal name consists of two parts: (1) The service name and (2) The service host.&#160; For example, for a mongod running on host example.com, the principal name would be &quot;mongodb/example.com&quot;.&lt;/p&gt;


&lt;p&gt;Usually, the service host can be determined from the hostname that the application is connecting to.&#160; However, there are cases in which an application may want to connect to &quot;localhost&quot;.&#160; This is required, for example, when creating the initial user, or in the case of LDAP Authorization, creating the initial role. This use case relies on the &lt;a href=&quot;https://docs.mongodb.com/manual/core/security-users/#localhost-exception&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;localhost exception&lt;/a&gt;, which as of MongoDB 3.4 &quot;allows users authorizing via LDAP to create a role inside of MongoDB that maps to a role defined in LDAP&quot;.&lt;/p&gt;


&lt;p&gt;When creating an initial user, service host is not required because there is no need to authenticate.&#160; No users exist yet!&#160; But it is in the case of LDAP Authorization that things get interesting.&lt;/p&gt;


&lt;p&gt;In an LDAP Authorization setup, no users actually exist in MongoDB.&#160; The users exist externally to MongoDB.&#160; For example, in a Kerberos + LDAP Authorization setup, the user would authenticate to MongoDB via Kerberos.&#160; LDAP is then used for authorization by asking the LDAP server which LDAP groups the user belongs to and then mapping those groups to custom roles in MongoDB which would then inherit built-in roles or privileges.&lt;/p&gt;


&lt;p&gt;When setting up an LDAP Authorization deployment, no custom roles exist yet for LDAP groups to map onto.&#160; Therefore, none of the users have privileges yet.&#160; MongoDB allows you to get round this by allowing you to create the initial custom role via the localhost exception.&#160; However, in order to do this, you MUST be authenticated as a user who belongs to an LDAP group that maps onto the initial role that you are creating.&lt;/p&gt;


&lt;p&gt;It is because you must both be authenticated and connected to localhost in order to create the initial role that ServiceHost support is required.&#160; By ServiceHost support, I mean that you can tell the driver to use a service host different than the hostname being connected to for the purposes of determining the service principal name.&#160; Without it, GSSAPI would be trying to use &quot;localhost&quot; as the service host which would lead to an incorrect service principal name (for example, &quot;mongodb/localhost&quot;).&lt;/p&gt;


&lt;p&gt;For an example of where this is implemented in the mgo driver see: &lt;a href=&quot;https://github.com/globalsign/mgo/blob/113d3961e7311526535a1ef7042196563d442761/session.go#L520&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/globalsign/mgo/blob/113d3961e7311526535a1ef7042196563d442761/session.go#L520&lt;/a&gt;&lt;/p&gt;


&lt;p&gt;There is already a ticket for this for our official Go driver:&#160;&lt;a href=&quot;https://jira.mongodb.org/browse/GODRIVER-698&quot; title=&quot;Support for GSSAPI &amp;quot;ServiceHost&amp;quot;&quot; class=&quot;issue-link&quot; data-issue-key=&quot;GODRIVER-698&quot;&gt;&lt;del&gt;GODRIVER-698&lt;/del&gt;&lt;/a&gt;&lt;/p&gt;</description>
                <environment></environment>
        <key id="704092">DRIVERS-2095</key>
            <summary>Implement GSSAPI ServiceHost support in all drivers</summary>
                <type id="14901" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14700&amp;avatarType=issuetype">Spec Change</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="10038" iconUrl="https://jira.mongodb.org/images/icons/subtask.gif" description="">Backlog</status>
                    <statusCategory id="2" key="new" colorName="default"/>
                                    <resolution id="-1">Unresolved</resolution>
                                        <assignee username="-1">Unassigned</assignee>
                                    <reporter username="tim.olsen@mongodb.com">Timothy Olsen</reporter>
                        <labels>
                    </labels>
                <created>Mon, 25 Feb 2019 18:31:56 +0000</created>
                <updated>Thu, 31 Mar 2022 14:03:06 +0000</updated>
                                                                <component>Authentication</component>
                                        <votes>1</votes>
                                    <watches>3</watches>
                                                                                                                    <issuelinks>
                            <issuelinktype id="10011">
                    <name>Depends</name>
                                            <outwardlinks description="depends on">
                                        <issuelink>
            <issuekey id="653390">GODRIVER-698</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="is depended on by">
                                                        </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                            <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                    <customfield id="customfield_10951" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Driver Changes</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10748"><![CDATA[Needed]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_23952" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Driver Compliance</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[<style type='text/css'>
         #scriptField, #scriptField *{
                border: 1px solid black;
            }

            #scriptField{
                border-collapse: collapse;
            }

            #scriptField td {
                text-align: center; /* Center-align text in table cells */
            }

            #scriptField td.key {
                text-align: left; /* Left-align text in the Key column */
            }

            #scriptField a {
                text-decoration: none; /* Remove underlines from links */
                border: none; /* Remove border from links */
            }
            
            /* Add green background color to cells with FixVersion */
            #scriptField td.hasFixVersion {
                background-color: #00FF00; /* Green color code */
            }

            /* Center-align the first row headers */
            #scriptField th {
                text-align: center;
            }
        </style>
<table id='scriptField'>
  <tr>
    <th>Key</th>
    <th>Status/Resolution</th>
    <th>FixVersion</th>
  </tr>
  <tr>
    <td class='key'>
      <a href='https://jira.mongodb.org/browse/GODRIVER-698'>GODRIVER-698</a>
    </td>
    <td>Fixed</td>
    <td class='hasFixVersion'>1.0.0-rc2</td>
  </tr>
</table>]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hr6kfj:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        </customfields>
    </item>
</channel>
</rss>