authorIsabella Siu <isabella.siu@10gen.com>2019-01-24 11:00:29 -0500
committerIsabella Siu <isabella.siu@10gen.com>2019-02-01 15:03:56 -0500
commit6c0c3f30d261de356b9c57d56a478c301298025d (patch)
tree72e1ffd34230570993066e6c77552216436b72be
parentb8bfe9ff391ebeb10a5c2fb86979d854d17d0fd5 (diff)
downloadmongo-6c0c3f30d261de356b9c57d56a478c301298025d.tar.gz
SERVER-38428 log warning when non-mongod client connects with cluster certificate
-rw-r--r--src/mongo/db/commands/SConscript1
-rw-r--r--src/mongo/db/commands/authentication_commands.cpp17
2 files changed, 18 insertions, 0 deletions
diff --git a/src/mongo/db/commands/SConscript b/src/mongo/db/commands/SConscript
index 7bc9fe55b69..547dddc5284 100644
--- a/src/mongo/db/commands/SConscript
+++ b/src/mongo/db/commands/SConscript
@@ -160,6 +160,7 @@ env.Library(
'$BUILD_DIR/mongo/db/repl/repl_coordinator_interface',
'$BUILD_DIR/mongo/executor/egress_tag_closer_manager',
'$BUILD_DIR/mongo/executor/task_executor_pool',
+ '$BUILD_DIR/mongo/rpc/client_metadata',
'$BUILD_DIR/mongo/s/sharding_legacy_api',
'$BUILD_DIR/mongo/s/coreshard',
'$BUILD_DIR/mongo/scripting/scripting_common',
diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp
index 226944af259..b5c6ac9c4c6 100644
--- a/src/mongo/db/commands/authentication_commands.cpp
+++ b/src/mongo/db/commands/authentication_commands.cpp
@@ -53,6 +53,8 @@
#include "mongo/db/commands/test_commands_enabled.h"
#include "mongo/db/operation_context.h"
#include "mongo/platform/random.h"
+#include "mongo/rpc/metadata/client_metadata.h"
+#include "mongo/rpc/metadata/client_metadata_ismaster.h"
#include "mongo/stdx/memory.h"
#include "mongo/transport/session.h"
#include "mongo/util/concurrency/mutex.h"
@@ -105,6 +107,21 @@ Status _authenticateX509(OperationContext* opCtx, const UserName& user, const BS
"authentication. The current configuration does not allow "
"x.509 cluster authentication, check the --clusterAuthMode flag");
}
+ auto& clientMetadata =
+ ClientMetadataIsMasterState::get(opCtx->getClient()).getClientMetadata();
+ if (clientMetadata) {
+ auto clientMetadataDoc = clientMetadata->getDocument();
+ auto driverName = clientMetadataDoc.getObjectField("driver"_sd)
+ .getField("name"_sd)
+ .checkAndGetStringData();
+ if (!clientMetadata->getApplicationName().empty() ||
+ (driverName != "MongoDB Internal Client" &&
+ driverName != "NetworkInterfaceTL")) {
+ warning() << "Client isn't a mongod or mongos, but is connecting with a "
+ "certificate with cluster membership";
+ }
+ }
+
authorizationSession->grantInternalAuthorization();
}
// Handle normal client authentication, only applies to client-server connections
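Review bot: The warning added just before `grantInternalAuthorization()` names neither the connection nor the certificate, so an operator who sees it in the log cannot tell which peer presented the cluster-membership certificate. Appending the identity already in scope, for example `<< "; user: " << user` (the `UserName` parameter visible in the hunk header, assuming it carries the certificate subject on this path), together with the remote address, would make the line usable for detection and triage. The check also runs only inside `if (clientMetadata)`, so a connection whose handshake supplied no metadata is granted internal authorization with no warning at all; because the driver and application names are reported by the client itself, the message is advisory at best, and a short comment saying so would keep later readers from treating it as an enforcement point. `_authenticateX509` begins and ends outside this hunk.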