[Feature Request] SCRAM functions are in the internal schema #46

Open
AlekSi opened this issue Jan 31, 2025 · 3 comments

AlekSi (Contributor) commented Jan 31, 2025

Purpose of the feature.

FerretDB uses the following functions for authentication:

  • documentdb_api_internal.scram_sha256_get_salt_and_iterations
  • documentdb_api_internal.authenticate_with_scram_sha256

They are in the internal schema. They probably should be in the documentdb_api.

Describe the solution you'd like

Those functions are in the non-internal schema, documented and supported.

Describe alternatives you've considered

Continue using internal schema.

Additional context

None.

@AlekSi AlekSi added the enhancement New feature or request label Jan 31, 2025

safern (Member) commented Jan 31, 2025

Hello @AlekSi -- these are utility functions that probably shouldn't even have landed on the internal schema nor the public one. At the end this is more of a wire protocol problem rather than the extension's functionality as PG provides auth already.

However, we could have a formal proposal with the benefits of it vs implementing your own wire protocol auth and discuss further here, but we are still not convinced this should be public and broadly used/maintained by us for customers to do their auth.

Would you mind expanding on why FerretDB needs to use these APIs, the motivation behind it and examples?

FYI: @visridha

safern (Member) commented Jan 31, 2025

@AlekSi we're debating that this might not belong in documentdb schema itself but instead in a separate utility schema or even a separate utility extension for gateways that implement the wire protocol.

We will review this; still figuring out how to do public reviews.

AlekSi (Contributor, Author) commented Feb 1, 2025

I would like to point out that the blog post explicitly mentions

> A fully functional authentication mechanism including SCRAM (Salted Challenge Response Authentication Mechanism) authentication

As for whether it should be in DocumentDB at all… We implemented all possible versions of that during v1 development. First, we relied on PostgreSQL only, but it had a limitation of supporting the PLAIN mechanism only, passing a password in the plaintext (and that's not very well supported by MongoDB drivers). Then we added experimental support for SCRAM by handling authentication ourselves, but having two sets of credentials (in FerretDB and PostgreSQL) is very confusing, and also makes it impossible to support authorization down the road. Having SCRAM hooks in the extension really helps us.
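
Why two hooks of this kind let a gateway speak SCRAM-SHA-256 (RFC 5802/7677) without keeping its own credentials, as an added example that is not FerretDB or DocumentDB code: one call returns salt and iterations for the server-first message, the other checks the client proof against the StoredKey. `CredentialStore`, its methods, `client_proof`, `demo` and the nonces are hypothetical names and constructed values, not the signatures of the `documentdb_api_internal` functions; SASLprep is skipped, so ASCII passwords are assumed.

```python
import base64, hashlib, hmac, os

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class CredentialStore:
    """Hypothetical database side: keeps salt, iterations, StoredKey, ServerKey only."""
    def __init__(self):
        self._users = {}

    def create_user(self, user, password, iterations=4096):
        salt = os.urandom(16)
        salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
        stored_key = hashlib.sha256(_hmac(salted, b"Client Key")).digest()
        self._users[user] = (salt, iterations, stored_key, _hmac(salted, b"Server Key"))

    def get_salt_and_iterations(self, user):
        # Step 1: everything the gateway needs to build the server-first message.
        salt, iterations, _, _ = self._users[user]
        return base64.b64encode(salt).decode(), iterations

    def authenticate(self, user, auth_message, client_proof_b64):
        # Step 2: recover ClientKey from the proof and compare H(ClientKey) to StoredKey.
        _, _, stored_key, server_key = self._users[user]
        client_sig = _hmac(stored_key, auth_message.encode())
        client_key = _xor(base64.b64decode(client_proof_b64), client_sig)
        if not hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key):
            return None
        # ServerSignature goes back to the driver so it can authenticate the server.
        return base64.b64encode(_hmac(server_key, auth_message.encode())).decode()

def client_proof(password, salt_b64, iterations, auth_message):
    """What a driver computes; present only to exercise the store."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), base64.b64decode(salt_b64), iterations)
    client_key = _hmac(salted, b"Client Key")
    sig = _hmac(hashlib.sha256(client_key).digest(), auth_message.encode())
    return base64.b64encode(_xor(client_key, sig)).decode()

def demo(password_attempt):
    """Gateway flow with constructed nonces: relay salt/iterations, then relay the proof."""
    store = CredentialStore()
    store.create_user("user", "pencil")
    salt_b64, iters = store.get_salt_and_iterations("user")
    cnonce, snonce = "clientnonce", "clientnonceservernonce"  # random in practice
    auth_message = f"n=user,r={cnonce},r={snonce},s={salt_b64},i={iters},c=biws,r={snonce}"
    proof = client_proof(password_attempt, salt_b64, iters, auth_message)
    return store.authenticate("user", auth_message, proof)
```

The gateway in `demo` only moves strings between driver and store; it never sees the password, the StoredKey or the ServerKey.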
