[COMPASS-6787] Add test: Make X.509 Parameters Configurable for Intra-node Auth and Client-to-node Auth
Created: 03/May/23 Updated: 22/May/23 Resolved: 22/May/23
| Status: | Closed |
| Project: | Compass |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | No version |
| Type: | Investigation | Priority: | Major - P3 |
| Reporter: | Le Roux Bodenstein | Assignee: | Unassigned |
| Resolution: | Won't Fix | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: |
| Epic Link: | COMPASS-5987 |
| Story Points: | 2 |
| Documentation Changes: | Not Needed |
| Description |

Original Downstream Change Summary

This project will allow customers to configure X.509 cluster membership parameters. Currently, the way to differentiate a client certificate from a server certificate is strictly through a different set of values for the subject name attributes O, OU, DC. This project will allow these attributes to be configurable.

Description of Linked Ticket

Epic Summary

Summary

Nodes in a cluster must perform privileged operations on their peers. When auth is enabled, they will need to authenticate to each other to perform these operations. If administrators enable TLS and set the setParameter clusterAuthMode to x509, then nodes will authenticate to their peers using their X509 certificate.

When clients authenticate using X509, servers need to figure out if they should be treated like regular users with privileges in admin.system.users or like highly privileged peers. Currently, the way to differentiate a client certificate from a server certificate is through a different set of values for O, OU, DC. Clients find this restrictive. This project will allow customers to specify additional X.509 parameters whose value is different across client and server.

Motivation

Large self-managed customers have CAs managed by a separate team and it is not possible for them to ensure a different set of values for O, OU, DC without significant

Docs Update
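The O/OU/DC classification described in the Summary can be turned into an audit check that flags client certificates a node would treat as peers. This is an added example, not code from Compass or the server. It assumes a presented certificate counts as a peer when its O, OU and DC values equal the node's own (compared in the order they appear) and at least one of them is present; the function names, the simplified DN parsing and the sample subjects are constructed for illustration.

```javascript
// Added example. DN parsing is simplified: no escaped commas, no multi-valued RDNs.
const MEMBERSHIP_ATTRS = ['O', 'OU', 'DC'];

// Collect the O, OU and DC values from a subject DN string.
function membershipAttrs(dn) {
  const out = { O: [], OU: [], DC: [] };
  for (const rdn of dn.split(',')) {
    const eq = rdn.indexOf('=');
    if (eq < 0) continue; // not an attribute=value pair
    const type = rdn.slice(0, eq).trim().toUpperCase();
    const value = rdn.slice(eq + 1).trim();
    if (MEMBERSHIP_ATTRS.includes(type)) out[type].push(value);
  }
  return out;
}

// Assumed rule (taken from the ticket text): a presented certificate is
// treated as a cluster peer when its O, OU and DC values all equal the
// node's own, and the node's subject carries at least one of them.
function isTreatedAsPeer(nodeDn, presentedDn) {
  const node = membershipAttrs(nodeDn);
  const presented = membershipAttrs(presentedDn);
  const hasAny = MEMBERSHIP_ATTRS.some((t) => node[t].length > 0);
  return hasAny && MEMBERSHIP_ATTRS.every(
    (t) => JSON.stringify(node[t]) === JSON.stringify(presented[t]));
}

// Audit helper: client subjects that would be classified as privileged peers.
function findMisclassifiedClients(nodeDn, clientDns) {
  return clientDns.filter((dn) => isTreatedAsPeer(nodeDn, dn));
}

// Constructed sample subjects.
const NODE_DN =
  'CN=node1.example.net,OU=Database,O=ExampleCorp,DC=example,DC=net';
const CLIENT_DNS = [
  // Differs from the node in OU: regular user.
  'CN=app-reporting,OU=Applications,O=ExampleCorp,DC=example,DC=net',
  // Same O, OU and DC as the node: would be treated as a peer.
  'CN=app-billing,OU=Database,O=ExampleCorp,DC=example,DC=net',
  // Lacks OU and DC: regular user.
  'CN=dev-laptop,O=ExampleCorp',
];

console.log(findMisclassifiedClients(NODE_DN, CLIENT_DNS));
```

Running the check over every client subject a CA has issued shows which certificates need reissuing before clusterAuthMode is set to x509.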