[DOCS-13117] X.509 auth page does not state that a user with credentials may be required
Created: 15/Oct/19  Updated: 30/Oct/23  Due: 11/Sep/20  Resolved: 31/Oct/22

Status: Closed
Project: Documentation
Component/s: manual
Affects Version/s: None
Fix Version/s: Server_Docs_20231030

Type: Bug
Priority: Minor - P4
Reporter: Oleg Pudeyev (Inactive)
Assignee: Emet Ozar
Resolution: Won't Fix
Votes: 0
Labels: docs-investigating
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to RUBY-1949 Add X.509 authentication integration ... Closed
Participants:
Days since reply: 1 year, 14 weeks, 2 days ago
Epic Link: DOCSP-1769

 Description   

Description

I attempted to follow the instructions in https://docs.mongodb.com/manual/tutorial/configure-x509-client-authentication/ to configure x.509 authentication. This was on a brand new deployment created with mlaunch which had no existing users. My idea was to create the first and only user with x.509 authentication.

However, when attempting to create the user (or run other administrative commands), the server always replied with an "unauthorized" error even though I have not enabled auth.

Investigating this, I believe the following occurred:

Therefore it is my impression that in order to create an x.509 user, when the deployment uses member authentication, one must already have another user with credentials (stored in admin database) created. This is not mentioned in https://docs.mongodb.com/manual/tutorial/configure-x509-client-authentication/.

Scope of changes

  • Re-validate x.509 tutorial and confirm additional step required in 4.2, 4.0, 3.6
  • Check w/ security if there are additional workarounds here
  • Document and backport

Impact to Other Docs

Given that LDAP users are also created on $external I can only assume this issue also applies there. LDAP is a bit of a beast, so if this behavior is intentional and generally true we may need to open up additional tickets to fix this.


 Comments   
Comment by Education Bot [ 31/Oct/22 ]

Hello! This ticket has been closed due to inactivity. If you believe this ticket is still important, please reopen it and leave a comment to explain why. Thank you!

Comment by Oleg Pudeyev (Inactive) [ 05/Oct/20 ]

Assigning to myself for tracking, will assign to jason.price when done investigating.

Comment by Oleg Pudeyev (Inactive) [ 10/Sep/20 ]

In the description of the ticket I stated that mlaunch uses the --keyFile option, which enables authentication. I don't see this option being provided in the subsequent tests performed.

I do not see this option referenced in https://docs.mongodb.com/manual/tutorial/configure-x509-client-authentication/ either, therefore perhaps the issue is really an mlaunch one.

I am also confused why this ticket is marked fixed when it appears that no changes were made. What was the fix?

Comment by Jason Price [ 09/Sep/20 ]

No doc update needed.
