  1. Documentation
  2. DOCS-13117

X.509 auth page does not state that a user with credentials may be required

      Description

      I attempted to follow the instructions in https://docs.mongodb.com/manual/tutorial/configure-x509-client-authentication/ to configure x.509 authentication. This was on a brand new deployment created with mlaunch which had no existing users. My idea was to create the first and only user with x.509 authentication.

      However, when attempting to create the user (or run other administrative commands), the server always replied with an "unauthorized" error even though I have not enabled auth.

      Investigating this, I believe the following occurred:

      Therefore it is my impression that in order to create an x.509 user, when the deployment uses member authentication, one must already have another user with credentials (stored in admin database) created. This is not mentioned in https://docs.mongodb.com/manual/tutorial/configure-x509-client-authentication/.

      Scope of changes

      • Re-validate x.509 tutorial and confirm additional step required in 4.2, 4.0, 3.6
      • Check w/ security if there are additional workarounds here
      • Document and backport

      Impact to Other Docs

      Given that LDAP users are also created on $external I can only assume this issue also applies there. LDAP is a bit of a beast, so if this behavior is intentional and generally true we may need to open up additional tickets to fix this.

      MVP (Work and Date)

      Resources (Scope or Design Docs, Invision, etc.)

            Assignee:
            emet.ozar@mongodb.com Emet Ozar
            Reporter:
            oleg.pudeyev@mongodb.com Oleg Pudeyev (Inactive)
            Votes:
            0
            Watchers:
            8

              Created:
              Updated:
              Resolved:
              1 year, 24 weeks, 4 days ago