Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-45938

Allow matching O/OU/DC in client x509 cert if clusterMode:keyFile

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: 3.2.22, 3.6.17, 3.4.24, 4.2.3, 4.3.3, 4.0.16
    • Fix Version/s: 4.7.0, 4.4.2, 4.2.11, 4.0.21
    • Component/s: Security
    • Labels:
      None
    • Backwards Compatibility:
      Fully Compatible
    • Backport Requested:
      v4.4, v4.2, v4.0
    • Sprint:
      Security 2020-02-24, Security 2020-08-24, Security 2020-09-07
    • Case:

      Description

      When creating a new client x.509 user via createUser, MongoDB validates that the O/OU/DC do not match to prevent the user from being considered an internal cluster member with _system privileges. However this only applies if clusterMode: x509. If clusterMode: keyFile, then matching O/OU/DC does not grant _system privileges, but MongoDB still prevents these users from being created. So if clusterMode: keyFile, then we should not enforce the matching O/OU/DC restriction between client and PEMKeyFile/clusterFile certs.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              spencer.jackson Spencer Jackson
              Reporter:
              james.kovacs James Kovacs
              Participants:
              Votes:
              1 Vote for this issue
              Watchers:
              9 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: