SERVER-11025 (Core Server)

Adding a user with x509 certificate = server certificate appears to work


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: 2.5.2
    • Fix Version/s: 2.5.4
    • Component/s: Security
    • Operating System: ALL
    • Steps To Reproduce:

      1. For each node in the replica set, I set up sslClusterFile and sslPEMKeyFile to be "server.pem":

      mongod --replSet testReplSet --sslOnNormalPorts --sslClusterFile jstests/libs/server.pem --clusterAuthMode x509 --sslPEMKeyFile jstests/libs/server.pem --sslCRLFile jstests/libs/crl_client_revoked.pem --sslCAFile jstests/libs/ca.pem --auth

      2. I connect with mongo using the same certificate:

      mongo --ssl --sslPEMKeyFile jstests/libs/server.pem

      3. Create the user & authenticate:

      > db.getSiblingDB("$external").addUser(
      ...    { user:"CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US",
      ...      roles: [
      ...          {name: 'clusterAdmin', source: 'admin', hasRole: true, 'canDelegate': true},
      ...          {name: 'userAdminAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true},
      ...          {name: 'readWriteAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true},
      ...          {name: 'dbAdminAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true}]
      ...    });
      > db.getSiblingDB("$external").auth({ user:"emailAddress=root@lazarus,CN=server,OU=Kernel,O=10Gen,L=New York City,ST=New York,C=US",
      ...          mechanism:"MONGODB-X509"});
      1

      4. Check in the system.users collection:

      > db.getSiblingDB("admin").system.users.findOne()
      {
      	"_id" : "$external.emailAddress=root@lazarus,CN=server,OU=Kernel,O=10Gen,L=New York City,ST=New York,C=US",
      	"name" : "emailAddress=root@lazarus,CN=server,OU=Kernel,O=10Gen,L=New York City,ST=New York,C=US",
      	"source" : "$external",
      	"roles" : [
      		{
      			"name" : "clusterAdmin",
      			"source" : "admin",
      			"hasRole" : true,
      			"canDelegate" : true
      		},
      		{
      			"name" : "userAdminAnyDatabase",
      			"source" : "admin",
      			"hasRole" : true,
      			"canDelegate" : true
      		},
      		{
      			"name" : "readWriteAnyDatabase",
      			"source" : "admin",
      			"hasRole" : true,
      			"canDelegate" : true
      		},
      		{
      			"name" : "dbAdminAnyDatabase",
      			"source" : "admin",
      			"hasRole" : true,
      			"canDelegate" : true
      		}
      	]
      }


      Description

      Adding a user with a username equal to the subject of the x509 certificate of a mongod instance in a replica set or sharded cluster appears to be successful as does the authentication of this user. This is in appearance only, as when I take a look at the system.users collection, there is nothing there. I would expect there to be some message that notifies the user that something has gone wrong while trying to add the user with the invalid username and certificate, and then not allow the user to authenticate.
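
      The report above hinges on a username string that happens to be the subject of a cluster member's certificate. Below is an added example (not MongoDB code, and not the fix shipped in 2.5.4) of the pre-flight guard a practitioner would want in front of addUser/createUser on $external: it parses an RFC 2253 style subject, re-serialises it so the username is derived from the certificate rather than hand-typed, and refuses a name that equals the subject of any cluster member certificate. The two subject strings are copied from the steps above; the function names and the CLUSTER_SUBJECTS list are assumptions for the example.

```python
"""Pre-flight guard for MONGODB-X509 usernames (added example; not MongoDB code).

MongoDB authenticates an X.509 client by looking up a $external user whose
name is the certificate subject written in comma-separated RFC 2253 form, as
in the report above. This guard refuses to create a $external user whose
subject equals that of a cluster member certificate, and it derives the
username from a parsed subject so the two cannot drift apart. Subject strings
are copied from the report; every function name here is an assumption.
"""
from __future__ import annotations

HEX = "0123456789abcdefABCDEF"
SPECIAL = ',+"\\<>;'  # characters that must be backslash-escaped inside a value


def _split_unescaped(s: str, sep: str) -> list[str]:
    """Split s on sep, ignoring occurrences preceded by a backslash."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2]); i += 2; continue
        if s[i] == sep:
            parts.append("".join(buf)); buf = []; i += 1; continue
        buf.append(s[i]); i += 1
    parts.append("".join(buf))
    return parts


def _unescape(raw: str) -> str:
    """Resolve \\x and \\HH escapes in one attribute value."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 2 < len(raw) and raw[i + 1] in HEX and raw[i + 2] in HEX:
            out.append(chr(int(raw[i + 1:i + 3], 16))); i += 3
        elif raw[i] == "\\" and i + 1 < len(raw):
            out.append(raw[i + 1]); i += 2
        else:
            out.append(raw[i]); i += 1
    return "".join(out)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Parse a comma-separated DN into ordered (type, value) pairs.
    Multi-valued RDNs ('+') are rejected rather than silently mis-parsed."""
    rdns = []
    for raw in _split_unescaped(dn, ","):
        if "=" not in raw:
            raise ValueError(f"malformed RDN: {raw!r}")
        if len(_split_unescaped(raw, "+")) > 1:
            raise ValueError(f"multi-valued RDN not supported: {raw!r}")
        typ, val = raw.split("=", 1)
        val = val.lstrip()
        while val.endswith(" ") and not val.endswith("\\ "):  # keep an escaped trailing space
            val = val[:-1]
        rdns.append((typ.strip(), _unescape(val)))
    return rdns


def format_dn(rdns: list[tuple[str, str]]) -> str:
    """Serialise pairs back to the string form used as the $external username."""
    def esc(v: str) -> str:
        chars = []
        for i, ch in enumerate(v):
            lead = i == 0 and ch in "# "
            trail = i == len(v) - 1 and ch == " "
            chars.append("\\" + ch if ch in SPECIAL or lead or trail else ch)
        return "".join(chars)
    return ",".join(f"{t}={esc(v)}" for t, v in rdns)


def canonical(dn: str) -> list[tuple[str, str]]:
    """Attribute types are case-insensitive (CN == cn); values and RDN order are
    compared exactly, because the server matches the username as a string."""
    return [(t.upper(), v) for t, v in parse_dn(dn)]


def check_external_username(candidate: str, cluster_subjects: list[str]) -> tuple[bool, str]:
    """Return (allowed, reason); refuse a username that names a cluster member."""
    cand = canonical(candidate)
    for subj in cluster_subjects:
        if canonical(subj) == cand:
            return False, f"refusing {candidate!r}: it is the subject of a cluster member certificate"
    return True, "ok"


# Constructed sample input: the two subjects from the report above.
SERVER_SUBJECT = "emailAddress=root@lazarus,CN=server,OU=Kernel,O=10Gen,L=New York City,ST=New York,C=US"
CLIENT_SUBJECT = "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US"
CLUSTER_SUBJECTS = [SERVER_SUBJECT]  # assumption: the subject of every node's sslClusterFile

if __name__ == "__main__":
    for name in (CLIENT_SUBJECT, SERVER_SUBJECT,
                 "emailaddress=root@lazarus, cn=server, ou=Kernel, o=10Gen, l=New York City, st=New York, c=US"):
        ok, why = check_external_username(name, CLUSTER_SUBJECTS)
        print("ALLOW " if ok else "REJECT", why)
```

      The guard only refuses an exact (type-case-insensitive) match of the whole subject; a DN with the same attributes in a different order is a different name and is allowed, which is why the username should be produced with format_dn from the certificate's parsed subject rather than typed by hand.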

              People

              Assignee:
              andreas.nilsson Andreas Nilsson
              Reporter:
              luke.lovett Luke Lovett