<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 09:00:43 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[JAVA-3896] Support authentication credential rotation</title>
                <link>https://jira.mongodb.org/browse/JAVA-3896</link>
                <project id="10006" key="JAVA">Java Driver</project>
                    <description>&lt;p&gt;The driver should provide support for rotating authentication credentials:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;The customer may opt to rotate a specific credential (a password, client keytab, or a re-issued client certificate - when your private key will be the old one or a new one and the certificate will always be updated), or both the username&#160;&lt;em&gt;and&lt;/em&gt;&#160;its credential&lt;/li&gt;
	&lt;li&gt;Drivers must support authentication hooks/override methods to handle custom logic. For example: when an external vault processes the password change, it will have a delay before the SCRAM / PLAIN password gets changed in the MongoDB Server / LDAP server. The customer-provided code will take care of this.&lt;/li&gt;
	&lt;li&gt;Once a MongoDB connection has gone through the authentication step, the driver no longer needs a credential. However, we must allow for customers to choose between the following two scenarios: a) drain the existing connections ASAP and create a bunch of new ones using a new credential; b) keep the existing connections as long as needed, potentially until the next restart of the MongoDB Server instance or until the application code decides to re-authenticate using them.&lt;/li&gt;
&lt;/ul&gt;
</description>
                <environment></environment>
        <key id="1550807">JAVA-3896</key>
            <summary>Support authentication credential rotation</summary>
                <type id="4" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14710&amp;avatarType=issuetype">Improvement</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="12300">Won&apos;t Do</resolution>
                                        <assignee username="-1">Unassigned</assignee>
                                    <reporter username="frank.derwin@mongodb.com">Frank Derwin</reporter>
                        <labels>
                            <label>rp-track</label>
                    </labels>
                <created>Tue, 24 Nov 2020 11:49:22 +0000</created>
                <updated>Wed, 21 Jun 2023 21:37:44 +0000</updated>
                            <resolved>Wed, 21 Jun 2023 19:39:59 +0000</resolved>
                                                                    <component>Security</component>
                                        <votes>3</votes>
                                    <watches>11</watches>
                                                                                                                <comments>
                            <comment id="5516861" author="jeff.yemin" created="Wed, 21 Jun 2023 21:37:44 +0000"  >&lt;p&gt;FYI, this was closed because we&apos;re converging on an OIDC-based solution to credential rotation.&lt;/p&gt;</comment>
                            <comment id="5516508" author="dbeng-pm-bot" created="Wed, 21 Jun 2023 19:40:02 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/browse/DRIVERS-1463&quot; title=&quot;Support authentication credential rotation&quot; class=&quot;issue-link&quot; data-issue-key=&quot;DRIVERS-1463&quot;&gt;&lt;del&gt;DRIVERS-1463&lt;/del&gt;&lt;/a&gt; has been closed as Won&apos;t Do, closing this ticket as the same. &lt;/p&gt;</comment>
                            <comment id="4766261" author="mpaluch@paluch.biz" created="Mon, 22 Aug 2022 08:00:50 +0000"  >&lt;p&gt;FWIW, a &lt;tt&gt;MongoCredentialProvider&lt;/tt&gt; providing &lt;tt&gt;MongoCredential&lt;/tt&gt; could be a neat approach to let a component produce a credentials object once the driver wants to authenticate with a server. A &lt;tt&gt;MongoCredentialProvider&lt;/tt&gt; could be e.g. implemented by Spring Cloud Vault to provide a backend that rotates credentials on the server side and provides the updated credentials to the application.&lt;/p&gt;</comment>
                            <comment id="3896202" author="JIRAUSER1260828" created="Thu, 24 Jun 2021 11:58:07 +0000"  >&lt;p&gt;This is also an issue for us. Compliance with&#160;ISO 27001 requires that we rotate our credentials, but there is no effective &quot;hook&quot; to allow those Java client connections that previously authenticated with old credentials to reauthenticate with the new credentials.&lt;/p&gt;

&lt;p&gt;Restarting the application is not acceptable, unfortunately (such as via pod restart, for example), so we need a way of gracefully continuing a connection without resorting to workarounds. Is there a way of extending the connection listener (or something similar) to trap authentication errors and allow reauthentication once the connection has been established (and then later experiences a failure)?&lt;/p&gt;

</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10620">
                    <name>Issue split</name>
                                                                <inwardlinks description="split from">
                                        <issuelink>
            <issuekey id="1556395">DRIVERS-1463</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                                        </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                    <customfield id="customfield_13552" key="com.go2group.jira.plugin.crm:crm_generic_field">
                        <customfieldname>Case</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[[5002K00000qeFk6QAE, 5006R00001tv7lPQAQ]]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hy4u3j:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            </customfields>
    </item>
</channel>
</rss>