[COMPASS-5142] Enable connecting to replica sets and TLS with SSH tunnels
Created: 06/Oct/21  Updated: 29/Oct/23  Resolved: 24/Jan/22

Status: Closed
Project: Compass
Component/s: None
Affects Version/s: None
Fix Version/s: 1.31.0

Type: Story Priority: Major - P3
Reporter: Anna Henningsen Assignee: Anna Henningsen
Resolution: Fixed Votes: 0
Labels: None
Σ Remaining Estimate: Not Specified Remaining Estimate: Not Specified
Σ Time Spent: Not Specified Time Spent: Not Specified
Σ Original Estimate: Not Specified Original Estimate: Not Specified

Issue Links:
Depends
depends on NODE-3633 Socks5 Proxy support Closed
Documented
Related
is related to COMPASS-4328 Cannot connect to Replicat Set with S... Closed
is related to COMPASS-5379 Update connection-secrets.ts to accou... Closed
is related to COMPASS-5399 Bump driver version to 4.3.0 Closed
is related to MONGOSH-1093 Bump driver version to 4.3.0 Closed
Sub-Tasks:
Key  Summary  Type  Status  Assignee
COMPASS-5157 Move ssh-tunnel package into Compass ... Sub-task Closed Anna Henningsen
COMPASS-5156 Make SSH tunnel use Socks5 Sub-task Closed Anna Henningsen
COMPASS-5155 Add Socks5 options to connection form UI Sub-task Closed Basit Chonka
COMPASS-5158 Add connectivity tests for SSH tunnel... Sub-task Closed Anna Henningsen
COMPASS-5375 Add connection form UI validation Sub-task Closed Basit Chonka
COMPASS-5449 Add telemetry support for Socks5 Sub-task Closed Anna Henningsen
Epic Link: COMPASS-5198
Story Points: 8
Documentation Changes: Needed
Documentation Changes Summary:

The new connection form (which I think is handled in a special way on the docs side, not sure myself) now supports specifying a Socks5 proxy hostname, as well as optionally a Socks5 proxy port and/or username and password. This is mutually exclusive with the usage of SSH tunneling.

If this feature is documented (I don't think SSH tunneling support currently is), a few security aspects might be relevant to mention in the documentation:

  • Socks5 transmits passwords in plaintext. Consequently, usage of a remote proxy host with Socks5 passwords is generally insecure.
  • Socks5 is a proxy protocol, and as such, it is highly recommended to only use it when TLS is fully enabled and no insecure TLS options are being passed.
Sprint: Iteration Seoul, Iteration Tokyo

Description:

We are going to add support for connecting to replica sets using SSH tunnels. As part of that, we ensure that connecting using SSH + TLS also works.

This should be based on the driver work in DRIVERS-1357 / NODE-3633.
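
The two security notes in the documentation summary above, expressed as a check on a connection string (an added example, not code from Compass or the driver). It assumes the MongoDB Node.js driver's `proxyHost`, `proxyUsername` and `proxyPassword` connection-string options for Socks5, treats any non-loopback proxy host as remote, and uses constructed sample URIs.

```javascript
// Added example: audits a MongoDB connection string for the two Socks5 risks
// named in the ticket. auditSocks5 and the finding names are hypothetical.
const INSECURE_TLS = ['tlsInsecure', 'tlsAllowInvalidCertificates', 'tlsAllowInvalidHostnames'];
const LOOPBACK = new Set(['localhost', '127.0.0.1', '::1', '[::1]']);

function auditSocks5(uri) {
  // mongodb:// URIs may list several hosts, which the WHATWG URL parser
  // rejects, so only the query part is parsed here.
  const q = uri.indexOf('?');
  const raw = new URLSearchParams(q === -1 ? '' : uri.slice(q + 1));
  // Connection-string option names are case-insensitive; normalise the keys.
  const opts = new Map();
  for (const [key, value] of raw) opts.set(key.toLowerCase(), value);

  const findings = [];
  const proxyHost = opts.get('proxyhost');
  if (!proxyHost) return findings; // no Socks5 proxy configured

  // Socks5 only relays bytes: without TLS the proxy sees the traffic in clear.
  // mongodb+srv:// enables TLS by default; plain mongodb:// does not.
  const tlsValue = opts.get('tls') ?? opts.get('ssl');
  const tlsOn = tlsValue === undefined ? uri.startsWith('mongodb+srv://') : tlsValue === 'true';
  if (!tlsOn) findings.push('proxy-without-tls');

  // TLS that skips certificate or hostname checks does not authenticate the
  // server reached through the proxy.
  for (const name of INSECURE_TLS) {
    if (opts.get(name.toLowerCase()) === 'true') findings.push(`insecure-tls-option:${name}`);
  }

  // Socks5 username/password authentication is sent in plaintext, so it is
  // only reasonable towards a proxy on the local machine (assumption of this
  // example: loopback names only count as local).
  const hasCreds = opts.has('proxyusername') || opts.has('proxypassword');
  if (hasCreds && !LOOPBACK.has(proxyHost.toLowerCase())) {
    findings.push('plaintext-proxy-password-to-remote-host');
  }
  return findings;
}

// Constructed sample URIs (hosts and credentials are placeholders).
const samples = [
  'mongodb://db1.example.net:27017,db2.example.net:27017/?replicaSet=rs0&tls=true&proxyHost=localhost&proxyPort=1080',
  'mongodb://db1.example.net:27017/?tls=true&tlsAllowInvalidCertificates=true&proxyHost=proxy.example.net&proxyUsername=u&proxyPassword=p',
  'mongodb://db1.example.net/?proxyHost=127.0.0.1',
];
for (const uri of samples) console.log(auditSocks5(uri));
```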


Generated at Wed Feb 07 22:38:35 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.