Type: Improvement
Resolution: Won't Fix
Priority: Major - P3
None
Affects Version/s: 2.5.4
Component/s: Security
Security 2019-07-29
There are currently 19 commands that do not require authentication. Several of these commands have no use case before a successful authentication has been performed.
To reduce the unauthenticated API surface without introducing any complexity into the auth system, we should introduce commands that require authentication but not authorization.
The following commands should only be runnable after a successful authentication (with any user, even a user with no roles):
availableQueryOptions, buildinfo, copydbgetnonce, features, forceerror, getoptime, isdbgrid, isMaster*, listCommands, logout, whatsmyuri
*isMaster is used by several drivers before performing any authentication so this change will require driver adoption.
The following commands should be kept as they are:
_isSelf, authenticate, connectionStatus, getLastError, getnonce, getPrevError, ping, resetError
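
The three tiers proposed above, as an added sketch that is not part of the ticket and not MongoDB server code: it models the two command lists and replays a driver handshake to show why putting isMaster behind authentication requires driver changes. It assumes a server with authentication enabled; `Session`, `handshake`, `unauthenticated_surface`, `roleGatedCommand` and `someRole` are hypothetical names.

```python
# Added illustration: a toy model of the ticket's proposal, not MongoDB server code.
AUTH_ONLY = {  # ticket: runnable only after authentication, by any user (even with no roles)
    "availableQueryOptions", "buildinfo", "copydbgetnonce", "features", "forceerror",
    "getoptime", "isdbgrid", "isMaster", "listCommands", "logout", "whatsmyuri",
}
NO_AUTH = {  # ticket: kept as they are (no authentication required)
    "_isSelf", "authenticate", "connectionStatus", "getLastError",
    "getnonce", "getPrevError", "ping", "resetError",
}


class Session:
    """One client connection; proposed=True applies the ticket's policy."""

    def __init__(self, proposed):
        self.proposed, self.user, self.roles = proposed, None, set()

    def login(self, user, roles=()):
        # Assumption: credential verification succeeded; only the resulting state is modelled.
        self.user, self.roles = user, set(roles)

    def run(self, command, needs_role=None):
        """Return 'ok', 'unauthenticated' or 'unauthorized' for one command."""
        if command in NO_AUTH:
            return "ok"
        if command in AUTH_ONLY:
            # New tier: authentication is checked, roles are not.
            return "unauthenticated" if self.proposed and self.user is None else "ok"
        # Any other command needs authentication and authorization.
        if self.user is None:
            return "unauthenticated"
        return "ok" if needs_role in self.roles else "unauthorized"


def unauthenticated_surface(proposed):
    """Commands a client can run before authenticating."""
    return sorted(NO_AUTH if proposed else NO_AUTH | AUTH_ONLY)


def handshake(proposed, auth_first):
    """Replay a driver connect: isMaster and login in either order, then a role-gated command."""
    s = Session(proposed)
    if auth_first:
        s.login("app", {"someRole"})
    results = [s.run("isMaster")]
    if not auth_first:
        s.login("app", {"someRole"})
    results.append(s.run("roleGatedCommand", needs_role="someRole"))  # hypothetical names
    return results
```

Under the proposed policy a driver that sends isMaster first gets `unauthenticated` for that call, while one that authenticates first is unaffected, which is the driver adoption the footnote refers to.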
depends on:
- DRIVERS-90 drivers must authenticate before calling isMaster() (Closed)
- SERVER-5479 Arbiter in authenticated replica set should allow and require login/auth for admin-only operations (Backlog)
- SERVER-13698 Add roles and privileges to connectionStatus output (Closed)

is depended on by:
- DRIVERS-568 Make some unauthenticated commands require auth (Closed)

is duplicated by:
- SERVER-13166 Enabled authentication still allows remote login without username (Closed)
- SERVER-15293 Anonymous connections are allowed even when auth is enabled (Closed)

is related to:
- SERVER-5479 Arbiter in authenticated replica set should allow and require login/auth for admin-only operations (Backlog)
- SERVER-34653 don't even parse requiresAuth commands unless client is authenticated (Closed)

related to:
- SERVER-15588 An arbiter should return an empty list of supported SASL mechanisms (Backlog)