[SERVER-45938] Allow matching O/OU/DC in client x509 cert if clusterMode:keyFile Created: 03/Feb/20  Updated: 29/Oct/23  Resolved: 02/Sep/20

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 3.2.22, 3.6.17, 3.4.24, 4.2.3, 4.3.3, 4.0.16
Fix Version/s: 4.7.0, 4.4.2, 4.2.11, 4.0.21

Type: Improvement Priority: Major - P3
Reporter: James Kovacs Assignee: Spencer Jackson
Resolution: Fixed Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Documented
Problem/Incident
is caused by SERVER-11025 Adding a user with x509 certificate =... Closed
is caused by SERVER-15459 Check new X509 user names against _cl... Closed
Related
related to SERVER-54136 Make the authenticate command respect... Closed
related to SERVER-14655 x.509 certificate authentication requ... Closed
is related to SERVER-73576 enforceUserClusterSeparation authenti... Closed
is related to DOCS-15864 [SERVER] documentation for enforceUse... Backlog
Backwards Compatibility: Fully Compatible
Backport Requested:
v4.4, v4.2, v4.0
Sprint: Security 2020-02-24, Security 2020-08-24, Security 2020-09-07
Participants:
Case:

Description

When creating a new client x.509 user via createUser, MongoDB validates that the O/OU/DC do not match to prevent the user from being considered an internal cluster member with _system privileges. However, this only applies if clusterMode: x509. If clusterMode: keyFile, then matching O/OU/DC does not grant _system privileges, but MongoDB still prevents these users from being created. So if clusterMode: keyFile, then we should not enforce the matching O/OU/DC restriction between client and PEMKeyFile/clusterFile certs.
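The reserved-name check the description refers to, modelled as an added example (not MongoDB's code). It assumes the comparison covers exactly the O, OU and DC attributes of the subject DN, that the override is the enforceUserClusterSeparation server parameter mentioned in the comments, and it uses constructed sample DNs.

```python
"""Model of MongoDB's reserved x.509 username check in createUser (added example,
not MongoDB code). A client DN whose O, OU and DC attributes all equal those of the
server's cluster certificate looks like a cluster member, so the name is reserved
unless the enforceUserClusterSeparation override is turned off."""
import re
from collections import Counter

# Constructed sample DNs: the server's certificate and two candidate client users.
SERVER_DN = "CN=mongod01.example.internal,OU=Cluster,O=Example Corp,DC=example,DC=com"
CLIENT_DN_SAME_ORG = "CN=alice,OU=Cluster,O=Example Corp,DC=example,DC=com"
CLIENT_DN_OTHER_OU = "CN=alice,OU=Clients,O=Example Corp,DC=example,DC=com"

def parse_dn(dn: str) -> list:
    """Split a comma-separated DN into (TYPE, value) pairs, honouring '\\,' escapes."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip().upper(), value.replace("\\,", ",").strip()))
    return pairs

def cluster_identity(dn: str) -> Counter:
    """The attributes compared for cluster membership (assumed: O, OU, DC), as a
    multiset so attribute order in the DN does not matter."""
    return Counter(pair for pair in parse_dn(dn) if pair[0] in ("O", "OU", "DC"))

def matches_cluster_cert(client_dn: str, server_dn: str) -> bool:
    """True when the client cert would be indistinguishable from a cluster member."""
    return cluster_identity(client_dn) == cluster_identity(server_dn)

def create_user_allowed(client_dn: str, server_dn: str,
                        enforce_user_cluster_separation: bool = True) -> bool:
    """createUser decision. The check does not depend on clusterAuthMode: a keyFile
    cluster can later be upgraded to x509, so reserved names must never exist."""
    if not matches_cluster_cert(client_dn, server_dn):
        return True
    return not enforce_user_cluster_separation

def client_auth_allowed(client_dn: str, server_dn: str) -> bool:
    """Authentication-time classification as reported in the 06/Jan/21 comment: a cert
    matching the cluster certificate is only usable for cluster auth, even if the
    override let the user be created."""
    return not matches_cluster_cert(client_dn, server_dn)

if __name__ == "__main__":
    for dn in (CLIENT_DN_SAME_ORG, CLIENT_DN_OTHER_OU):
        print(dn, "createUser:", create_user_allowed(dn, SERVER_DN),
              "client auth:", client_auth_allowed(dn, SERVER_DN))
```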



Comments
Comment by Matthew Rummel [ 06/Jan/21 ]

I have the 4.2.11 version installed and set parameter enforceUserClusterSeparation : false in the mongod.conf which allows me to add an external user with the same O/OU/DC as the server. When I try to login as that external user I get "The provided certificate can only be used for cluster authentication, not client authentication."

Comment by Githook User [ 30/Sep/20 ]

Author:

{'name': 'Spencer Jackson', 'email': 'spencer.jackson@mongodb.com', 'username': 'spencerjackson'}

Message: SERVER-45938 Create override for createUser to allow possible cluster members

(cherry picked from commit 2973992735143c9f6b6ff2a8bc15e5adf19d9ac6)
(cherry picked from commit d87aafc7f1a70591c5dac864c807d4b943aa6d5f)
(cherry picked from commit 2b912420bd99dc67168d882d615a7cb94290c46e)
Branch: v4.0
https://github.com/mongodb/mongo/commit/341d8030731194ba9ed400fe68ab40700922fdc8

Comment by Githook User [ 30/Sep/20 ]

Author:

{'name': 'Spencer Jackson', 'email': 'spencer.jackson@mongodb.com', 'username': 'spencerjackson'}

Message: SERVER-45938 Create override for createUser to allow possible cluster members

(cherry picked from commit 2973992735143c9f6b6ff2a8bc15e5adf19d9ac6)
(cherry picked from commit d87aafc7f1a70591c5dac864c807d4b943aa6d5f)
Branch: v4.2
https://github.com/mongodb/mongo/commit/2b912420bd99dc67168d882d615a7cb94290c46e

Comment by Githook User [ 17/Sep/20 ]

Author:

{'name': 'Spencer Jackson', 'email': 'spencer.jackson@mongodb.com', 'username': 'spencerjackson'}

Message: SERVER-45938 Create override for createUser to allow possible cluster members

(cherry picked from commit 2973992735143c9f6b6ff2a8bc15e5adf19d9ac6)
Branch: v4.4
https://github.com/mongodb/mongo/commit/0541641137ae7b25d61c58b579be4985f43c1472

Comment by Githook User [ 02/Sep/20 ]

Author:

{'name': 'Spencer Jackson', 'email': 'spencer.jackson@mongodb.com', 'username': 'spencerjackson'}

Message: SERVER-45938 Create override for createUser to allow possible cluster members
Branch: master
https://github.com/mongodb/mongo/commit/2973992735143c9f6b6ff2a8bc15e5adf19d9ac6

Comment by Spencer Jackson [ 18/Feb/20 ]

I believe this ticket is mostly a duplicate of SERVER-14655 and will resolve it accordingly. The issue at play is some subject names are reserved for use with clusterAuthMode: x509. User accounts may not exist with these reserved names, and so may not be created. However, it is possible to upgrade from clusterAuthMode: keyFile to clusterAuthMode: x509. As such, users with reserved names must never exist, because an upgrade can later occur.

Generated at Thu Feb 08 05:10:05 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.