Core Server / SERVER-9685

Support three authentication modes, change default to "disabled".

    • Server Security
    • ALL

      MongoDB currently supports two authentication modes. For lack of accepted terms, call them "mandatory" and "optional". In "mandatory" mode, operations perform access control checks, and these checks frequently require a logged in user with specific assigned roles in order to succeed. In "optional" mode, no access control checks are performed, but users may still authenticate to the server, if they care to. The "optional" mode is the default in 2.5.0 and prior.

      This work item introduces an additional authentication mode, "disabled", in which authentication commands are not even available. Clients attempting authentication will receive error responses, unconditionally. This will be the new default mode, in order to make misconfigurations easier to detect. The "optional" mode will be preserved and as necessary enhanced to support rolling upgrades from "disabled" to "mandatory."

      If a user exists but auth is not turned on, you currently don't get an error message:

      > db.auth("scott", "foo")
      Error: 18 { code: 18, ok: 0.0, errmsg: "auth fails" }
      0
      > db.addUser("scott", "foo")
      {
      	"user" : "scott",
      	"readOnly" : false,
      	"pwd" : "220567d3c24155e4b570a7de08911aad",
      	"_id" : ObjectId("51928dc902eff8bcb5ae8638")
      }
      > db.auth("scott", "foo") // this should error.
      1
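The shell session above is the motivating case: in the "optional" mode, `db.auth()` succeeds against an existing user even though no access control is in force, so a misconfiguration goes unnoticed. The following is an added toy model of the three modes described in this ticket, written to illustrate the behaviour, not MongoDB's own code; the `AuthMode` enum, `Server` class, `scenario()` helper, the sample user store and the "authentication is disabled" error text are all constructed for the example.

```python
"""Toy model of the three authentication modes described in SERVER-9685:
"disabled", "optional" and "mandatory". Added illustration, not MongoDB code;
class names, error messages and the user store are constructed."""
import hashlib
import hmac
from enum import Enum


class AuthMode(Enum):
    DISABLED = "disabled"    # proposed new default: auth commands are not available
    OPTIONAL = "optional"    # pre-2.5.0 default: auth allowed, no access control checks
    MANDATORY = "mandatory"  # access control enforced; operations need a user with roles


def _digest(pwd):
    # Constructed stand-in for the stored credential; not MongoDB's real scheme.
    return hashlib.sha256(pwd.encode()).hexdigest()


class Server:
    def __init__(self, mode, users=None):
        self.mode = mode
        # username -> (credential digest, set of roles); constructed sample data
        self.users = {u: (_digest(p), set(r)) for u, (p, r) in (users or {}).items()}

    def auth(self, session, user, pwd):
        """Model of db.auth(): returns 1 on success, 0 on failure, like the shell."""
        if self.mode is AuthMode.DISABLED:
            # Unconditional error: the command is unavailable even if the user exists.
            session["error"] = "authentication is disabled on this server"  # constructed text
            return 0
        stored = self.users.get(user)
        if stored is None or not hmac.compare_digest(stored[0], _digest(pwd)):
            session["error"] = "auth fails"  # message as shown in the shell session above
            return 0
        session["user"] = user
        session.pop("error", None)
        return 1

    def run(self, session, op, needs_role):
        """Model of an operation that, under access control, requires `needs_role`."""
        if self.mode is not AuthMode.MANDATORY:
            return f"{op}: ok (no access control check in {self.mode.value} mode)"
        user = session.get("user")
        if user is None:
            return f"{op}: unauthorized (not logged in)"
        if needs_role not in self.users[user][1]:
            return f"{op}: unauthorized (missing role {needs_role})"
        return f"{op}: ok"


def scenario(mode):
    """Replays the ticket's situation (user exists, then db.auth) in the given mode."""
    server = Server(mode, users={"scott": ("foo", ["readWrite"])})
    session = {}
    return {
        "auth": server.auth(session, "scott", "foo"),
        "error": session.get("error"),
        "write": server.run(session, "insert", "readWrite"),
        "drop": server.run(session, "dropDatabase", "dbAdmin"),
    }


if __name__ == "__main__":
    for mode in AuthMode:
        print(mode.value, scenario(mode))
```

Running the module prints one line per mode: "optional" reproduces the silent `1` from the session above, "disabled" turns that same call into an error regardless of whether the user exists, and "mandatory" is the only mode in which the role check on `dropDatabase` actually rejects the request. Walking a server through disabled, then optional, then mandatory is the rolling-upgrade path the ticket describes: clients can start authenticating in "optional" mode before access checks are switched on.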
      

Assignee: backlog-server-security [DO NOT USE] Backlog - Security Team
Reporter: scotthernandez Scott Hernandez (Inactive)