Loading...

XML

Word

Printable

JSON

Type: Improvement
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 4.7.0, 4.4.2, 4.2.11, 4.0.21
Affects Version/s: 3.2.22, 3.6.17, 3.4.24, 4.2.3, 4.3.3, 4.0.16
Component/s: Security
Labels:
None

Backwards Compatibility:
Fully Compatible
Backport Requested:

v4.4, v4.2, v4.0
Sprint:
Security 2020-02-24, Security 2020-08-24, Security 2020-09-07
Case:

When creating a new client x.509 user via createUser, MongoDB validates that the O/OU/DC do not match to prevent the user from being considered an internal cluster member with _system privileges. However this only applies if clusterMode: x509. If clusterMode: keyFile, then matching O/OU/DC does not grant _system privileges, but MongoDB still prevents these users from being created. So if clusterMode: keyFile, then we should not enforce the matching O/OU/DC restriction between client and PEMKeyFile/clusterFile certs.

is caused by

SERVER-11025 Adding a user with x509 certificate = server certificate appears to work

Closed

SERVER-15459 Check new X509 user names against _clusterIdMatch

Closed

is related to

SERVER-73576 enforceUserClusterSeparation authenticate validation incorrect

Closed

related to

SERVER-54136 Make the authenticate command respect enforceUserClusterSeparation

Closed

SERVER-14655 x.509 certificate authentication requires O,OU to differ between client and server

Closed

Assignee:: Spencer Jackson

Reporter:: James Kovacs

Participants:: Githook User, James Kovacs, Matthew Rummel, Spencer Jackson

Votes:: 1 Vote for this issue

Watchers:: 9 Start watching this issue

Created:: Feb 03 2020 10:59:40 PM UTC

Updated:: Oct 29 2023 10:12:36 PM UTC

Resolved:: Sep 02 2020 03:01:04 PM UTC

Details

Description

Attachments

Issue Links

Activity

People

Dates