[COMPASS-6570] Investigate changes in PM-3048: Make X.509 Parameters Configurable for Intra-node Auth and Client-to-node Auth Created: 28/Feb/23  Updated: 03/May/23  Resolved: 03/May/23

Status: Closed
Project: Compass
Component/s: None
Affects Version/s: None
Fix Version/s: No version

Type: Investigation Priority: Major - P3
Reporter: Backlog - Core Eng Program Management Team Assignee: Unassigned
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Cloners
is cloned by COMPASS-6787 Add test: Make X.509 Parameters Confi... Closed
Depends
Epic Link: COMPASS-5987
Documentation Changes: Not Needed

Description
Original Downstream Change Summary

This project will allow customers to configure X.509 cluster membership parameters.

Currently, the only way to differentiate a client certificate from a server certificate is through a different set of values for the subject name attributes O, OU, and DC. This project will make these attributes configurable.

Description of Linked Ticket

Epic Summary

Summary

Nodes in a cluster must perform privileged operations on their peers. When auth is enabled, they need to authenticate to each other to perform these operations. If administrators enable TLS and set the setParameter clusterAuthMode to x509, then nodes authenticate to their peers using their X.509 certificates. When clients authenticate using X.509, servers need to decide whether the presented certificate should be treated as a regular user with privileges in admin.system.users or as a highly privileged peer. Currently, the way to differentiate a client certificate from a server certificate is through a different set of values for O, OU, and DC. Customers find this restrictive. This project will allow customers to specify additional X.509 parameters whose values differ between client and server certificates.
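The membership decision described above, as an added illustration that is not MongoDB's or Compass's own code: a small RFC 4514 subject-name parser and a comparison that treats a presented certificate as a cluster peer only when the configured set of subject attributes matches the server's own certificate. The default attribute set (O, OU, DC) is the current behaviour; passing a different tuple stands in for the configurability this epic introduces. All distinguished names are constructed sample values, and the use of the RFC 4519 `title` attribute as the extra discriminator is a hypothetical choice, not a setting from the project.

```python
"""Illustrative X.509 cluster-membership check (added example, not project code).

The decision here assumes the peer's certificate chain has ALREADY been validated
against the cluster CA; matching subject attributes is an authorization decision on
top of that, never a substitute for chain validation.
"""
from __future__ import annotations

from typing import Optional

# Current behaviour: a presented certificate is a cluster member when these
# subject attributes carry the same values as the server's own certificate.
DEFAULT_MEMBERSHIP_ATTRS = ("O", "OU", "DC")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Parse an RFC 4514 string DN into (attribute, value) pairs.

    Handles backslash escapes so that ',' '+' '=' inside a value are kept, and
    treats '+' (multi-valued RDN) the same as ',' for comparison purposes.
    Attribute types are upper-cased so 'o' and 'O' compare equal.
    """
    pairs: list[tuple[str, str]] = []
    buf: list[str] = []
    key: Optional[str] = None
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and key is None:
            key = "".join(buf).strip().upper()
            buf = []
        elif ch in ",+":
            if key is None:
                raise ValueError(f"attribute without '=' in DN: {dn!r}")
            pairs.append((key, "".join(buf).strip()))
            key, buf = None, []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError(f"dangling escape at end of DN: {dn!r}")
    if key is None:
        raise ValueError(f"attribute without '=' in DN: {dn!r}")
    pairs.append((key, "".join(buf).strip()))
    return pairs


def attribute_values(pairs: list[tuple[str, str]], attr: str) -> list[str]:
    """All values of one attribute type, sorted so DC=a,DC=b equals DC=b,DC=a."""
    wanted = attr.upper()
    return sorted(v for k, v in pairs if k == wanted)


def is_cluster_member(server_dn: str, presented_dn: str,
                      attrs: tuple[str, ...] = DEFAULT_MEMBERSHIP_ATTRS) -> bool:
    """True when every configured attribute matches the server's certificate.

    An attribute absent from one side and present on the other is a mismatch,
    so a missing discriminator can never be mistaken for a match.
    """
    server = parse_dn(server_dn)
    presented = parse_dn(presented_dn)
    return all(attribute_values(server, a) == attribute_values(presented, a) for a in attrs)


def classify(server_dn: str, presented_dn: str,
             attrs: tuple[str, ...] = DEFAULT_MEMBERSHIP_ATTRS) -> str:
    """Label the presented certificate as a privileged peer or an ordinary user."""
    return "cluster member" if is_cluster_member(server_dn, presented_dn, attrs) else "client user"


# Constructed sample subjects (not real certificates).
SERVER_DN = "CN=node1.example.com,title=ClusterMember,OU=Servers,O=Example Corp,DC=example,DC=com"
PEER_DN = "CN=node2.example.com,title=ClusterMember,OU=Servers,O=Example Corp,DC=example,DC=com"
CLIENT_DN = "CN=alice,OU=Clients,O=Example Corp,DC=example,DC=com"
# The case from the motivation: a CA team that will not vary O/OU/DC for clients,
# so an ordinary user's certificate shares them with the servers.
SAME_OU_CLIENT_DN = "CN=bob,OU=Servers,O=Example Corp,DC=example,DC=com"

if __name__ == "__main__":
    print("peer, default attrs:     ", classify(SERVER_DN, PEER_DN))
    print("client, default attrs:   ", classify(SERVER_DN, CLIENT_DN))
    print("same-OU client, default: ", classify(SERVER_DN, SAME_OU_CLIENT_DN))
    print("same-OU client, +title:  ", classify(SERVER_DN, SAME_OU_CLIENT_DN, ("O", "OU", "DC", "title")))
```

With the default attribute set, `bob` is classified as a cluster member because his O, OU and DC are identical to the servers'; adding a discriminator the servers carry and clients do not (here the hypothetical `title=ClusterMember`) to the compared set is what lets a deployment keep the CA's fixed O/OU/DC values and still tell peers from users. Whatever attribute is chosen, it must be one the CA will never issue to a regular client, since any subject matching the configured set is granted peer privileges.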

Motivation

Large self-managed customers have CAs managed by a separate team, and it is not possible for them to ensure a different set of values for O, OU, DC without significant

Docs Update



Comments
Comment by Le Roux Bodenstein [ 03/May/23 ]

Added a ticket to test this.

Generated at Wed Feb 07 22:43:37 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.