Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-11025

Adding a user with x509 certificate = server certificate appears to work

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Done
    • Priority: Icon: Major - P3 Major - P3
    • 2.5.4
    • Affects Version/s: 2.5.2
    • Component/s: Security
    • ALL
    • Hide

      1. For each node in the replica set, I set up sslClusterFile and sslPEMKeyFile to be "server.pem":

      mongod --replSet testReplSet --sslOnNormalPorts --sslClusterFile jstests/libs/server.pem --clusterAuthMode x509 --sslPEMKeyFile jstests/libs/server.pem --sslCRLFile jstests/libs/crl_client_revoked.pem --sslCAFile jstests/libs/ca.pem --auth

      2. I connect with mongo using the same certificate:

      mongo --ssl --sslPEMKeyFile jstests/libs/server.pem

      3. Create the user & authenticate:

      > db.getSiblingDB("$external").addUser(
...    { user:"CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US",
...      roles: [
...          {name: 'clusterAdmin', source: 'admin', hasRole: true, 'canDelegate': true},
...          {name: 'userAdminAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true},
...          {name: 'readWriteAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true},
...          {name: 'dbAdminAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true}]
...    });
> db.getSiblingDB("$external").auth({ user:"emailAddress=root@lazarus,CN=server,OU=Kernel,O=10Gen,L=New York City,ST=New York,C=US",
...          mechanism:"MONGODB-X509"});
1

      4. Check in the system.users collection:

      > db.getSiblingDB("admin").system.users.findOne()
{
	"_id" : "$external.emailAddress=root@lazarus,CN=server,OU=Kernel,O=10Gen,L=New York City,ST=New York,C=US",
	"name" : "emailAddress=root@lazarus,CN=server,OU=Kernel,O=10Gen,L=New York City,ST=New York,C=US",
	"source" : "$external",
	"roles" : [
		{
			"name" : "clusterAdmin",
			"source" : "admin",
			"hasRole" : true,
			"canDelegate" : true
		},
		{
			"name" : "userAdminAnyDatabase",
			"source" : "admin",
			"hasRole" : true,
			"canDelegate" : true
		},
		{
			"name" : "readWriteAnyDatabase",
			"source" : "admin",
			"hasRole" : true,
			"canDelegate" : true
		},
		{
			"name" : "dbAdminAnyDatabase",
			"source" : "admin",
			"hasRole" : true,
			"canDelegate" : true
		}
	]
}
      Show
      1. For each node in the replica set, I set up sslClusterFile and sslPEMKeyFile to be "server.pem": mongod --replSet testReplSet --sslOnNormalPorts --sslClusterFile jstests/libs/server.pem --clusterAuthMode x509 --sslPEMKeyFile jstests/libs/server.pem --sslCRLFile jstests/libs/crl_client_revoked.pem --sslCAFile jstests/libs/ca.pem --auth 2. I connect with mongo using the same certificate: mongo --ssl --sslPEMKeyFile jstests/libs/server.pem 3. Create the user & authenticate: > db.getSiblingDB("$external").addUser( ... { user:"CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US", ... roles: [ ... {name: 'clusterAdmin', source: 'admin', hasRole: true, 'canDelegate': true}, ... {name: 'userAdminAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true}, ... {name: 'readWriteAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true}, ... {name: 'dbAdminAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true}] ... }); > db.getSiblingDB("$external").auth({ user:"emailAddress=root@lazarus,CN=server,OU=Kernel,O=10Gen,L=New York City,ST=New York,C=US", ... mechanism:"MONGODB-X509"}); 1 4. Check in the system.users collection: > db.getSiblingDB("admin").system.users.findOne() { "_id" : "$external.emailAddress=root@lazarus,CN=server,OU=Kernel,O=10Gen,L=New York City,ST=New York,C=US", "name" : "emailAddress=root@lazarus,CN=server,OU=Kernel,O=10Gen,L=New York City,ST=New York,C=US", "source" : "$external", "roles" : [ { "name" : "clusterAdmin", "source" : "admin", "hasRole" : true, "canDelegate" : true }, { "name" : "userAdminAnyDatabase", "source" : "admin", "hasRole" : true, "canDelegate" : true }, { "name" : "readWriteAnyDatabase", "source" : "admin", "hasRole" : true, "canDelegate" : true }, { "name" : "dbAdminAnyDatabase", "source" : "admin", "hasRole" : true, "canDelegate" : true } ] }

      Adding a user with a username equal to the subject of the x509 certificate of a mongod instance in a replica set or sharded cluster appears to be successful as does the authentication of this user. This is in appearance only, as when I take a look at the system.users collection, there is nothing there. I would expect there to be some message that notifies the user that something has gone wrong while trying to add the user with the invalid username and certificate, and then not allow the user to authenticate.

        1. invalid_cert.log
          50 kB

            Assignee:
            andreas.nilsson Andreas Nilsson
            Reporter:
            luke.lovett Luke Lovett
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: