[DOCS-16024] Investigate changes in SERVER-74996: Add override server parameter for X.509 subject name matching and extension value

Created: 10/Apr/23 | Updated: 13/Nov/23 | Resolved: 29/Jun/23

| Field | Value |
|---|---|
| Status | Closed |
| Project | Documentation |
| Component/s | Server |
| Affects Version/s | None |
| Fix Version/s | 7.0.0-rc0, Server_Docs_20231030, Server_Docs_20231106, Server_Docs_20231105, Server_Docs_20231113 |
| Type | Task |
| Priority | Major - P3 |
| Reporter | Backlog - Core Eng Program Management Team |
| Assignee | Kenneth Dyer |
| Resolution | Duplicate |
| Votes | 0 |
| Labels | None |
| Remaining Estimate | Not Specified |
| Time Spent | Not Specified |
| Original Estimate | Not Specified |

Description

Original Downstream Change Summary

This ticket introduces a new server parameter, tlsClusterAuthX509Override, which accepts a JSON object. The provided object is expected to either have {attributes: <string>} or {extensionValue: <string>}. The first option will allow the DBA to specify a set of X.509 DN attributes and values that the server will expect cluster member nodes to contain in their certificate subject names. The second option will allow the DBA to specify an extension value corresponding to the MongoDB cluster membership extension OID that the server will expect cluster member nodes to contain in their certificates. This override parameter is intended to be used explicitly when net.tls.clusterAuthX509.attributes or net.tls.clusterAuthX509.extensionValue is being set or unset via rolling restarts. See WRITING-12681 for full context of the downstream changes around this project.

Description of Linked Ticket

In order to provide a mechanism of resolving this via rolling restarts, this ticket will introduce a new server parameter that can be used to override the configuration option. When the override is set, both the old and new subject name criteria will be accepted, allowing for certificate rotation via a rolling restart. The full sequence of steps is described below:

This ticket will also add a test that mocks the above procedure to validate its usability.
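The dual-acceptance behaviour the description sketches, as an added illustrative model that is not MongoDB's code: a membership check that accepts a peer certificate matching either the configured criteria or the override while the override is set, and only the configured criteria once it is unset. The comma-separated RDN string format, the "subject must carry every required attribute" matching rule, and the requirement that the override object hold exactly one of its two keys are assumptions.

```python
import json
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed model of the dual-acceptance behaviour described in the ticket;
# this is not MongoDB's implementation. Assumed: attribute strings are
# comma-separated RDNs ("O=MongoDB,OU=Cluster"), and a subject matches when it
# carries every required attribute with the required value.

def parse_attributes(dn: str) -> Dict[str, str]:
    """Turn 'O=MongoDB, OU=Cluster' into {'O': 'MongoDB', 'OU': 'Cluster'}."""
    attrs: Dict[str, str] = {}
    for rdn in dn.split(","):
        key, sep, value = rdn.strip().partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        attrs[key.strip().upper()] = value.strip()
    return attrs

@dataclass
class Criteria:
    """One membership rule: either a DN attribute set or an extension value."""
    attributes: Optional[str] = None
    extension_value: Optional[str] = None

def criteria_from_override(raw_json: str) -> Criteria:
    """Parse the override object; exactly one of the two keys must be present."""
    obj = json.loads(raw_json)
    if set(obj) not in ({"attributes"}, {"extensionValue"}):
        raise ValueError("override needs exactly one of attributes/extensionValue")
    return Criteria(obj.get("attributes"), obj.get("extensionValue"))

def peer_matches(subject: str, extension: Optional[str], crit: Criteria) -> bool:
    """Check one peer certificate (subject DN + cluster-membership extension)."""
    if crit.attributes is not None:
        want, have = parse_attributes(crit.attributes), parse_attributes(subject)
        return all(have.get(k) == v for k, v in want.items())
    return extension is not None and extension == crit.extension_value

def is_cluster_member(subject: str, extension: Optional[str],
                      configured: Criteria, override: Optional[Criteria] = None) -> bool:
    """While the override is set, a peer matching either rule is accepted;
    once it is unset only the configured rule remains, so rotation can finish."""
    if peer_matches(subject, extension, configured):
        return True
    return override is not None and peer_matches(subject, extension, override)
```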
Comments

Comment by Kenneth Dyer [ 29/Jun/23 ]

DOCSP-28315

Comment by Sarah Olson [ 10/Apr/23 ]

Hi kenneth.dyer@mongodb.com! Assigning this over to you as it is part of the X.509 work you will be doing in 7.0. I am triaging this to backlog. Feel free to attach it to an epic, if you are tracking your work that way, or close it as a duplicate if you already have a ticket that covers this work!