<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 05:10:05 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-45938] Allow matching O/OU/DC in client x509 cert if clusterMode:keyFile</title>
                <link>https://jira.mongodb.org/browse/SERVER-45938</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;When creating a new client x.509 user via &lt;tt&gt;createUser&lt;/tt&gt;, MongoDB validates that the O/OU/DC do not match to prevent the user from being considered an internal cluster member with &lt;tt&gt;_system&lt;/tt&gt; privileges. However, this only applies if &lt;tt&gt;clusterMode: x509&lt;/tt&gt;. If &lt;tt&gt;clusterMode: keyFile&lt;/tt&gt;, then matching O/OU/DC does not grant &lt;tt&gt;_system&lt;/tt&gt; privileges, but MongoDB still prevents these users from being created. So if &lt;tt&gt;clusterMode: keyFile&lt;/tt&gt;, then we should not enforce the matching O/OU/DC restriction between client and PEMKeyFile/clusterFile certs.&lt;/p&gt;</description>
                <environment></environment>
        <key id="1127925">SERVER-45938</key>
            <summary>Allow matching O/OU/DC in client x509 cert if clusterMode:keyFile</summary>
                <type id="4" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14710&amp;avatarType=issuetype">Improvement</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13201">Fixed</resolution>
                                        <assignee username="spencer.jackson@mongodb.com">Spencer Jackson</assignee>
                                    <reporter username="james.kovacs@mongodb.com">James Kovacs</reporter>
                        <labels>
                    </labels>
                <created>Mon, 3 Feb 2020 22:59:40 +0000</created>
                <updated>Sun, 29 Oct 2023 22:12:36 +0000</updated>
                            <resolved>Wed, 2 Sep 2020 15:01:04 +0000</resolved>
                                    <version>3.2.22</version>
                    <version>3.6.17</version>
                    <version>3.4.24</version>
                    <version>4.2.3</version>
                    <version>4.3.3</version>
                    <version>4.0.16</version>
                                    <fixVersion>4.7.0</fixVersion>
                    <fixVersion>4.4.2</fixVersion>
                    <fixVersion>4.2.11</fixVersion>
                    <fixVersion>4.0.21</fixVersion>
                                    <component>Security</component>
                                        <votes>1</votes>
                                    <watches>8</watches>
                                                                                                                <comments>
                            <comment id="3550697" author="mattmail4543@yahoo.com" created="Wed, 6 Jan 2021 16:13:20 +0000"  >&lt;p&gt;I have the 4.2.11 version installed and set parameter enforceUserClusterSeparation : false in the mongod.conf which allows me to add an external user with the same&#160;&#160;O/OU/DC as the server. When I try to login as that external user I get &quot;The provided certificate can only be used for cluster authentication, not client authentication. &quot;&lt;/p&gt;</comment>
                            <comment id="3419247" author="xgen-internal-githook" created="Wed, 30 Sep 2020 18:50:36 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Spencer Jackson&apos;, &apos;email&apos;: &apos;spencer.jackson@mongodb.com&apos;, &apos;username&apos;: &apos;spencerjackson&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-45938&quot; title=&quot;Allow matching O/OU/DC in client x509 cert if clusterMode:keyFile&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-45938&quot;&gt;&lt;del&gt;SERVER-45938&lt;/del&gt;&lt;/a&gt; Create override for createUser to allow possible cluster members&lt;/p&gt;

&lt;p&gt;(cherry picked from commit 2973992735143c9f6b6ff2a8bc15e5adf19d9ac6)&lt;br/&gt;
(cherry picked from commit d87aafc7f1a70591c5dac864c807d4b943aa6d5f)&lt;br/&gt;
(cherry picked from commit 2b912420bd99dc67168d882d615a7cb94290c46e)&lt;br/&gt;
Branch: v4.0&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/341d8030731194ba9ed400fe68ab40700922fdc8&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/341d8030731194ba9ed400fe68ab40700922fdc8&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="3418634" author="xgen-internal-githook" created="Wed, 30 Sep 2020 14:58:03 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Spencer Jackson&apos;, &apos;email&apos;: &apos;spencer.jackson@mongodb.com&apos;, &apos;username&apos;: &apos;spencerjackson&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-45938&quot; title=&quot;Allow matching O/OU/DC in client x509 cert if clusterMode:keyFile&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-45938&quot;&gt;&lt;del&gt;SERVER-45938&lt;/del&gt;&lt;/a&gt; Create override for createUser to allow possible cluster members&lt;/p&gt;

&lt;p&gt;(cherry picked from commit 2973992735143c9f6b6ff2a8bc15e5adf19d9ac6)&lt;br/&gt;
(cherry picked from commit d87aafc7f1a70591c5dac864c807d4b943aa6d5f)&lt;br/&gt;
Branch: v4.2&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/2b912420bd99dc67168d882d615a7cb94290c46e&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/2b912420bd99dc67168d882d615a7cb94290c46e&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="3399359" author="xgen-internal-githook" created="Thu, 17 Sep 2020 15:52:44 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Spencer Jackson&apos;, &apos;email&apos;: &apos;spencer.jackson@mongodb.com&apos;, &apos;username&apos;: &apos;spencerjackson&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-45938&quot; title=&quot;Allow matching O/OU/DC in client x509 cert if clusterMode:keyFile&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-45938&quot;&gt;&lt;del&gt;SERVER-45938&lt;/del&gt;&lt;/a&gt; Create override for createUser to allow possible cluster members&lt;/p&gt;

