- Type: Bug
- Resolution: Won't Fix
- Priority: Minor - P4
- None
- Affects Version/s: None
- Component/s: Security
- Server Security
- ALL
MongoDB currently supports two authentication modes. For lack of accepted terms, call them "mandatory" and "optional". In "mandatory" mode, operations perform access control checks, and these checks frequently require a logged in user with specific assigned roles in order to succeed. In "optional" mode, no access control checks are performed, but users may still authenticate to the server, if they care to. The "optional" mode is the default in 2.5.0 and prior.
This work item introduces an additional authentication mode, "disabled", in which authentication commands are not even available: clients attempting authentication will receive error responses, unconditionally. This will be the new default mode, in order to make misconfigurations easier to detect. The "optional" mode will be preserved and enhanced as necessary to support rolling upgrades from "disabled" to "mandatory".
If a user exists but auth is not turned on, you currently don't get an error message:

> db.auth("scott", "foo")
Error: 18 { code: 18, ok: 0.0, errmsg: "auth fails" }
0
> db.addUser("scott", "foo")
{
	"user" : "scott",
	"readOnly" : false,
	"pwd" : "220567d3c24155e4b570a7de08911aad",
	"_id" : ObjectId("51928dc902eff8bcb5ae8638")
}
> db.auth("scott", "foo")   // this should error.
1
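The shell session above shows why a successful db.auth() is not evidence that access control is on. The following is an added example, not code from the ticket or from MongoDB: a toy stand-in for mongod that models only the three modes described above, plus the check a client should actually make (whether an unauthenticated session is refused a privileged command). Error codes 18 ("auth fails") and 13 ("Unauthorized") are real MongoDB codes; user names, passwords and messages are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

AUTH_FAILED = 18    # code seen in the ticket's shell session
UNAUTHORIZED = 13   # code mongod returns when an access control check fails


@dataclass
class Reply:
    ok: int
    code: int = 0
    errmsg: str = ""


@dataclass
class SimServer:
    """Toy model of mongod; only the behaviour discussed in the ticket."""
    mode: str                                            # "disabled" | "optional" | "mandatory"
    users: Dict[str, str] = field(default_factory=dict)  # user -> password (constructed store)

    def auth(self, user: str, pwd: str) -> Reply:
        if self.mode == "disabled":          # auth commands unavailable: always an error
            return Reply(0, AUTH_FAILED, "authentication disabled")
        if self.users.get(user) == pwd:      # "optional" and "mandatory" both log users in
            return Reply(1)
        return Reply(0, AUTH_FAILED, "auth fails")

    def privileged_command(self, authenticated_as: Optional[str]) -> Reply:
        # Only "mandatory" performs access control checks.
        if self.mode == "mandatory" and authenticated_as is None:
            return Reply(0, UNAUTHORIZED, "not authorized")
        return Reply(1)


def access_control_enforced(server: SimServer) -> bool:
    """The check that matters: is an unauthenticated session refused a
    privileged command? Against a real server this would be a command such
    as listDatabases issued over a connection with no credentials."""
    reply = server.privileged_command(authenticated_as=None)
    return reply.ok == 0 and reply.code == UNAUTHORIZED


def silently_misconfigured(server: SimServer, user: str, pwd: str) -> bool:
    """The situation the ticket reports: login appears to succeed, yet nothing
    is enforced. A "disabled" server never lands here because auth() errors
    out, which is why it makes a safer default."""
    return server.auth(user, pwd).ok == 1 and not access_control_enforced(server)
```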
- is depended on by:
  - DRIVERS-96 Check that auth is enabled before running authentication tests (Closed)
  - SERVER-9895 Support rolling upgrade from no auth to keyfile or x.509 certificates. (Closed)