<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 03:27:43 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-12143] Make some unauthenticated commands require auth</title>
                <link>https://jira.mongodb.org/browse/SERVER-12143</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;There are currently 19 commands that do not require authentication. Several of these commands have no use case before a successful authentication has been performed.&lt;/p&gt;

&lt;p&gt;To reduce the unauthenticated API surface without introducing any complexity into the auth system we should introduce commands that require authentication but not authorization.&lt;/p&gt;

&lt;p&gt;The following commands should only be runnable after a successful authentication (with any user, even a user with no roles):&lt;br/&gt;
availableQueryOptions, buildinfo, copydbgetnonce, features, forceerror, getoptime, isdbgrid, isMaster*, listCommands, logout, whatsmyuri&lt;/p&gt;

&lt;p&gt;*isMaster is used by several drivers before performing any authentication so this change will require driver adoption.&lt;/p&gt;

&lt;p&gt;The following commands should be kept as they are:&lt;br/&gt;
_isSelf, authenticate, connectionStatus, getLastError, getnonce, getPrevError, ping, resetError&lt;/p&gt;</description>
                <environment></environment>
        <key id="102936">SERVER-12143</key>
            <summary>Make some unauthenticated commands require auth</summary>
                <type id="4" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14710&amp;avatarType=issuetype">Improvement</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="2">Won&apos;t Fix</resolution>
                                        <assignee username="spencer.jackson@mongodb.com">Spencer Jackson</assignee>
                                    <reporter username="andreas.nilsson@ninetech.se">Andreas Nilsson</reporter>
                        <labels>
                            <label>26qa</label>
                            <label>platforms-re-triaged</label>
                            <label>security</label>
                    </labels>
                <created>Tue, 17 Dec 2013 19:11:19 +0000</created>
                <updated>Tue, 7 Feb 2023 15:31:02 +0000</updated>
                            <resolved>Thu, 25 Jul 2019 22:20:43 +0000</resolved>
                                    <version>2.5.4</version>
                                                    <component>Security</component>
                                        <votes>5</votes>
                                    <watches>29</watches>
                                                                                                                <comments>
                            <comment id="2344718" author="spencer.jackson@10gen.com" created="Thu, 25 Jul 2019 22:20:06 +0000"  >&lt;p&gt;I&apos;m closing this ticket out. As of 4.0, the Typed Command project prevents parsing for unannotated commands on unauthenticated connections. Commands such as but not limited to &lt;tt&gt;ping&lt;/tt&gt;, &lt;tt&gt;isMaster&lt;/tt&gt;, &lt;tt&gt;saslStart&lt;/tt&gt;, and &lt;tt&gt;saslContinue&lt;/tt&gt;, are annotated such that they may be invoked by unauthenticated clients. &lt;tt&gt;isMaster&lt;/tt&gt; is now sometimes a prerequisite for authentication when negotiating SASL mechanisms, and is used to negotiate wire protocol compression, and set client metadata.&lt;/p&gt;</comment>
                            <comment id="1847538" author="david.golden" created="Wed, 28 Mar 2018 09:43:34 +0000"  >&lt;p&gt;Now that &lt;tt&gt;isMaster&lt;/tt&gt; is used for SCRAM mechanism negotiation as of &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-32965&quot; title=&quot;Expose per-user SASL mechanism negotiation via isMaster&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-32965&quot;&gt;&lt;del&gt;SERVER-32965&lt;/del&gt;&lt;/a&gt;, isMaster must NOT require authentication and should be removed from the list of commands under consideration for this ticket.&lt;/p&gt;</comment>
                            <comment id="1738714" author="mosserp@wellsfargo.com" created="Thu, 30 Nov 2017 19:19:34 +0000"  >&lt;p&gt;Is anything happening in regard to this issue?  Any changes planned in upcoming releases?  Our preference would be that connections are rejected for any non-authenticated users, but it appears that that would be a major design shift, and, I&apos;m assuming, is not even open for consideration?&lt;/p&gt;</comment>
                            <comment id="560982" author="david.golden" created="Wed, 23 Apr 2014 22:44:41 +0000"  >&lt;p&gt;An idea: when unauthenticated, could we have isMaster return a subset of information that communicates server capabilities, but omits sensitive information (e.g. network topology)?&lt;/p&gt;</comment>
