diff options
| author | Isabella Siu <isabella.siu@10gen.com> | 2019-01-24 11:00:29 -0500 |
|---|---|---|
| committer | Isabella Siu <isabella.siu@10gen.com> | 2019-02-01 15:03:56 -0500 |
| commit | 6c0c3f30d261de356b9c57d56a478c301298025d (patch) | |
| tree | 72e1ffd34230570993066e6c77552216436b72be | |
| parent | b8bfe9ff391ebeb10a5c2fb86979d854d17d0fd5 (diff) | |
| download | mongo-6c0c3f30d261de356b9c57d56a478c301298025d.tar.gz | |
SERVER-38428 log warning when non-mongod client connects with cluster certificate
| -rw-r--r-- | src/mongo/db/commands/SConscript | 1 | ||||
| -rw-r--r-- | src/mongo/db/commands/authentication_commands.cpp | 17 |
2 files changed, 18 insertions, 0 deletions
diff --git a/src/mongo/db/commands/SConscript b/src/mongo/db/commands/SConscript index 7bc9fe55b69..547dddc5284 100644 --- a/src/mongo/db/commands/SConscript +++ b/src/mongo/db/commands/SConscript @@ -160,6 +160,7 @@ env.Library( '$BUILD_DIR/mongo/db/repl/repl_coordinator_interface', '$BUILD_DIR/mongo/executor/egress_tag_closer_manager', '$BUILD_DIR/mongo/executor/task_executor_pool', + '$BUILD_DIR/mongo/rpc/client_metadata', '$BUILD_DIR/mongo/s/sharding_legacy_api', '$BUILD_DIR/mongo/s/coreshard', '$BUILD_DIR/mongo/scripting/scripting_common', diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp index 226944af259..b5c6ac9c4c6 100644 --- a/src/mongo/db/commands/authentication_commands.cpp +++ b/src/mongo/db/commands/authentication_commands.cpp @@ -53,6 +53,8 @@ #include "mongo/db/commands/test_commands_enabled.h" #include "mongo/db/operation_context.h" #include "mongo/platform/random.h" +#include "mongo/rpc/metadata/client_metadata.h" +#include "mongo/rpc/metadata/client_metadata_ismaster.h" #include "mongo/stdx/memory.h" #include "mongo/transport/session.h" #include "mongo/util/concurrency/mutex.h" @@ -105,6 +107,21 @@ Status _authenticateX509(OperationContext* opCtx, const UserName& user, const BS "authentication. The current configuration does not allow " "x.509 cluster authentication, check the --clusterAuthMode flag"); } + auto& clientMetadata = + ClientMetadataIsMasterState::get(opCtx->getClient()).getClientMetadata(); + if (clientMetadata) { + auto clientMetadataDoc = clientMetadata->getDocument(); + auto driverName = clientMetadataDoc.getObjectField("driver"_sd) + .getField("name"_sd) + .checkAndGetStringData(); + if (!clientMetadata->getApplicationName().empty() || + (driverName != "MongoDB Internal Client" && + driverName != "NetworkInterfaceTL")) { + warning() << "Client isn't a mongod or mongos, but is connecting with a " + "certificate with cluster membership"; + } + } + authorizationSession->grantInternalAuthorization(); } // Handle normal client authentication, only applies to client-server connections |