- Type: Improvement
- Resolution: Duplicate
- Priority: Major - P3
- None
- Affects Version/s: None
- Component/s: None
- None
- Server Security
Currently, scan_checked_replset.js assumes that the authenticationDatabase for connections will always be `admin`. This is often true, but for externally managed users (e.g. LDAP), it is not.
Modify all uses of `auth()` in the script to be invoked on the `mongo` connection instance, and ensure that authInfo has a default value of `admin` for the db field.
e.g. In various places:
- db.getSiblingDB('admin').auth(authInfo); + db.getMongo().auth(authInfo);
and at the bottom of the script:
var authInfo; +authInfo.db = authInfo.db || 'admin';
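Review bot: in the bottom-of-script line `authInfo.db = authInfo.db || 'admin';`, `authInfo` is dereferenced directly after a bare `var authInfo;`, so when the caller never assigned it the property access throws a TypeError. Guard the default, for example `if (authInfo) { authInfo.db = authInfo.db || 'admin'; }`, so runs without credentials still work.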
Secondly, it is currently impossible to use TLS when opening new connections to cluster members. To accommodate this, we need to either extract TLS info from the base connection or provide a `tlsInfo` struct (similar to authInfo) and construct a meaningful mongodb:// URI when opening new connections, or we need to simply allow the user to specify arbitrary URI parameters and append them to the constructed mongodb:// URI.
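A sketch of both requested changes, added here as an example and not taken from scan_checked_replset.js. The helper names `normalizeAuthInfo` and `buildMemberUri` and the `tlsInfo` field names are hypothetical; `tls`, `tlsCAFile` and `tlsCertificateKeyFile` are standard connection-string options, and the host name is constructed.

```javascript
// Added example: hypothetical helpers, not part of scan_checked_replset.js.

// Return a copy of authInfo whose db defaults to 'admin'. Returns null when
// no credentials were supplied, so callers can skip auth() entirely instead
// of dereferencing an undefined authInfo.
function normalizeAuthInfo(authInfo) {
  if (authInfo === undefined || authInfo === null) return null;
  return Object.assign({}, authInfo, { db: authInfo.db || 'admin' });
}

// Build a mongodb:// URI for one cluster member.
//   host      - "hostname:port" as reported by the replica set config
//   tlsInfo   - optional { caFile, certificateKeyFile } (assumed field names)
//   extraOpts - optional object of user-supplied URI options to append
function buildMemberUri(host, tlsInfo, extraOpts) {
  const params = new Map();
  if (tlsInfo) {
    params.set('tls', 'true');
    if (tlsInfo.caFile) params.set('tlsCAFile', tlsInfo.caFile);
    if (tlsInfo.certificateKeyFile) {
      params.set('tlsCertificateKeyFile', tlsInfo.certificateKeyFile);
    }
  }
  for (const [key, value] of Object.entries(extraOpts || {})) {
    // A pass-through option must not silently turn TLS back off.
    if (tlsInfo && /^(tls|ssl)$/i.test(key) && String(value) !== 'true') {
      throw new Error('extraOpts must not disable TLS when tlsInfo is set');
    }
    params.set(key, String(value));
  }
  // Percent-encode keys and values so file paths survive URI parsing.
  const query = Array.from(params, ([k, v]) =>
    encodeURIComponent(k) + '=' + encodeURIComponent(v)).join('&');
  return 'mongodb://' + host + '/' + (query ? '?' + query : '');
}
```

In the script, the result of `normalizeAuthInfo` would be passed to `auth()` on the connection opened with the URI from `buildMemberUri`.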