[COMPASS-6787] Add test: Make X.509 Parameters Configurable for Intra-node Auth and Client-to-node Auth
Created: 03/May/23  Updated: 22/May/23  Resolved: 22/May/23

Status: Closed
Project: Compass
Component/s: None
Affects Version/s: None
Fix Version/s: No version

Type: Investigation
Priority: Major - P3
Reporter: Le Roux Bodenstein
Assignee: Unassigned
Resolution: Won't Fix
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Cloners
clones COMPASS-6570 Investigate changes in PM-3048: Make ... Closed
Depends
Epic Link: COMPASS-5987
Story Points: 2
Documentation Changes: Not Needed

Description
Original Downstream Change Summary

This project will allow customers to configure X.509 cluster membership parameters.

Currently, the only way to differentiate a client certificate from a server certificate is through a different set of values for the subject name attributes O, OU, DC. This project will allow these attributes to be configurable.

Description of Linked Ticket

Epic Summary

Summary

Nodes in a cluster must perform privileged operations on their peers. When auth is enabled, they need to authenticate to each other to perform these operations. If administrators enable TLS and set the setParameter clusterAuthMode to x509, nodes authenticate to their peers using their X.509 certificates. When clients authenticate using X.509, servers need to determine whether they should be treated like regular users with privileges in admin.system.users or like highly privileged peers. Currently, the way to differentiate a client certificate from a server certificate is through a different set of values for O, OU, DC. Clients find this restrictive. This project will allow customers to specify additional X.509 parameters whose value is different across client and server.
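
The O/OU/DC comparison described in the Summary, as an added Python sketch (not MongoDB or Compass code): the DN parser is simplified, the sample subject names are constructed, and order-insensitive, case-sensitive matching of the values is an assumption of the example. The last sample shows why a CA that cannot vary these attributes is a problem: a client subject that shares the nodes' O and OU is classified as a peer.

```python
# Added illustration, not MongoDB server code: classify a certificate subject
# using the O/OU/DC comparison described above. Sample DNs are constructed.
MEMBERSHIP_ATTRS = ("O", "OU", "DC")

def parse_dn(dn):
    """Split a DN string into (TYPE, value) pairs.
    Simplified: handles single-character backslash escapes, not hex escapes."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch in ",+":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def membership_key(dn):
    """Collect the O, OU and DC values; order within the DN is ignored (assumption)."""
    key = {attr: [] for attr in MEMBERSHIP_ATTRS}
    for attr, value in parse_dn(dn):
        if attr in key:
            key[attr].append(value)
    return {attr: sorted(values) for attr, values in key.items()}

def classify(presented_dn, node_dn):
    """Return 'cluster-member' when the O/OU/DC sets equal the node's own, else 'client'."""
    node_key = membership_key(node_dn)
    if not any(node_key.values()):
        raise ValueError("node subject has no O, OU or DC to compare")
    return "cluster-member" if membership_key(presented_dn) == node_key else "client"

NODE = "CN=node1.db.example.net,OU=Database,O=ExampleCorp,C=US"
PEER = "C=US, O=ExampleCorp, OU=Database, CN=node2.db.example.net"
APP_OK = "CN=app-reporting,OU=Applications,O=ExampleCorp,C=US"
APP_SHARED = "CN=app-billing,OU=Database,O=ExampleCorp,C=US"  # same O/OU as nodes

if __name__ == "__main__":
    for dn in (PEER, APP_OK, APP_SHARED):
        print(f"{classify(dn, NODE):14} {dn}")
```

Running the same check over a planned client subject before the certificate is issued catches the overlap while it is still cheap to fix.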

Motivation

Large self-managed customers have CAs managed by a separate team, and it is not possible for them to ensure a different set of values for O, OU, DC without significant Docs Update

