authorJonathan Reams <jbreams@mongodb.com>2019-06-07 11:07:10 -0400
committerJonathan Reams <jbreams@mongodb.com>2019-07-09 17:08:45 -0400
commit6dfb1512ab0a47fb9059f76831f0234a3d4e4679 (patch)
tree205541df7e32a6c8e2d09269214662379aa12d33
parentb0770322568c42ab8480be6a220bd5349349af23 (diff)
downloadmongo-6dfb1512ab0a47fb9059f76831f0234a3d4e4679.tar.gz
SERVER-41069 Add option to disable embedded roles from X509 certificates
(cherry picked from commit 85ec26ff72f4029c52c40fab796ad53533828e60) (cherry picked from commit 20c801587e1dab2d9cb2d468a4b10e3549d91e24) (cherry picked from commit c0f9667715e87634ba3d8d956e8bc9ae752518cf) (cherry picked from commit 727b84641088ff5b7c6908dea7139afa2e4695d0)
-rw-r--r--src/mongo/db/auth/SConscript1
-rw-r--r--src/mongo/db/auth/authz_manager_external_state.cpp8
2 files changed, 9 insertions, 0 deletions
diff --git a/src/mongo/db/auth/SConscript b/src/mongo/db/auth/SConscript
index 9ef91280636..8add083a5b9 100644
--- a/src/mongo/db/auth/SConscript
+++ b/src/mongo/db/auth/SConscript
@@ -46,6 +46,7 @@ env.Library('authcore', ['action_set.cpp',
'$BUILD_DIR/mongo/db/common',
'$BUILD_DIR/mongo/db/ops/update_driver',
'$BUILD_DIR/mongo/db/namespace_string',
+ '$BUILD_DIR/mongo/db/server_parameters',
'$BUILD_DIR/mongo/db/service_context',
'$BUILD_DIR/mongo/util/md5'])
diff --git a/src/mongo/db/auth/authz_manager_external_state.cpp b/src/mongo/db/auth/authz_manager_external_state.cpp
index 0403af8e256..1e2ec025ea3 100644
--- a/src/mongo/db/auth/authz_manager_external_state.cpp
+++ b/src/mongo/db/auth/authz_manager_external_state.cpp
@@ -32,9 +32,13 @@
#include "mongo/db/auth/authz_manager_external_state.h"
#include "mongo/db/auth/user_name.h"
#include "mongo/db/operation_context.h"
+#include "mongo/db/server_parameters.h"
#include "mongo/util/net/ssl_types.h"
namespace mongo {
+namespace {
+MONGO_EXPORT_STARTUP_SERVER_PARAMETER(allowRolesFromX509Certificates, bool, true);
+}
stdx::function<std::unique_ptr<AuthzManagerExternalState>()> AuthzManagerExternalState::create;
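Review bot: The new parameter declared on the `MONGO_EXPORT_STARTUP_SERVER_PARAMETER(allowRolesFromX509Certificates, bool, true);` line carries no comment, yet it is a security switch whose effect is only visible in a different function further down the file. I would put above it: `// Startup-only (a restart is needed to change it). Default true keeps prior behaviour; when false, shouldUseRolesFromConnection() never treats roles embedded in an X.509 client certificate as usable.` Since the macro makes this startup-only, a reader looking for a runtime setParameter will not find one, and the comment should say so explicitly.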
@@ -48,6 +52,10 @@ bool AuthzManagerExternalState::shouldUseRolesFromConnection(OperationContext* t
return false;
}
+ if (!allowRolesFromX509Certificates) {
+ return false;
+ }
+
auto sslPeerInfo = txn->getClient()->session()->getX509PeerInfo();
return sslPeerInfo.subjectName.toString() == userName.getUser() &&
userName.getDB() == "$external" && !sslPeerInfo.roles.empty();
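Review bot: The guard at `if (!allowRolesFromX509Certificates) { return false; }` is silent, so when the option is off and a client presents a certificate that does carry roles, nothing in the log explains why that user ended up with different privileges than the certificate implies; a single debug-level log line inside the branch saying the certificate's embedded roles were ignored because allowRolesFromX509Certificates is false would make that diagnosable without changing behaviour. A one-line comment above the guard, `// Operator opted out of certificate-embedded roles; do not consult the peer certificate at all.`, would also tie it to the parameter declared at the top of the file. Placing the check before the `getX509PeerInfo()` lookup is the right order, since it skips the session access entirely. The opening lines of shouldUseRolesFromConnection, including the earlier early-return whose condition is not visible here, lie outside the hunk.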