<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 03:35:33 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-14655] x.509 certificate authentication requires O,OU to differ between client and server</title>
                <link>https://jira.mongodb.org/browse/SERVER-14655</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;For x.509 certificate authentication, the MongoDB server will consider a certificate with identical subject name properties to be a member of the cluster and not a client. For some organizations it may not be possible to obtain certificates meeting this requirement.&lt;/p&gt;</description>
                <environment></environment>
        <key id="148431">SERVER-14655</key>
            <summary>x.509 certificate authentication requires O,OU to differ between client and server</summary>
                <type id="2" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14711&amp;avatarType=issuetype">New Feature</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="3">Duplicate</resolution>
                                        <assignee username="backlog-server-security">Backlog - Security Team</assignee>
                                    <reporter username="mark.helmstetter@mongodb.com">Mark Helmstetter</reporter>
                        <labels>
                            <label>platforms-re-triaged</label>
                    </labels>
                <created>Tue, 22 Jul 2014 19:45:00 +0000</created>
                <updated>Sat, 15 Apr 2023 02:52:51 +0000</updated>
                            <resolved>Sat, 15 Apr 2023 02:52:51 +0000</resolved>
                                    <version>2.6.3</version>
                                                    <component>Security</component>
                                        <votes>6</votes>
                                    <watches>30</watches>
                                                                                                                <comments>
                            <comment id="5349517" author="varun.ravichandran" created="Sat, 15 Apr 2023 02:52:51 +0000"  >&lt;p&gt;The requested behavior will be available in 7.0. Specifically, the newly-added &lt;tt&gt;net.tls.clusterAuthX509.attributes&lt;/tt&gt; config option can be used to specify DN attributes and values that must be contained within a connecting client&apos;s subject name DN in order to be treated as a cluster member (see &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-74989&quot; title=&quot;Create configuration file option for custom X.509 subject name matching&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-74989&quot;&gt;&lt;del&gt;SERVER-74989&lt;/del&gt;&lt;/a&gt;). Alternatively, the newly-added &lt;tt&gt;net.tls.clusterAuthX509.extensionValue&lt;/tt&gt; config option can be used to specify a value that is expected to be present in the connecting client&apos;s extension with OID 1.3.6.1.4.1.34601.2.1.2 (see &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-74999&quot; title=&quot;Create configuration file option for custom X.509 extension for cluster membership&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-74999&quot;&gt;&lt;del&gt;SERVER-74999&lt;/del&gt;&lt;/a&gt;). With either of these options, customers can use X.509 authentication for intracluster auth and provide member certificates that do not necessarily rely on O/OU being present or identical.&lt;/p&gt;</comment>
                            <comment id="5162868" author="JIRAUSER1272735" created="Thu, 2 Feb 2023 15:58:41 +0000"  >&lt;p&gt;Hello Salman,&lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;

&lt;p&gt;Thank you for responding. Yes please, we are looking to implement x.509 as a potential alternative to LDAP-based authentication and it&apos;s a showstopper for us. Happy to get on a call to elaborate on this further.&lt;/p&gt;</comment>
                            <comment id="5162852" author="salman.baset" created="Thu, 2 Feb 2023 15:56:06 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=sanchayan.sen%40natwest.com&quot; class=&quot;user-hover&quot; rel=&quot;sanchayan.sen@natwest.com&quot;&gt;sanchayan.sen@natwest.com&lt;/a&gt; thanks for your comment. We are working on a solution to bring X.509 certs with user defined attributes. Happy to discuss your specific situation directly.&lt;/p&gt;</comment>
                            <comment id="5162790" author="JIRAUSER1272735" created="Thu, 2 Feb 2023 15:45:15 +0000"  >&lt;p&gt;Hi&lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;

&lt;p&gt;Is there any update on this? We do have a similar problem and it&apos;s really a showstopper. We cannot obtain certificates with different attributes and that&apos;s stopping us from adopting x.509 authentication.&lt;/p&gt;</comment>
                            <comment id="3550694" author="mattmail4543@yahoo.com" created="Wed, 6 Jan 2021 16:12:36 +0000"  >&lt;p&gt;I have the 4.2.11 version installed and set the parameter enforceUserClusterSeparation : false in the mongod.conf, which allows me to add an external user with the same O/OU/DC as the server. When I try to log in as that external user I get &quot;The provided certificate can only be used for cluster authentication, not client authentication.&quot;&lt;/p&gt;</comment>
                            <comment id="3332437" author="spencer.jackson@10gen.com" created="Tue, 11 Aug 2020 14:14:22 +0000"  >&lt;p&gt;Here&apos;s a quick summary of our understanding of and plans for this ticket.&lt;/p&gt;

