[SERVER-45938] Allow matching O/OU/DC in client x509 cert if clusterMode:keyFile
Created: 03/Feb/20 | Updated: 29/Oct/23 | Resolved: 02/Sep/20
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 3.2.22, 3.6.17, 3.4.24, 4.2.3, 4.3.3, 4.0.16 |
| Fix Version/s: | 4.7.0, 4.4.2, 4.2.11, 4.0.21 |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | James Kovacs | Assignee: | Spencer Jackson |
| Resolution: | Fixed | Votes: | 1 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Backport Requested: | v4.4, v4.2, v4.0 |
| Sprint: | Security 2020-02-24, Security 2020-08-24, Security 2020-09-07 |
| Participants: | |
| Case: | (copied to CRM) |
| Description |

When creating a new client x.509 user via createUser, MongoDB validates that the certificate's O/OU/DC do not match those of the server certificate, to prevent the user from being considered an internal cluster member with __system privileges. However, this check is only meaningful if clusterMode: x509. If clusterMode: keyFile, matching O/OU/DC does not grant __system privileges, yet MongoDB still prevents such users from being created. So if clusterMode: keyFile, we should not enforce the restriction against client certificates whose O/OU/DC match the PEMKeyFile/clusterFile certificates.
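As an added illustration, not MongoDB's code, here is a small Python model of the check the description refers to: the O/OU/DC comparison that marks a client subject as a cluster member, gated on the cluster authentication mode the ticket names. The DN strings, the `cluster_mode` values "x509"/"keyFile" and the function names are constructed for this example, and DN escaping (`\,`) is deliberately not handled.

```python
from __future__ import annotations

# Illustrative model of the separation check SERVER-45938 describes; it is not
# MongoDB's implementation. A client subject whose O/OU/DC equal the server
# certificate's is what the server treats as a cluster member (the internal
# __system user), but only when cluster members authenticate with x509.
CLUSTER_MEMBER_ATTRS = ("O", "OU", "DC")


def parse_dn(dn: str) -> dict[str, list[str]]:
    """Split 'CN=app,OU=db,O=Acme,DC=example,DC=com' into a multimap.
    DC (and OU) may legitimately repeat, so values are kept as lists.
    Simplification: escaped commas inside values are not supported."""
    attrs: dict[str, list[str]] = {}
    for rdn in dn.split(","):
        key, sep, value = rdn.strip().partition("=")
        if not sep or not key:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attrs.setdefault(key.upper(), []).append(value)
    return attrs


def matches_cluster_member(client_dn: str, server_dn: str) -> bool:
    """True when every O, OU and DC value matches, order-insensitively.
    A missing attribute on one side (e.g. one DC fewer) is a mismatch."""
    client, server = parse_dn(client_dn), parse_dn(server_dn)
    return all(
        sorted(client.get(attr, [])) == sorted(server.get(attr, []))
        for attr in CLUSTER_MEMBER_ATTRS
    )


def is_cluster_member(client_dn: str, server_dn: str, cluster_mode: str) -> bool:
    """A matching subject only carries cluster privileges under clusterMode x509."""
    return cluster_mode == "x509" and matches_cluster_member(client_dn, server_dn)


def may_create_x509_user(client_dn: str, server_dn: str,
                         cluster_mode: str) -> tuple[bool, str]:
    """Decide whether createUser for this external subject should be refused,
    applying the rule the ticket asks for: refuse only when the subject would
    actually be granted __system privileges."""
    if not matches_cluster_member(client_dn, server_dn):
        return True, "O/OU/DC differ from the server certificate"
    if cluster_mode == "x509":
        return False, "subject would be treated as a cluster member (__system)"
    return True, "O/OU/DC match, but clusterMode keyFile grants no cluster privileges"
```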
| Comments |
| Comment by Matthew Rummel [ 06/Jan/21 ] |

I have the 4.2.11 version installed and set the parameter enforceUserClusterSeparation: false in mongod.conf, which allows me to add an external user with the same O/OU/DC as the server. When I try to log in as that external user I get "The provided certificate can only be used for cluster authentication, not client authentication."
| Comment by Githook User [ 30/Sep/20 ] |

Author: {'name': 'Spencer Jackson', 'email': 'spencer.jackson@mongodb.com', 'username': 'spencerjackson'}
Message: (cherry picked from commit 2973992735143c9f6b6ff2a8bc15e5adf19d9ac6)
| Comment by Githook User [ 30/Sep/20 ] |

Author: {'name': 'Spencer Jackson', 'email': 'spencer.jackson@mongodb.com', 'username': 'spencerjackson'}
Message: (cherry picked from commit 2973992735143c9f6b6ff2a8bc15e5adf19d9ac6)
| Comment by Githook User [ 17/Sep/20 ] |

Author: {'name': 'Spencer Jackson', 'email': 'spencer.jackson@mongodb.com', 'username': 'spencerjackson'}
Message: (cherry picked from commit 2973992735143c9f6b6ff2a8bc15e5adf19d9ac6)
| Comment by Githook User [ 02/Sep/20 ] |

Author: {'name': 'Spencer Jackson', 'email': 'spencer.jackson@mongodb.com', 'username': 'spencerjackson'}
Message:
| Comment by Spencer Jackson [ 18/Feb/20 ] |

I believe this ticket is mostly a duplicate of