[SERVER-54136] Make the authenticate command respect enforceUserClusterSeparation - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major - P3
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 4.9.0, 4.4.5, 4.0.24, 4.2.14
Component/s: None
Labels:
None

Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Backport Requested:

v4.4, v4.2, v4.0
Sprint:
Security 2021-02-22
Case:

Description

The enforceUserClusterSeparation setParameter introduced by ~~SERVER-45938~~ can be used to disable certain sanity checks in the createUser command, for clusters where they are not relevant.

We should disable the equivalent checks in the authenticate command when this parameter is active, allowing "cluster member" certificates to authenticate as users stored in the $external database.

We should also validate why tests introduced by ~~SERVER-45938~~ didn't identify that this override wasn't present.

Attachments

Issue Links

causes

SERVER-73576 enforceUserClusterSeparation authenticate validation incorrect

Closed

is related to

DOCS-15864 [SERVER] documentation for enforceUserClusterSeparation parameter

Backlog

SERVER-45938 Allow matching O/OU/DC in client x509 cert if clusterMode:keyFile

Closed

related to

SERVER-14655 x.509 certificate authentication requires O,OU to differ between client and server

Closed

Activity

People

Assignee:: Benjamin Caimano (Inactive)

Reporter:: Spencer Jackson

Participants:: Benjamin Caimano, Githook User, Salman Baset, Simon Levesque, Spencer Jackson

Votes:: 1 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: Jan 29 2021 03:52:06 PM UTC

Updated:: Feb 03 2023 11:27:12 AM UTC

Resolved:: Feb 18 2021 05:06:03 PM UTC