COMPASS-6787

Add test: Make X.509 Parameters Configurable for Intra-node Auth and Client-to-node Auth


Details

    • Type: Investigation
    • Resolution: Won't Fix
    • Priority: Major - P3

    Description

      Original Downstream Change Summary

      This project will allow customers to configure X.509 cluster membership parameters.

      Currently, the only way to differentiate a client certificate from a server certificate is through a different set of values for the subject name attributes O, OU and DC. This project will make the set of attributes used for that distinction configurable.

      Description of Linked Ticket

      Epic Summary

      Summary

      Nodes in a cluster must perform privileged operations on their peers. When auth is enabled, they need to authenticate to each other to perform these operations. If administrators enable TLS and set the setParameter clusterAuthMode to x509, nodes authenticate to their peers using their X.509 certificates. When clients also authenticate using X.509, the server has to decide whether a presented certificate belongs to a regular user (with privileges defined in admin.system.users) or to a highly privileged peer. Currently, the only way to tell a client certificate from a server certificate is a different set of values for the subject attributes O, OU and DC. Customers find this restrictive. This project will allow customers to specify additional X.509 attributes whose values differ between client and server certificates.
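      The membership decision described above, as an added example that is not code from the ticket or from the MongoDB server: a peer is treated as a cluster member only when the O, OU and DC attributes of its certificate subject exactly match those of the server's own certificate. The set of attributes is a parameter so the same code also shows the configurable behaviour the ticket asks for; the extra "title" attribute and all DN strings are constructed sample values, not a real server setting.

```python
"""Added example: cluster-membership check on X.509 subject DNs.
Default rule: peer O, OU and DC must all equal the server's own; any
difference means the peer is an ordinary client."""
from collections import Counter
import re

DEFAULT_MEMBERSHIP_ATTRS = ("O", "OU", "DC")
# Constructed extension for illustration: also require a matching "title" RDN.
EXTENDED_MEMBERSHIP_ATTRS = ("O", "OU", "DC", "TITLE")

# Constructed sample subjects (not from the ticket).
SERVER_DN = "CN=node1.example.net,title=cluster,OU=Cluster,O=Example Corp,DC=example,DC=net"
PEER_DN = "CN=node2.example.net,title=cluster,OU=Cluster,O=Example Corp,DC=example,DC=net"
CLIENT_DN = "CN=alice,OU=Users,O=Example Corp,DC=example,DC=net"
# A user certificate issued with the *same* O/OU/DC as the nodes: this is
# exactly the case the ticket calls restrictive, since it cannot be told apart.
SAME_OU_CLIENT_DN = "CN=alice,OU=Cluster,O=Example Corp,DC=example,DC=net"


def parse_dn(dn):
    """Parse an RFC 4514-style DN string into (ATTR, value) pairs.
    Backslash-escaped commas inside values are honoured; multi-valued RDNs
    (a=x+b=y) are not needed for this example."""
    pairs = []
    for part in re.split(r'(?<!\\),', dn):
        attr, _, value = part.strip().partition("=")
        pairs.append((attr.strip().upper(), value.replace("\\,", ",").strip()))
    return pairs


def membership_profile(dn, attrs=DEFAULT_MEMBERSHIP_ATTRS):
    """Multiset of the subject attributes that decide cluster membership.
    A Counter is used so repeated DC components must match in count too."""
    return Counter((a, v) for a, v in parse_dn(dn) if a in attrs)


def is_cluster_member(server_dn, peer_dn, attrs=DEFAULT_MEMBERSHIP_ATTRS):
    """True if the peer's membership attributes equal the server's exactly."""
    return membership_profile(server_dn, attrs) == membership_profile(peer_dn, attrs)


if __name__ == "__main__":
    for name, dn in (("peer", PEER_DN), ("client", CLIENT_DN), ("same-OU client", SAME_OU_CLIENT_DN)):
        print(f"{name:15s} default={is_cluster_member(SERVER_DN, dn)} "
              f"extended={is_cluster_member(SERVER_DN, dn, EXTENDED_MEMBERSHIP_ATTRS)}")
```

With the default attribute set the same-OU client is indistinguishable from a node; adding an attribute that only node certificates carry restores the distinction without touching O, OU or DC.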

      Motivation

      Large self-managed customers have CAs managed by a separate team, and it is not possible for them to ensure a different set of values for O, OU and DC without significant

      Docs Update


          People

            Assignee: Unassigned
            Reporter: Le Roux Bodenstein (leroux.bodenstein@mongodb.com)
