Key file and client authentication

Why does keyfile authentication implicitly enable client authentication?

Keyfile authentication is one of two internal authentication mechanisms (i.e. internal authentication between nodes) that implicitly enables client authorisation. I suppose it does this because users will need to be authorised to access resources within the replica set.

What I’ve found however is that, if you leave out the security.authorization: enabled option (an option that explicitly enables client authorisation), you can still make a connection to any of the nodes without a username/password and be able to run rs.isMaster(). It’s either a bug or by design (which to me is “insecure”).

I tested this out on 3.2, 3.6 and 4.0… so it’s best to be explicit.
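As an added illustration (not from the original post), here are two mongod configuration fragments: the first relies on the keyfile alone to turn on client authorisation implicitly, the second states it explicitly as the post recommends. The keyfile path and replica set name are placeholders.

```yaml
# Added example, not from the original post. Paths and names are placeholders.

# Variant A: keyfile only. Client authorisation is enabled implicitly, which
# a config reviewer or a linting tool cannot see without knowing this rule.
security:
  keyFile: /etc/mongodb/keyfile   # placeholder path; mode 400, owned by the mongod user
replication:
  replSetName: rs0                # placeholder replica set name
---
# Variant B: the same keyfile, with client authorisation stated outright so
# the intent is visible in the file and survives a future change to keyFile.
security:
  keyFile: /etc/mongodb/keyfile
  authorization: enabled
replication:
  replSetName: rs0
```

After restarting with variant B, a quick check is to connect without credentials and run a command that needs a role, such as listDatabases, which should fail with an Unauthorized error. isMaster is expected to keep answering either way, since it is the command drivers send during the connection handshake before authenticating.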