New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for the authentication source parameter #34

rspeed opened this Issue Dec 12, 2013 · 5 comments


None yet
4 participants
Copy link

rspeed commented Dec 12, 2013

To prevent the duplication of authentication data across databases, MongoDB has two mechanisms to delegate authentication to a specific separate database. Both use a specific key in the system.users collection, but act in the opposite direction. The first method is the otherDBRoles key in the admin database. The value names both the table that receives authentication and the roles assigned to the user. The other method is the userSource key, which goes in any database and simply refers to another database with the same user.

For both methods, when the client authenticates, it has to do so against the other database – admin for the first method, the named DB in the other. To accomplish this in PyMongo, a source parameter is included when calling MongoDB.authenticate.

Adding support for this feature should be fairly straightforward. IT requires the addition of a new config value with a name like PREFIX_SOURCE, as well as parsing the authSource URI parameter. That value is then passed to the authentication method, and that's all there is to it.


This comment has been minimized.

Copy link
Contributor Author

rspeed commented Dec 13, 2013

Steps to verify and test:

  1. Have a MongoDB server set up with at least two databases and auth enabled in its configuration.
  2. In database A create a user and assign normal privileges.
  3. In database B create a user with the same username but set userSource instead of pwd, and assign some normal privileges.
  4. In an application using flash-pymongo, configure it to attempt to connect to database A using the username and password. Verify that it works.
  5. Reconfigure the application to connect to database B instead. Verify that it fails.
  6. Add MONGO_AUTH_SOURCE setting to the application, with A as its value. Verify that it works.
  7. Reconfigure the application to use MONGO_URI for database B. Verify that it works.

Similar steps may also be taken to verify that otherDBRoles functions, though the mechanism should be identical.


This comment has been minimized.

Copy link

blade2005 commented Feb 10, 2017

@rspeed did you ever come up with a way around this? Obviously this wasn't implemented and seeing as how it's been open for over 3 years at this point I doubt it will be.


This comment has been minimized.

Copy link
Contributor Author

rspeed commented Feb 11, 2017

Nah, I don't even remember what I was using this for.


This comment has been minimized.

Copy link

tcco commented Feb 14, 2017

Quite unfortunate this is not an added feature. Here is the workaround.

Order of operations:
Instantiate flask_pymongo.PyMongo, lets call the var mongo
Call mongo.init_app(application, config_prefix=application.config['MONGO_CONFIG_PREFIX'])
Under app_context, run mongo.db.authenticate(user, pwd, source='source_db')

Not ideal, would appreciate a cleaner solution.


This comment has been minimized.

Copy link

dcrosta commented May 22, 2017

#88 fixed this, and will be released as part of the upcoming 0.5.0 release.

@dcrosta dcrosta closed this May 22, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment