  1. Core Server
  2. SERVER-44435

Allow x509 authorization to be selectively enabled based on the CA


    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.2.4, 4.3.3, 3.6.18, 4.0.17
    • Component/s: None
    • Labels:
      None
    • Backwards Compatibility:
      Fully Compatible
    • Backport Requested:
      v4.2, v4.0, v3.6
    • Sprint:
      Security 2019-12-16, Security 2019-01-27

      Description

      In SERVER-41069, allowRolesFromX509Certificates was added as a switch to enable or disable the use of x509 authorization extensions for the entire mongod/mongos process.

      This is not granular enough for the use case where mongod is running with multiple CAs, some trusted and some untrusted. An untrusted CA would be allowed to issue client certificates, but the authorizations must still be controlled by the MongoDB database user. A trusted CA would be allowed to issue certificates with x509 authorization extensions.

      Ideally, instead of allowRolesFromX509Certificates being a boolean, there would be a way to pass MongoDB a list of trusted CAs.

            People

            Assignee:
            sara.golemon Sara Golemon
            Reporter:
            cory.mintz Cory Mintz