                            <comment id="560921" author="behackett" created="Wed, 23 Apr 2014 22:06:52 +0000"  >&lt;blockquote&gt;&lt;p&gt;*isMaster is used by several drivers before performing any authentication so this change will require driver adoption.&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-5479&quot; title=&quot;Arbiter in authenticated replica set should allow and require login/auth for admin-only operations&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-5479&quot;&gt;SERVER-5479&lt;/a&gt; will have to be fixed before this change can be made.&lt;/p&gt;</comment>
                            <comment id="485099" author="scotthernandez" created="Tue, 21 Jan 2014 19:53:10 +0000"  >&lt;p&gt;No, the commands have a return status/message. GLE is for (no-response) writes (update/insert/delete) not commands which are synchronous and return their errors.&lt;/p&gt;</comment>
                            <comment id="485098" author="andreas.nilsson@10gen.com" created="Tue, 21 Jan 2014 19:50:39 +0000"  >&lt;p&gt;Do you never have to do getLastError on the authenticate or getnonce calls?&lt;/p&gt;</comment>
                            <comment id="485094" author="scotthernandez" created="Tue, 21 Jan 2014 19:47:17 +0000"  >&lt;p&gt;Seems like connectionStatus, getLastError, getPrevError, ping, and resetError should all go into &quot;authenticated&quot; commands, not open list.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10011">
                    <name>Depends</name>
                                            <outwardlinks description="depends on">
                                        <issuelink>
            <issuekey id="76533">DRIVERS-90</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="35307">SERVER-5479</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="132860">SERVER-13698</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="is depended on by">
                                        <issuelink>
            <issuekey id="594181">DRIVERS-568</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10010">
                    <name>Duplicate</name>
                                                                <inwardlinks description="is duplicated by">
                                        <issuelink>
            <issuekey id="119815">SERVER-13166</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="158728">SERVER-15293</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                        <issuelink>
            <issuekey id="162873">SERVER-15588</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="35307">SERVER-5479</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="533442">SERVER-34653</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>8.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18555" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname># of Sprints</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1.0</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_13552" key="com.go2group.jira.plugin.crm:crm_generic_field">
                        <customfieldname>Case</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[[500A000000bz1ktIAA, 5002K00000dHFiFQAW, 5006R00001r7JbEQAU]]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Tue, 21 Jan 2014 19:47:17 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        4 years, 28 weeks, 6 days ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[<s><a href='https://jira.mongodb.org/browse/SERVER-13698'>SERVER-13698</a></s>, <s><a href='https://jira.mongodb.org/browse/DRIVERS-90'>DRIVERS-90</a></s>, <a href='https://jira.mongodb.org/browse/SERVER-5479'>SERVER-5479</a>]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            4 years, 28 weeks, 6 days ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_10000" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Old_Backport</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10000"><![CDATA[No]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>andreas.nilsson</customfieldvalue>
            <customfieldvalue>andreas.nilsson@ninetech.se</customfieldvalue>
            <customfieldvalue>bernie@mongodb.com</customfieldvalue>
            <customfieldvalue>david.golden@mongodb.com</customfieldvalue>
            <customfieldvalue>mosserp@wellsfargo.com</customfieldvalue>
            <customfieldvalue>scotthernandez</customfieldvalue>
            <customfieldvalue>spencer.jackson@mongodb.com</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hrm56f:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hr9eqf:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>3876</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_23361" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Requested By</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_10557" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="3107">Security 2019-07-29</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hs9xz3:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>