&lt;p&gt;Clusters configured for intracluster X509 authentication validate whether incoming client connections are originating from fellow cluster members by comparing the peer&apos;s certificate&apos;s subject name against its own certificate&apos;s. Clients with certificates corresponding to the cluster are granted internal cluster privileges. These authentication attempts do not require the server to make a disk access. This implies that it would be unsafe to create an unprivileged user whose name would be considered a cluster member: anyone authenticating as it would be granted full internal privileges regardless of its defined on-disk privileges. To prevent this issue from arising, createUser has a guardrail which prevents it from making users with these names.&lt;/p&gt;

&lt;p&gt;Clusters using keyFile intracluster authentication would be immune from this conflation. However, we support upgrading a cluster from using keyFile intracluster authentication to using X509. Any users created under the old regimen could suddenly gain many powerful privileges after an upgrade. So, createUser&apos;s guardrail remains engaged in keyFile mode.&lt;/p&gt;

&lt;p&gt;There could be multiple solutions for this request. One could involve a general rework to how cluster identities are provisioned, one could be to relax the guardrail for consumers of keyFile authentication.&lt;/p&gt;

&lt;p&gt;There seems to be enough appetite for a relaxation. I believe that this relaxation should be opt-in via a setParameter, and that we should document the risks of using this mode and that the users&apos; collection should be audited before upgrading to intracluster X509 authentication. I believe that we should re-open and perform this work under &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-45938&quot; title=&quot;Allow matching O/OU/DC in client x509 cert if clusterMode:keyFile&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-45938&quot;&gt;&lt;del&gt;SERVER-45938&lt;/del&gt;&lt;/a&gt;, which was more precisely along these lines. We&apos;ll keep this ticket open in order to retain longer discussion about provisioning of cluster identity.&lt;/p&gt;</comment>
                            <comment id="2883013" author="simon.levesque@morganstanley.com" created="Tue, 18 Feb 2020 19:37:17 +0000"  >&lt;p&gt;Hi,&lt;/p&gt;

&lt;p&gt;I would consider that a &quot;bug&quot;, not a &quot;new feature&quot;, since when using a keyfile that doesn&apos;t make sense at all.&lt;/p&gt;

&lt;p&gt;Also, it has been &quot;Major&quot; since 2014. How can we get some traction on it? We depend on that fix to be able to use some vendor products that do not work with Kerberos.&lt;/p&gt;

&lt;p&gt;thanks&lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10011">
                    <name>Depends</name>
                                                                <inwardlinks description="is depended on by">
                                                        </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10320">
                    <name>Documented</name>
                                                                <inwardlinks description="is documented by">
                                                        </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10010">
                    <name>Duplicate</name>
                                            <outwardlinks description="duplicates">
                                        <issuelink>
            <issuekey id="2291069">SERVER-74989</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="2291225">SERVER-74999</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                            <issuelinktype id="10520">
                    <name>Problem/Incident</name>
                                            <outwardlinks description="causes">
                                                        </outwardlinks>
                                                        </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                                        </outwardlinks>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="1605025">SERVER-54136</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="1127925">SERVER-45938</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>7.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18555" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname># of Sprints</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1.0</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_12751" key="com.atlassian.jira.plugin.system.customfieldtypes:multiselect">
                        <customfieldname>Assigned Teams</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="25129"><![CDATA[Server Security]]></customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_13552" key="com.go2group.jira.plugin.crm:crm_generic_field">
                        <customfieldname>Case</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[[500A000000YTYPeIAP, 5002K00000kDPxGQAW, 5002K00000ocekNQAQ, 5002K000011eg8XQAQ]]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Tue, 22 Jul 2014 22:16:35 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        42 weeks, 5 days ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_10857" key="com.pyxis.greenhopper.jira:gh-epic-link">
                        <customfieldname>Epic Link</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>PM-3048</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>varun.ravichandran@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            42 weeks, 5 days ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>backlog-server-security</customfieldvalue>
            <customfieldvalue>mark.helmstetter@mongodb.com</customfieldvalue>
            <customfieldvalue>mattmail4543@yahoo.com</customfieldvalue>
            <customfieldvalue>salman.baset@mongodb.com</customfieldvalue>
            <customfieldvalue>sanchayan.sen@natwest.com</customfieldvalue>
            <customfieldvalue>simon.levesque@morganstanley.com</customfieldvalue>
            <customfieldvalue>spencer.jackson@mongodb.com</customfieldvalue>
            <customfieldvalue>varun.ravichandran@mongodb.com</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hrlr67:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hr8vif:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>3852</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                <customfield id="customfield_10557" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="4065">Security 2020-08-10</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hsgs67:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>