ISSUE DESCRIPTION
MongoDB 3.6 introduces support for setting IP-based restrictions as part of authentication. Before a client may authenticate to a user account, it must meet all the restrictions listed on the account.
Restrictions can be set against the IP address of the client or the IP address of the server that accepts the client's request. A restriction of this type is met if the server accepted the client's connection via an IP address listed in the definition, or one that falls inside a CIDR range listed in the definition. In all other cases the restriction is not met.
APPLYING THESE RESTRICTIONS
User and role documents can have a new optional field, called authenticationRestrictions, which contains an array of restriction documents. If this field is attached to a user or role, a client authenticating against this role must meet all the conditions described in at least one document in order to successfully authenticate.
For example:
    {
        "_id" : "admin.localhostRoot",
        "role" : "localhostRoot",
        "db" : "admin",
        "privileges" : [ ],
        "roles" : [ { "role" : "root", "db" : "admin" } ],
        "authenticationRestrictions" : [
            {
                "clientSource" : "127.0.0.0/8"
            }
        ]
    }
Additionally, both mongod and mongos have a new configuration flag, --clusterIpWhitelist, and a corresponding YAML configuration option, security.net.clusterIpWhitelist. The flag's argument is a string containing comma-separated IP addresses and/or CIDR blocks. If this flag is set at startup, all authentication attempts to the __system user must originate from an IP address or CIDR block contained in the flag's argument.
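The matching rules described above (every field of a restriction document must match, and at least one document must match) and the comma-separated --clusterIpWhitelist format, written out as an added Python evaluator; this is example code, not MongoDB's implementation. It assumes the server-side field is named serverAddress (the name MongoDB 3.6 uses alongside clientSource), accepts a field value given either as one string or as a list of strings, and treats an empty restriction document as not matching.

```python
import ipaddress
from typing import Iterable, List, Mapping, Optional, Sequence, Union

IpSpec = Union[str, Sequence[str]]


def _as_networks(spec: IpSpec) -> List[ipaddress._BaseNetwork]:
    """Turn one address, one CIDR string, or a list of them into networks.
    A bare address such as "10.0.0.5" becomes a /32 (or /128) network."""
    items = [spec] if isinstance(spec, str) else list(spec)
    return [ipaddress.ip_network(item, strict=False) for item in items]


def _matches(addr: str, spec: IpSpec) -> bool:
    """True if addr is listed in spec or falls inside one of its CIDR blocks.
    An IPv6 address never matches an IPv4 block, and vice versa."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _as_networks(spec))


def restrictions_satisfied(restrictions: Optional[Iterable[Mapping]],
                           client_ip: str, server_ip: str) -> bool:
    """Evaluate an authenticationRestrictions array for one connection.

    clientSource is checked against the client's address and serverAddress
    (assumed field name) against the address the server accepted the
    connection on. Every field present in a document must match; the user
    is allowed if at least one document matches. A missing or empty array
    imposes no restriction at all."""
    if not restrictions:
        return True
    for doc in restrictions:
        if not doc:
            continue  # fail closed: an empty document grants nothing
        if "clientSource" in doc and not _matches(client_ip, doc["clientSource"]):
            continue
        if "serverAddress" in doc and not _matches(server_ip, doc["serverAddress"]):
            continue
        return True
    return False


def cluster_whitelist_allows(whitelist: str, client_ip: str) -> bool:
    """Apply a --clusterIpWhitelist value such as "10.0.0.0/8,192.168.1.7"
    to a __system authentication attempt: the client must match one entry."""
    entries = [e.strip() for e in whitelist.split(",") if e.strip()]
    return _matches(client_ip, entries)


# Constructed sample mirroring the localhostRoot role document above.
LOCALHOST_ONLY = [{"clientSource": "127.0.0.0/8"}]
```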