-
Type: New Feature
-
Resolution: Done
-
Priority: Major - P3
-
Affects Version/s: None
-
Component/s: Security
-
Fully Compatible
-
Platforms 2017-08-21
Proposed title: Mechanism to allow restricting auth by incoming interface
ISSUE DESCRIPTION
MongoDB 3.6 introduces support for setting IP-based restrictions as part of authentication. Before a client may authenticate to a user account, it must meet all the restrictions listed on the account.
Restrictions can be set against the IP address of the client (clientSource) or against the IP address on which the server accepted the client's connection (serverAddress). A server-address restriction is met only if the server accepted the client's connection on an IP address listed in the restriction, or on an address inside a CIDR block listed in it; in all other cases the restriction is not met. A client-source restriction is evaluated the same way against the client's own IP address.
APPLYING THESE RESTRICTIONS
User and role documents can have a new optional field, authenticationRestrictions, which contains an array of restriction documents. Within one document every condition listed must hold; across the array it is enough that one document is fully met. If the field is attached to a user, or to a role the user holds, a client authenticating as that user must meet all the conditions described in at least one document in order to successfully authenticate.
For example:
{
    "_id" : "admin.localhostRoot",
    "role" : "localhostRoot",
    "db" : "admin",
    "privileges" : [ ],
    "roles" : [ { "role" : "root", "db" : "admin" } ],
    "authenticationRestrictions" : [ { "clientSource" : "127.0.0.0/8" } ]
}
Additionally, both mongod and mongos gain a new startup flag, --clusterIpWhitelist, and a corresponding YAML configuration option, security.net.clusterIpWhitelist (the option shipped in 3.6 under the names --clusterIpSourceWhitelist and security.clusterIpSourceWhitelist). The flag's argument is a string containing comma-separated IP addresses and/or CIDR blocks. If the flag is set at startup, every authentication attempt as the internal __system user must originate from an IP address contained in that list; a peer whose source address is not listed cannot authenticate as __system even if it holds the cluster keyfile or a valid cluster certificate.
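The matching rules above, written out as an added example so the AND-within-a-document / OR-across-the-array semantics and the separate __system whitelist can be checked side by side. This is illustrative code written for this page, not MongoDB's implementation. It uses the shipped field names clientSource and serverAddress and the shipped option name --clusterIpSourceWhitelist; the user and role documents, addresses and subnets are constructed from the scenario in the original description below (a 192.168.1.0/24 management subnet and a 10.0.0.0/8 application subnet). Two points are this model's assumptions rather than statements from the ticket: a user must satisfy its own restriction array and the array of every role it holds, and an absent array means unrestricted.

```python
# Added example: model of the MongoDB 3.6 authenticationRestrictions and
# --clusterIpSourceWhitelist matching rules. Illustrative only, not MongoDB code.
import ipaddress


def _networks(value):
    """Accept one string or a list of strings, each an IP address or CIDR block."""
    if isinstance(value, str):
        value = [value]
    return [ipaddress.ip_network(v, strict=False) for v in value]


def _in_any(addr, networks):
    a = ipaddress.ip_address(addr)
    return any(a.version == n.version and a in n for n in networks)


def restriction_met(doc, client_ip, server_ip):
    """One restriction document: every key present must match (AND within a doc)."""
    if "clientSource" in doc and not _in_any(client_ip, _networks(doc["clientSource"])):
        return False
    if "serverAddress" in doc and not _in_any(server_ip, _networks(doc["serverAddress"])):
        return False
    return True


def restrictions_met(docs, client_ip, server_ip):
    """An authenticationRestrictions array: at least one document must be fully met
    (OR across docs). Absent/empty array means unrestricted (assumption of this model)."""
    if not docs:
        return True
    return any(restriction_met(d, client_ip, server_ip) for d in docs)


def can_authenticate(user, roles, client_ip, server_ip):
    """The user's own restrictions and those of every role it holds must all be
    satisfied (this model's reading of 'must meet all the restrictions on the account')."""
    if not restrictions_met(user.get("authenticationRestrictions"), client_ip, server_ip):
        return False
    for r in user.get("roles", []):
        role = roles.get((r["db"], r["role"]), {})
        if not restrictions_met(role.get("authenticationRestrictions"), client_ip, server_ip):
            return False
    return True


def parse_cluster_whitelist(flag_value):
    """--clusterIpSourceWhitelist takes a comma-separated list of IPs and CIDR blocks."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in flag_value.split(",") if s.strip()]


def system_login_allowed(whitelist, client_ip):
    """__system may authenticate only from a whitelisted source; no whitelist means any source."""
    return whitelist is None or _in_any(client_ip, whitelist)


# Constructed sample data (not from a real deployment).
ROLES = {
    ("admin", "localhostRoot"): {
        "roles": [{"role": "root", "db": "admin"}],
        "authenticationRestrictions": [{"clientSource": "127.0.0.0/8"}],
    },
}
USERS = {
    # dba: only from the management subnet, and only via the management interface
    "dba": {"roles": [{"role": "root", "db": "admin"}],
            "authenticationRestrictions": [
                {"clientSource": ["192.168.1.0/24"], "serverAddress": ["192.168.1.0/24"]}]},
    # app: from either subnet (two documents, OR), via any interface
    "app": {"roles": [{"role": "readWrite", "db": "shop"}],
            "authenticationRestrictions": [
                {"clientSource": ["10.0.0.0/8"]}, {"clientSource": ["192.168.1.0/24"]}]},
    # ops: no restrictions of its own, but inherits localhostRoot's loopback-only rule
    "ops": {"roles": [{"role": "localhostRoot", "db": "admin"}]},
}


def demo():
    """Outcomes for the scenario in the ticket: (client IP, server IP) per attempt."""
    return {
        "dba via management": can_authenticate(USERS["dba"], ROLES, "192.168.1.20", "192.168.1.10"),
        "dba from compromised app host": can_authenticate(USERS["dba"], ROLES, "10.1.2.3", "192.168.1.10"),
        "app from app subnet": can_authenticate(USERS["app"], ROLES, "10.1.2.3", "10.0.0.10"),
        "app from elsewhere": can_authenticate(USERS["app"], ROLES, "172.16.0.1", "10.0.0.10"),
        "ops over loopback": can_authenticate(USERS["ops"], ROLES, "127.0.0.1", "127.0.0.1"),
        "ops over network": can_authenticate(USERS["ops"], ROLES, "10.1.2.3", "10.0.0.10"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
    wl = parse_cluster_whitelist("192.168.1.0/24, 10.0.0.5")
    print("__system from 10.0.0.5:", system_login_allowed(wl, "10.0.0.5"))
    print("__system from 10.0.0.6:", system_login_allowed(wl, "10.0.0.6"))
```

The "dba from compromised app host" case is the one the original description is after: the attempt carries valid dba credentials and reaches the management interface, yet fails because the client source is outside 192.168.1.0/24. The __system whitelist is evaluated on its own and is the only control on the internal cluster user, so when you bind a member to several interfaces it should list the cluster peers' source addresses, not the whole application subnet.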
Original description
In deployments where mongod/mongoses use bind_ip to listen on several interfaces (including possibly Unix Domain Sockets), it would be useful if there was some way to indicate that a user may only authenticate on connections originating from specific interfaces.
For example, suppose mongod is listening on an internal 192.168.1.x management subnet, as well as a 10.x.x.x subnet for application client connections. It would be useful if authentication with a "dba" user could be limited only to the former, while the "app" user could be limited only to the latter (or perhaps both). This would help to increase security, since the compromise of an app server and the "dba" user credentials would not be enough to gain admin level access to the system. Currently, credentials can be used via any connection to a mongod.
- is duplicated by
-
SERVER-15349 Authenticate users by hostname
- Closed
- is related to
-
SERVER-5267 Ability to block specific IPs from connecting
- Closed
- related to
-
SERVER-22084 Add IP-based login restrictions for users/roles
- Closed