[SERVER-44435] Allow x509 authorization to be selectively enabled based on the CA Created: 05/Nov/19  Updated: 29/Oct/23  Resolved: 17/Jan/20

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 4.2.4, 4.3.3, 3.6.18, 4.0.17

Type: New Feature Priority: Major - P3
Reporter: Cory Mintz Assignee: Sara Golemon
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Documented
Backwards Compatibility: Fully Compatible
Backport Requested:
v4.2, v4.0, v3.6
Sprint: Security 2019-12-16, Security 2019-01-27
Participants:

 Description   

In SERVER-41069, allowRolesFromX509Certificates was added as a switch to enable or disable the use of x509 authorization extensions for the entire mongod/mongos process.

This is not granular enough for the use case where mongod is running with multiple CAs, some trusted and some un-trusted. An un-trusted CA would be allowed to issue client certificates but the authorizations must still be controlled by the MongoDB database user. A trusted CA would be allowed to issue certificates with x509 authorization extensions.

Ideally instead of allowRolesFromX509Certificates being a boolean there would instead be a way to pass MongoDB a list of trusted CAs.



 Comments   
Comment by Githook User [ 04/Feb/20 ]

Author:

{'username': 'sgolemon', 'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com'}

Message: SERVER-44435 Allow selective whitelisting of X509 based role authorizations

(cherry picked from commit b99fbe5f80f4368e1916e1bfbf3d195276ace5c7)

create mode 100644 jstests/libs/client_roles.pem
create mode 100644 jstests/ssl/tlsCATrusts.js
create mode 100644 jstests/ssl/x509/root-and-trusted-ca.pem
create mode 100644 jstests/ssl/x509/trusted-client-testdb-roles.pem
create mode 100644 src/mongo/db/auth/auth_types.idl
create mode 100644 src/mongo/util/net/ssl_parameters.cpp
create mode 100644 src/mongo/util/net/ssl_parameters.idl
Branch: v3.6
https://github.com/mongodb/mongo/commit/3ca76fd569c94de72c4daf6eef27fbf9bf51233b

Comment by Githook User [ 04/Feb/20 ]

Author:

{'username': 'sgolemon', 'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com'}

Message: SERVER-44435 Fix typo in test
Branch: master
https://github.com/mongodb/mongo/commit/a347a421837981f55399e19a68ddc0a6127e93c4

Comment by Githook User [ 03/Feb/20 ]

Author:

{'username': 'sgolemon', 'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com'}

Message: SERVER-44435 Allow selective whitelisting of X509 based role authorizations

(cherry picked from commit b99fbe5f80f4368e1916e1bfbf3d195276ace5c7)

create mode 100644 jstests/ssl/tlsCATrusts.js
create mode 100644 jstests/ssl/x509/root-and-trusted-ca.pem
create mode 100644 jstests/ssl/x509/trusted-client-testdb-roles.pem
create mode 100644 src/mongo/db/auth/auth_types.idl
create mode 100644 src/mongo/util/net/ssl_parameters.idl
Branch: v4.0
https://github.com/mongodb/mongo/commit/2de3fecd52943c1e0eb554834dd0422cabf958cd

Comment by Githook User [ 28/Jan/20 ]

Author:

{'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon', 'name': 'Sara Golemon'}

Message: SERVER-44435 Allow selective whitelisting of X509 based role authorizations

(cherry picked from commit b99fbe5f80f4368e1916e1bfbf3d195276ace5c7)

create mode 100644 jstests/ssl/tlsCATrusts.js
create mode 100644 jstests/ssl/x509/root-and-trusted-ca.pem
create mode 100644 jstests/ssl/x509/trusted-client-testdb-roles.pem
Branch: v4.2
https://github.com/mongodb/mongo/commit/80ebbb1e48ee022efefe50d577cddfd6df52e84c

Comment by Githook User [ 17/Jan/20 ]

Author:

{'username': 'sgolemon', 'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com'}

Message: SERVER-44435 Allow selective whitelisting of X509 based role authorizations

create mode 100644 jstests/ssl/tlsCATrusts.js
create mode 100644 jstests/ssl/x509/trusted-client-testdb-roles.pem
Branch: master
https://github.com/mongodb/mongo/commit/b99fbe5f80f4368e1916e1bfbf3d195276ace5c7

Generated at Thu Feb 08 05:05:58 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.