[SERVER-17438] Provide a method to create replicated users that work only with certain members of a replica set
Created: 02/Mar/15 | Updated: 04/Jun/18 | Resolved: 10/May/18
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Replication, Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Minor - P4 |
| Reporter: | David Hows | Assignee: | Spencer Jackson |
| Resolution: | Done | Votes: | 1 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Description |
|
Provide a method to create replicated users that work only with certain members of a replica set. Example: I have a 5-member replica set (M0-M4) with M3 and M4 being lower-powered reporting members. I wish to create a user that will only allow the end user to authenticate to M3 and M4, as we have a requirement that reporting users are only allowed to connect to the reporting secondaries.
| Comments |
| Comment by Spencer Jackson [ 10/May/18 ] |
|
I believe this functionality can be achieved with IP whitelisting, assuming that the nodes have static IPs. To obtain this behavior, one may attach an authentication restriction to a user document with a serverAddress containing the IP address of the node the user should be able to authenticate on. For future-proofing, one could delegate the different classes of nodes to different subnets, and define the serverAddress on the subnet's CIDR range.
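
The approach from the comment above, as an added example that is not code from the ticket or from MongoDB: it builds a `createUser` command whose `authenticationRestrictions` carry a `serverAddress` CIDR range, and models which of the five members would accept the user. The member IPs, subnet layout, user name, database name and helper functions are assumptions made for illustration, and only IPv4 is modelled.

```javascript
// Constructed addresses: M0-M2 on a general subnet, M3-M4 on a reporting subnet.
const MEMBERS = { M0: "10.0.1.10", M1: "10.0.1.11", M2: "10.0.1.12",
                  M3: "10.0.2.10", M4: "10.0.2.11" };

// Convert a dotted-quad IPv4 address to an unsigned 32-bit integer.
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4 || parts.some(p => !/^\d{1,3}$/.test(p) || Number(p) > 255))
    throw new Error("bad IPv4 address: " + ip);
  return parts.reduce((acc, p) => acc * 256 + Number(p), 0);
}

// True when ip equals the entry or falls inside the entry's CIDR range.
function inRange(ip, entry) {
  const [base, bitsText] = entry.split("/");
  const bits = bitsText === undefined ? 32 : Number(bitsText);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32)
    throw new Error("bad prefix length: " + entry);
  const size = 2 ** (32 - bits); // number of addresses the prefix covers
  return Math.floor(ipToInt(ip) / size) === Math.floor(ipToInt(base) / size);
}

// createUser command restricted to the given server-side addresses.
function reportingUserCommand(pwd, serverAddresses) {
  return {
    createUser: "reportingUser",               // hypothetical user name
    pwd,
    roles: [{ role: "read", db: "reports" }],  // hypothetical database
    authenticationRestrictions: [{ serverAddress: serverAddresses }],
  };
}

// Model of the check: members whose listening address matches a restriction.
function membersAccepting(cmd, members) {
  return Object.keys(members).filter(name =>
    cmd.authenticationRestrictions.some(r =>
      r.serverAddress.some(entry => inRange(members[name], entry))));
}

const cmd = reportingUserCommand("<password placeholder>", ["10.0.2.0/24"]);
// In mongosh, connected to the primary: db.getSiblingDB("admin").runCommand(cmd)
console.log(membersAccepting(cmd, MEMBERS));
```

The user document still replicates to every member; the restriction only decides where authentication succeeds, so a client must reach M3 or M4 on an address inside the listed range.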