[SERVER-44435] Allow x509 authorization to be selectively enabled based on the CA Created: 05/Nov/19 Updated: 29/Oct/23 Resolved: 17/Jan/20 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 4.2.4, 4.3.3, 3.6.18, 4.0.17 |
| Type: | New Feature | Priority: | Major - P3 |
| Reporter: | Cory Mintz | Assignee: | Sara Golemon |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Backport Requested: | v4.2, v4.0, v3.6 |
| Sprint: | Security 2019-12-16, Security 2019-01-27 |
| Participants: | |
| Description |
|
In This is not granular enough for the use case where mongod is running with multiple CAs, some trusted and some untrusted. An untrusted CA would be allowed to issue client certificates, but the authorizations must still be controlled by the MongoDB database user. A trusted CA would be allowed to issue certificates with x509 authorization extensions. Ideally, instead of allowRolesFromX509Certificates being a boolean, there would be a way to pass MongoDB a list of trusted CAs. |
| Comments |
| Comment by Githook User [ 04/Feb/20 ] |
|
Author: Sara Golemon (sgolemon, sara.golemon@mongodb.com) Message: (cherry picked from commit b99fbe5f80f4368e1916e1bfbf3d195276ace5c7) create mode 100644 jstests/libs/client_roles.pem |
| Comment by Githook User [ 04/Feb/20 ] |
|
Author: Sara Golemon (sgolemon, sara.golemon@mongodb.com) Message: |
| Comment by Githook User [ 03/Feb/20 ] |
|
Author: Sara Golemon (sgolemon, sara.golemon@mongodb.com) Message: (cherry picked from commit b99fbe5f80f4368e1916e1bfbf3d195276ace5c7) create mode 100644 jstests/ssl/tlsCATrusts.js |
| Comment by Githook User [ 28/Jan/20 ] |
|
Author: Sara Golemon (sgolemon, sara.golemon@mongodb.com) Message: (cherry picked from commit b99fbe5f80f4368e1916e1bfbf3d195276ace5c7) create mode 100644 jstests/ssl/tlsCATrusts.js |
| Comment by Githook User [ 17/Jan/20 ] |
|
Author: Sara Golemon (sgolemon, sara.golemon@mongodb.com) Message: create mode 100644 jstests/ssl/tlsCATrusts.js |