[SERVER-54136] Make the authenticate command respect enforceUserClusterSeparation
Created: 29/Jan/21  Updated: 29/Oct/23  Resolved: 18/Feb/21

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 4.9.0, 4.4.5, 4.0.24, 4.2.14

Type: Bug
Priority: Major - P3
Reporter: Spencer Jackson
Assignee: Benjamin Caimano (Inactive)
Resolution: Fixed
Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Problem/Incident
causes SERVER-73576 enforceUserClusterSeparation authenti... Closed
Related
related to SERVER-14655 x.509 certificate authentication requ... Closed
is related to DOCS-15864 [SERVER] documentation for enforceUse... Backlog
is related to SERVER-45938 Allow matching O/OU/DC in client x509... Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested: v4.4, v4.2, v4.0
Sprint: Security 2021-02-22
Participants:
Case:

 Description   

The enforceUserClusterSeparation setParameter introduced by SERVER-45938 can be used to disable certain sanity checks in the createUser command, for clusters where they are not relevant.

We should disable the equivalent checks in the authenticate command when this parameter is active, allowing "cluster member" certificates to authenticate as users stored in the $external database.

We should also validate why tests introduced by SERVER-45938 didn't identify that this override wasn't present.



 Comments   
Comment by Benjamin Caimano (Inactive) [ 19/Mar/21 ]

Author: Ben Caimano <ben.caimano@10gen.com>

Message: SERVER-54964 Take out extra idl file
Branch: v4.0
https://github.com/mongodb/mongo/commit/eb3d2fbac2b4f9240ac20ab2052d1ed04df13c24

(Regrettably attached the wrong jira ticket.)

Comment by Githook User [ 19/Mar/21 ]

Author: Ben Caimano <ben.caimano@10gen.com>

Message: SERVER-54136 Make the authenticate command respect enforceUserClusterSeparation
Branch: v4.0
https://github.com/mongodb/mongo/commit/78cbc632402a6a7505dc751789e779921b8d85ce

Comment by Githook User [ 16/Mar/21 ]

Author: Ben Caimano <ben.caimano@10gen.com>

Message: SERVER-54136 Make the authenticate command respect enforceUserClusterSeparation

(cherry picked from commit 664eacb0a0924e6a9ab2d2043e0326946f027a39)
Branch: v4.2
https://github.com/mongodb/mongo/commit/0b8bd0798190c3aaa077d22682cf1b4b41055021

Comment by Githook User [ 15/Mar/21 ]

Author: Ben Caimano <ben.caimano@10gen.com>

Message: SERVER-54136 Make the authenticate command respect enforceUserClusterSeparation
Branch: v4.4
https://github.com/mongodb/mongo/commit/c60f7a4f2d00d26aeb79720fdc4e0080d3df38c1

Comment by Simon Levesque [ 15/Mar/21 ]

The big issue is that we were waiting for a long time on SERVER-45938 and SERVER-45938 is just not usable until this fix is put in. SERVER-45938 cannot work and never worked...

In other words, that is a blocker for us and we need that fix asap.

thanks

Comment by Salman Baset [ 15/Mar/21 ]

We are working on a back port for 4.0 and expect to deliver it in July time frame.

Comment by Githook User [ 18/Feb/21 ]

Author: Ben Caimano <ben.caimano@10gen.com>

Message: SERVER-54136 Make the authenticate command respect enforceUserClusterSeparation
Branch: master
https://github.com/mongodb/mongo/commit/5a76da986da7166226cc3da2eed081bc5263bfe6

Generated at Thu Feb 08 05:32:45 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.