author | Spencer Jackson <spencer.jackson@mongodb.com> | 2021-05-04 17:52:33 -0400 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2021-05-14 19:08:20 +0000 |
commit | c51f7e9c15db0e4c508d8856a495ad278135a07d (patch) | |
tree | 70d1070f2f6509b90a29067d4948f944b27bea4b /src/mongo/db/auth | |
parent | 47d99621851c0cd8da8d0628edeaa2f59bff6e14 (diff) | |
download | mongo-c51f7e9c15db0e4c508d8856a495ad278135a07d.tar.gz |
SERVER-54781 Describe multiple authentication in architecture guide
Diffstat (limited to 'src/mongo/db/auth')
-rw-r--r-- | src/mongo/db/auth/README.md | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/src/mongo/db/auth/README.md b/src/mongo/db/auth/README.md index 6f1eb191269..f98840bdc4f 100644 --- a/src/mongo/db/auth/README.md +++ b/src/mongo/db/auth/README.md @@ -294,6 +294,22 @@ execute commands. [Here](https://github.com/mongodb/mongo/blob/r4.4.0/src/mongo/db/auth/authorization_session_impl.cpp#L126) is the authorization session calling into the authorization manager to acquire a user. +Clients are expected to authenticate at most one time on a connection, and a +client which opts into API Version 1 will receive an error if it attempts to +authenticate more than once. However, legacy clients which have not opted into +an API Version may authenticate multiple times. If a legacy client +authenticates as UserA on a database and then authenticates as UserB on the +same database, its AuthorizationSession will implicitly logout UserA and +replace its cached User object with that of UserB. Alternatively, if a legacy +client authenticates as UserA on one database and then authenticates as UserB +on a second database, its AuthorizationSession will store User objects for both +UserA and UserB, and will consider itself authorized for the union of the two +users' privileges. Because modern drivers no longer allow applications to +authenticate with multiple user identities, this behavior in +AuthorizationSession is deprecated, and support for it will eventually be +removed. + + ### User `User` objects contain authorization information with regards to a specific user in a database. The |
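Review bot: the new paragraph describes the implicit-logout and union-of-privileges behaviour of AuthorizationSession in prose only, while the sentence just above it links to the relevant code ("[Here](https://github.com/mongodb/mongo/blob/r4.4.0/src/mongo/db/auth/authorization_session_impl.cpp#L126) is the authorization session calling into the authorization manager to acquire a user"); a matching permalink to where AuthorizationSession replaces or accumulates User objects on a second authentication would let a reader verify the described behaviour, and is also the natural place to point at when this deprecated path is removed. Two details the text leaves open would also help: which error an API Version 1 client receives on the second authentication attempt, and whether that failed attempt leaves the session authenticated as the first user or logs it out. Finally, the two added blank lines after "+removed." appear to leave a doubled blank before "### User"; one is enough.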