Security¶
The Rust server implements the same authentication, authorization, and transport-security surface as the Python server — the same user records on disk, the same commands, the same driver-facing behaviour. This page is the Rust-server operational summary; the concept-level documentation lives in the main tree’s Authentication page and applies verbatim.
Authentication¶
SCRAM-SHA-256 (MongoDB’s default since 4.0) and SCRAM-SHA-1 (per-user opt-in via the
mechanismsarray).MONGODB-X509 — certificate-subject-DN-as-username over mTLS, via the standard
authenticatecommand path every driver uses.
Auth is off by default. Flip it on with --auth (daemon) or
require_auth=True (embedded handle); only the handshake and the SCRAM
exchange then run unauthenticated, everything else returns Unauthorized
(code 13) until the connection authenticates.
User management is the standard command set: createUser / updateUser /
dropUser / dropAllUsersFromDatabase / usersInfo. User records persist
in storage, so the bootstrap pattern is: start without --auth, provision
users, restart with --auth on the same --storage-path.
TLS and mTLS¶
Transport security is rustls-based:
secantusd-rs \
--tls-cert-file /etc/letsencrypt/live/db.example.com/fullchain.pem \
--tls-key-file /etc/letsencrypt/live/db.example.com/privkey.pem \
--tls-ca-file /etc/ssl/client-ca.crt \
--tls-require-client-cert
cert-file+key-filewrap every accepted socket in TLS before the wire protocol starts. Clients connect with?tls=true&tlsCAFile=<ca>.ca-fileturns on client-certificate verification (mTLS). Without--tls-require-client-cert, a presented cert is verified but clients without one are still accepted (useful for staged rollouts); with it, certificate-less clients are rejected.The verified client-cert subject DN feeds MONGODB-X509 authentication.
The same settings are available in the [tls] section of
secantusd.toml and as RustServer(...) constructor arguments.
Out of scope¶
Same non-goals as the Python server: LDAP, Kerberos/GSSAPI, PLAIN, MONGODB-AWS, MONGODB-OIDC, and keyfile cluster auth (no cluster).