&lt;p&gt;(cherry picked from commit 2973992735143c9f6b6ff2a8bc15e5adf19d9ac6)&lt;br/&gt;
Branch: v4.4&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/0541641137ae7b25d61c58b579be4985f43c1472&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/0541641137ae7b25d61c58b579be4985f43c1472&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="3371508" author="xgen-internal-githook" created="Wed, 2 Sep 2020 00:20:13 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Spencer Jackson&apos;, &apos;email&apos;: &apos;spencer.jackson@mongodb.com&apos;, &apos;username&apos;: &apos;spencerjackson&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-45938&quot; title=&quot;Allow matching O/OU/DC in client x509 cert if clusterMode:keyFile&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-45938&quot;&gt;&lt;del&gt;SERVER-45938&lt;/del&gt;&lt;/a&gt; Create override for createUser to allow possible cluster members&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/2973992735143c9f6b6ff2a8bc15e5adf19d9ac6&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/2973992735143c9f6b6ff2a8bc15e5adf19d9ac6&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="2882980" author="spencer.jackson@10gen.com" created="Tue, 18 Feb 2020 19:24:18 +0000"  >&lt;p&gt;I believe this ticket is mostly a duplicate of &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-14655&quot; title=&quot;x.509 certificate authentication requires O,OU to differ between client and server&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-14655&quot;&gt;&lt;del&gt;SERVER-14655&lt;/del&gt;&lt;/a&gt; and will resolve it accordingly. The issue at play is that some subject names are reserved for use with &lt;tt&gt;clusterAuthMode: x509&lt;/tt&gt;. User accounts may not exist with these reserved names, and so may not be created. However, it is possible to upgrade from &lt;tt&gt;clusterAuthMode: keyFile&lt;/tt&gt; to &lt;tt&gt;clusterAuthMode: x509&lt;/tt&gt;. As such, users with reserved names must never exist, because an upgrade can later occur.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10420">
                    <name>Backports</name>
                                            <outwardlinks description="backported by">
                                                        </outwardlinks>
                                                        </issuelinktype>
                            <issuelinktype id="10011">
                    <name>Depends</name>
                                                                <inwardlinks description="is depended on by">
                                                        </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10320">
                    <name>Documented</name>
                                                                <inwardlinks description="is documented by">
                                                        </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10520">
                    <name>Problem/Incident</name>
                                                                <inwardlinks description="is caused by">
                                        <issuelink>
            <issuekey id="92594">SERVER-11025</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="161013">SERVER-15459</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                        <issuelink>
            <issuekey id="1605025">SERVER-54136</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="148431">SERVER-14655</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="2251868">SERVER-73576</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="2251887">DOCS-15864</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>6.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18555" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname># of Sprints</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>3.0</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_12450" key="com.atlassian.jira.plugin.system.customfieldtypes:multicheckboxes">
                        <customfieldname>Backport Requested</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="18953"><![CDATA[v4.4]]></customfieldvalue>
    <customfieldvalue key="16775"><![CDATA[v4.2]]></customfieldvalue>
    <customfieldvalue key="15640"><![CDATA[v4.0]]></customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10011" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Backwards Compatibility</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10038"><![CDATA[Fully Compatible]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                    <customfield id="customfield_13552" key="com.go2group.jira.plugin.crm:crm_generic_field">
                        <customfieldname>Case</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[[5002K00000kDPxGQAW, 5002K00000saOi7QAE]]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Mon, 3 Feb 2020 23:13:11 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        3 years, 5 weeks ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_17052" key="com.atlassian.jira.plugin.system.customfieldtypes:textarea">
                        <customfieldname>Downstream Changes Summary</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>This change introduced a new setParameter, named {{enforceUserClusterSeparation}}, which defaults to {{true}}. When set to {{false}}, the system will permit the creation of users with names which would conflict with the names of cluster members. Authenticating as such a user when {{clusterAuthMode: x509}} is set will cause the user to gain internal permissions. This flag should not be used with {{clusterAuthMode: x509}}. All users which this flag allowed to be created should be removed before enabling {{clusterAuthMode: x509}}.</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_17050" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Downstream Team Attention</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="16942"><![CDATA[Needed]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>luke.bonanomi@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            3 years, 5 weeks ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>xgen-internal-githook</customfieldvalue>
            <customfieldvalue>james.kovacs@mongodb.com</customfieldvalue>
            <customfieldvalue>mattmail4543@yahoo.com</customfieldvalue>
            <customfieldvalue>spencer.jackson@mongodb.com</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hwndtj:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hwbe13:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_23361" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Requested By</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_10557" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="3659">Security 2020-02-24</customfieldvalue>
    <customfieldvalue id="4144">Security 2020-08-24</customfieldvalue>
    <customfieldvalue id="4145">Security 2020-09-07</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_17051" key="com.atlassian.jira.plugin.system.customfieldtypes:multicheckboxes">
                        <customfieldname>Teams Impacted</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="16944"><![CDATA[Docs]]></customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hwn02v:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>