Loading...

XML

Word

Printable

JSON

Type: New Feature
Resolution: Done
Priority: Major - P3
Fix Version/s: None
Component/s: None
Labels:
None

Server Compat:
- 2.5

All CRUD on system.users is being replaced and enhanced with commands.

Note that these commands will all take a write concern as an extra field.

The point of this ticket is to ensure that a given driver's addUser / removeUser helpers work in a backward and forward compatible way. To do this your driver has to determine wether it has to use the new user manipulation commands or fall back to its existing code. Pseudo code looks something like this:

try
    userInfo = db.runCommand({'usersInfo': username})
catch error
    if error code == 59 or error code == Null
        <fallback to existing code for backward compatibility>
    else
        re-raise error

if userInfo["users"]
    <use new updateUser command>
else
    <use new createUser command>

Notes:

By default the server will salt and hash the password sent in createUser and updateUser, assuming the password was passed to it in plaintext. This can be controlled using the "digestPassword" option. By default drivers should salt and hash the password client side, passing the password digest to the server instead of the plaintext password. You must pass {digestPassword: false}
to the server when hashing the password client side.
All drivers with an addUser helper must continue to support the 2 and 3 parameter versions of that method. See NOTE below for more details.
Delegated authentication is gone in 2.5.x so any tests you have that make use of userSource should be skipped in >= 2.5.3.
All users must have roles in 2.5.x. To get the equivalent of a legacy super user for testing you want at least ['readWriteAnyDatabase', 'userAdminAnyDatabase', 'dbAdminAnyDatabase', 'clusterAdmin']
To remove all users from a database in 2.5.x use the command {"dropAllUsersFromDatabase": 1}

NOTE - Although createUser requires a "roles" field the addUser helper must continue to support the legacy 2 and 3 parameter forms, i.e.:

db.addUser('username', 'password')
# Read Only User
db.addUser('username', 'password', true)

Drivers will follow the shell implementation specified in ~~SERVER-10794~~. This requires some new built-in roles, specified in that ticket. Drivers should also warn when these forms are used, as specified in the server ticket.

depends on

SERVER-10794 For compatibility with old versions of the shell, db.addUser("user", "password") should create a super-user.

Closed

CSHARP-793 Manipulate user objects exclusively via commands

Closed

JAVA-909 Update user manipulation helpers to use new manipulation commands provided by the server.

Closed

CDRIVER-232 Manipulate user objects exclusively via commands

Closed

NODE-61 Manipulate user objects exclusively via commands

Closed

PYTHON-552 Manipulate user objects exclusively via commands (MongoDB 2.6)

Closed

RUBY-667 Manipulate user objects exclusively via commands

Closed

SERVER-6246 Manipulate user objects exclusively via commands

Closed

SERVER-10721 Add an error code for "no such cmd: <command name>"

Closed

SERVER-10855 Add a way to specify in createUser and updateUser commands whether the server should hash the password or the driver already has

Closed

SERVER-7727 Provide at least two extra free format fields to store user information

Closed

is related to

DRIVERS-149 Some MongoDB 2.6 driver releases may not be able to add users or create indexes with mongos versions before 2.4.0

Closed

PHPLIB-4 Create PHP library to provide helpers for administrative Mongo commands

Closed

related to

CDRIVER-326 add update_user helper to mongoc_database_t

Closed

(6 depends on, 2 is related to, 1 related to)

Assignee:: Barrie Segal

Reporter:: Barrie Segal

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: Jul 30 2013 06:23:04 PM UTC

Updated:: May 27 2022 01:34:23 AM UTC

Resolved:: Nov 11 2015 08:19:35 PM UTC

Details

Description

Attachments

Issue Links

Activity

People

Dates