author | Varun Ravichandran <varun.ravichandran@mongodb.com> | 2021-04-22 00:22:57 +0000 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2021-04-28 19:49:29 +0000 |
commit | 193e8838d915a3609b1cda62301e4601bd48b34d (patch) | |
tree | d9041d6f98857f0776b230085ccc33aa352d4699 | |
parent | b46ac14ee3895b8129069c8f1b03e3820ebcea99 (diff) | |
download | mongo-193e8838d915a3609b1cda62301e4601bd48b34d.tar.gz |
SERVER-55827: Rename security.clusterIpSourceWhitelist to security.clusterIpSourceAllowlist
-rw-r--r-- | debian/mongod.1 | 10 | ||||
-rw-r--r-- | jstests/auth/cluster_ip_whitelist.js | 46 | ||||
-rw-r--r-- | src/mongo/db/mongod_options.cpp | 4 | ||||
-rw-r--r-- | src/mongo/db/mongod_options_general.idl | 6 |
4 files changed, 39 insertions, 27 deletions
diff --git a/debian/mongod.1 b/debian/mongod.1 index 7d70e315630..a49aeefc92a 100644 --- a/debian/mongod.1 +++ b/debian/mongod.1 @@ -397,7 +397,7 @@ is, you can specify one or the other, but not both. .UNINDENT .INDENT 0.0 .TP -.B \-\-clusterIpSourceWhitelist <string> +.B \-\-clusterIpSourceAllowlist <string> New in version 3.6. .sp @@ -409,17 +409,17 @@ either explicitly in the list or belongs to a CIDR range in the list. If the IP address is not present, the server does not authenticate the \fI\%mongod\fP or \fBmongos\fP\&. .sp -\fI\%\-\-clusterIpSourceWhitelist\fP has no effect on a \fI\%mongod\fP started without +\fI\%\-\-clusterIpSourceAllowlist\fP has no effect on a \fI\%mongod\fP started without authentication\&. .sp -\fI\%\-\-clusterIpSourceWhitelist\fP accepts multiple comma\-separated IPv4/6 addresses or Classless +\fI\%\-\-clusterIpSourceAllowlist\fP accepts multiple comma\-separated IPv4/6 addresses or Classless Inter\-Domain Routing (\fI\%CIDR\fP) ranges: .INDENT 7.0 .INDENT 3.5 .sp .nf .ft C -mongod \-\-clusterIpSourceWhitelist 192.0.2.0/24,127.0.0.1,::1 +mongod \-\-clusterIpSourceAllowlist 192.0.2.0/24,127.0.0.1,::1 .ft P .fi .UNINDENT @@ -428,7 +428,7 @@ mongod \-\-clusterIpSourceWhitelist 192.0.2.0/24,127.0.0.1,::1 \fBIMPORTANT:\fP .INDENT 7.0 .INDENT 3.5 -Ensure \fI\%\-\-clusterIpSourceWhitelist\fP includes the IP address \fIor\fP CIDR ranges that include the +Ensure \fI\%\-\-clusterIpSourceAllowlist\fP includes the IP address \fIor\fP CIDR ranges that include the IP address of each replica set member or \fBmongos\fP in the deployment to ensure healthy communication between cluster components. .UNINDENT diff --git a/jstests/auth/cluster_ip_whitelist.js b/jstests/auth/cluster_ip_whitelist.js index 401133dcf71..80b6089de4d 100644 --- a/jstests/auth/cluster_ip_whitelist.js +++ b/jstests/auth/cluster_ip_whitelist.js 
@@ -1,56 +1,66 @@
 /**
- * This test checks that cluster IP whitelists can be set and respected.
+ * This test checks that cluster IP allowlists can be set and respected.
 */
 (function() {
 'use strict';
-print("When whitelist is empty, the server does not start.");
+print("When allowlist is empty, the server does not start.");
+assert.eq(null,
+ MongoRunner.runMongod(
+ {auth: null, keyFile: "jstests/libs/key1", clusterIpSourceAllowlist: ""}));
+// Check that the same behavior is seen with the deprecated 'clusterIpSourceWhiteList' flag.
 assert.eq(null,
 MongoRunner.runMongod(
 {auth: null, keyFile: "jstests/libs/key1", clusterIpSourceWhitelist: ""}));
-function testIpWhitelist(description, whitelistString, authResult) {
+function testIpAllowlist(description, allowlistString, authResult) {
 print(description);
 var conn = MongoRunner.runMongod(
- {auth: null, keyFile: "jstests/libs/key1", clusterIpSourceWhitelist: whitelistString});
+ {auth: null, keyFile: "jstests/libs/key1", clusterIpSourceAllowlist: allowlistString});
+ assert.eq(authResult, conn.getDB("local").auth("__system", "foopdedoop"));
+ MongoRunner.stopMongod(conn);
+
+ // Verify that the deprecated 'clusterIpSourceWhitelist' flag still exhibits the same behavior.
+ conn = MongoRunner.runMongod(
+ {auth: null, keyFile: "jstests/libs/key1", clusterIpSourceWhitelist: allowlistString});
 assert.eq(authResult, conn.getDB("local").auth("__system", "foopdedoop"));
 MongoRunner.stopMongod(conn);
 }
-testIpWhitelist(
- "When 127.0.0.1 is whitelisted, a client connected via localhost may auth as __system.",
+testIpAllowlist(
+ "When 127.0.0.1 is allowlisted, a client connected via localhost may auth as __system.",
 "127.0.0.1",
 true);
-testIpWhitelist(
- "When 127.0.0.0 is whitelisted as a 24-bit CIDR block, a client connected via localhost may auth as __system.",
+testIpAllowlist(
+ "When 127.0.0.0 is allowlisted as a 24-bit CIDR block, a client connected via localhost may auth as __system.",
 "127.0.0.0/24",
 true);
-testIpWhitelist(
- "When 127.0.0.5 is whitelisted as a 24-bit CIDR block, a client connected via localhost may auth as __system.",
+testIpAllowlist(
+ "When 127.0.0.5 is allowlisted as a 24-bit CIDR block, a client connected via localhost may auth as __system.",
 "127.0.0.5/24",
 true);
-testIpWhitelist(
- "When 127.0.0.0 is whitelisted as a 8-bit CIDR block, a client connected via localhost may auth as __system.",
+testIpAllowlist(
+ "When 127.0.0.0 is allowlisted as a 8-bit CIDR block, a client connected via localhost may auth as __system.",
 "127.0.0.0/8",
 true);
-testIpWhitelist(
- "When the IP block reserved for documentation and the 127.0.0.0/8 block are both whitelisted, a client connected via localhost may auth as __system.",
+testIpAllowlist(
+ "When the IP block reserved for documentation and the 127.0.0.0/8 block are both allowlisted, a client connected via localhost may auth as __system.",
 "192.0.2.0/24,127.0.0.0/8",
 true);
-testIpWhitelist(
- "When 127.0.0.0/8 and the IP block reserved for documentation are both whitelisted, a client connected via localhost may auth as __system.",
+testIpAllowlist(
+ "When 127.0.0.0/8 and the IP block reserved for documentation are both allowlisted, a client connected via localhost
may auth as __system.",
 "127.0.0.0/8,192.0.2.0/24",
 true);
-testIpWhitelist(
- "When the IP block reserved for documentation and examples is whitelisted, a client connected via localhost may not auth as __system.",
+testIpAllowlist(
+ "When the IP block reserved for documentation and examples is allowlisted, a client connected via localhost may not auth as __system.",
 "192.0.2.0/24",
 false);
 }());
diff --git a/src/mongo/db/mongod_options.cpp b/src/mongo/db/mongod_options.cpp
index 9238a06f5d4..4d512e3e4f8 100644
--- a/src/mongo/db/mongod_options.cpp
+++ b/src/mongo/db/mongod_options.cpp
@@ -463,10 +463,10 @@ Status storeMongodOptions(const moe::Environment& params) {
 mongodGlobalParams.scriptingEnabled = params["security.javascriptEnabled"].as<bool>();
 }
- if (params.count("security.clusterIpSourceWhitelist")) {
+ if (params.count("security.clusterIpSourceAllowlist")) {
 mongodGlobalParams.whitelistedClusterNetwork = std::vector<std::string>();
 for (const std::string& whitelistEntry :
- params["security.clusterIpSourceWhitelist"].as<std::vector<std::string>>()) {
+ params["security.clusterIpSourceAllowlist"].as<std::vector<std::string>>()) {
 std::vector<std::string> intermediates;
 str::splitStringDelim(whitelistEntry, &intermediates, ',');
 std::copy(intermediates.begin(),
diff --git a/src/mongo/db/mongod_options_general.idl b/src/mongo/db/mongod_options_general.idl
index 302c601f1c4..0e81416d1c8 100644
--- a/src/mongo/db/mongod_options_general.idl
+++ b/src/mongo/db/mongod_options_general.idl
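Review bot: The deprecated-flag branch added inside testIpAllowlist reuses the bare `assert.eq(authResult, conn.getDB("local").auth("__system", "foopdedoop"))`, so a failure there prints the same output as the canonical-flag assertion two lines above it and `description` is only printed once, leaving the log unable to say which spelling of the option misbehaved; passing a message such as `assert.eq(authResult, conn.getDB("local").auth("__system", "foopdedoop"), "deprecated clusterIpSourceWhitelist: " + description);` fixes that. The comment on the new empty-allowlist check names the flag as `'clusterIpSourceWhiteList'` (capital L) although the option passed on the next lines is `clusterIpSourceWhitelist`; a grep for the real option name will miss it. Nothing here checks that the deprecated spelling produces a deprecation warning, which is presumably what the IDL alias is meant to emit, but that behaviour is not visible on this page.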
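Review bot: storeMongodOptions now consults only the canonical key in `if (params.count("security.clusterIpSourceAllowlist"))`, so a deployment that still configures `security.clusterIpSourceWhitelist` depends entirely on the IDL alias being folded into that key before this point; if the alias were ever dropped or mis-mapped, `count()` would be zero, nothing would be stored in `whitelistedClusterNetwork`, and `__system` logins would presumably be left unrestricted by source address as they are when the option is absent, i.e. the misconfiguration would fail open rather than loudly. A comment above the `if` recording that assumption, e.g. `// The deprecated 'security.clusterIpSourceWhitelist' alias is expected to arrive under this key (see jstests/auth/cluster_ip_whitelist.js).`, would make the dependency visible to whoever next touches the option table. The loop variable `whitelistEntry` and the member `whitelistedClusterNetwork` keep the old term; renaming the local is free here, the member rename reaches outside this hunk. storeMongodOptions continues past the hunk on both sides.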
@@ -41,9 +41,11 @@ configs:
 arg_vartype: Switch
 source: [ cli, ini ]
 conflicts: noauth
- 'security.clusterIpSourceWhitelist':
+ 'security.clusterIpSourceAllowlist':
 description: 'Network CIDR specification of permitted origin for `__system` access'
- short_name: clusterIpSourceWhitelist
+ short_name: clusterIpSourceAllowlist
+ deprecated_name: "security.clusterIpSourceWhitelist"
+ deprecated_short_name: clusterIpSourceWhitelist
 arg_vartype: StringVector
 source: [ cli, ini, yaml ]
 duplicate_behavior: append
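Review bot: `deprecated_name: "security.clusterIpSourceWhitelist"` is double-quoted while the option key on the line above it and the `description` value in this block use single quotes; `deprecated_name: 'security.clusterIpSourceWhitelist'` keeps the file's quoting consistent. With `duplicate_behavior: append` unchanged it is not clear from the hunk whether giving both the new and the deprecated name in one invocation appends the two lists or is rejected; if it appends, a one-line comment above `deprecated_name` saying so would spare the next reader a trip into the IDL generator.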