authorCheahuychou Mao <mao.cheahuychou@gmail.com>2021-01-21 01:25:10 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2021-01-28 02:11:41 +0000
commite9360bd8e7cb8f1447ffd513149d284c394bb4a0 (patch)
tree7404bfc08bba640c65cbaf1aed551a6428aedf06 /jstests/ssl/x509
parent96fe72c36d370a4067240738f051021d4daf72ce (diff)
SERVER-53404 Make tenant migration donor copy the recipient's cluster time signing keys before sending recipientSyncData
Diffstat (limited to 'jstests/ssl/x509')
-rw-r--r--jstests/ssl/x509/certs.yml32
1 files changed, 23 insertions, 9 deletions
diff --git a/jstests/ssl/x509/certs.yml b/jstests/ssl/x509/certs.yml
index 2953a0448db..1141b36636b 100644
--- a/jstests/ssl/x509/certs.yml
+++ b/jstests/ssl/x509/certs.yml
@@ -322,7 +322,7 @@ certs:
extendedKeyUsage: [clientAuth]
mongoRoles:
- {role: backup, db: admin}
- - {role: advanceClusterTimeRole, db: admin}
+ - {role: findInternalClusterTimeKeysRole, db: admin}
- name: 'rs0_tenant_migration_expired.pem'
description:
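Review bot: The replacement role on the `mongoRoles` line is not explained anywhere in the visible file, and it looks like the more sensitive of the two: going by the description added in the next hunk, `findInternalClusterTimeKeysRole` is what permits `find` on `admin.system.keys`, which per the commit title holds the cluster time signing keys. I would add a comment above the first tenant-migration entry, e.g. `# findInternalClusterTimeKeysRole: read access to admin.system.keys (cluster time signing keys); test fixtures only`, so these role sets are not copied into a non-test certificate. The same swap is made in the hunks at -339, -363, -380, -393 and -431. The role definition is outside this path-limited diff, so the exact privilege set should be confirmed there; the certificate entry itself starts above this hunk.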
@@ -339,7 +339,21 @@ certs:
extendedKeyUsage: [clientAuth]
mongoRoles:
- {role: backup, db: admin}
- - {role: advanceClusterTimeRole, db: admin}
+ - {role: findInternalClusterTimeKeysRole, db: admin}
+
+- name: 'rs0_tenant_migration_no_find_cluster_time_keys_role.pem'
+ description:
+ Client certificate file for tenant migration donor or recipient without role to run find command
+ against admin.system.keys.
+ Subject:
+ OU: 'rs0_tenant_migration'
+ extensions:
+ basicConstraints: {CA: false}
+ subjectKeyIdentifier: hash
+ keyUsage: [digitalSignature, keyEncipherment]
+ extendedKeyUsage: [clientAuth]
+ mongoRoles:
+ - {role: backup, db: admin}
- name: 'rs1.pem'
description: General purpose server certificate file.
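Review bot: The new `rs0_tenant_migration_no_find_cluster_time_keys_role.pem` entry, like the rename in the -393 hunk, only takes effect once the PEM files are regenerated, since `mongoRoles` is listed with the certificate extensions and is presumably baked into each generated file; this view is limited to `jstests/ssl/x509` and shows only `certs.yml` changing. Confirm that the certificates were rebuilt in the same commit and that the old `rs1_tenant_migration_no_advance_cluster_time_role.pem` was removed, otherwise a stale file with the previous role set stays available to tests. The description would also be clearer if it stated the expected outcome, e.g. `Negative-test fixture: lacks findInternalClusterTimeKeysRole, so find on admin.system.keys is expected to fail.`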
@@ -363,7 +377,7 @@ certs:
extendedKeyUsage: [clientAuth]
mongoRoles:
- {role: backup, db: admin}
- - {role: advanceClusterTimeRole, db: admin}
+ - {role: findInternalClusterTimeKeysRole, db: admin}
- name: 'rs1_tenant_migration_expired.pem'
description:
@@ -380,7 +394,7 @@ certs:
extendedKeyUsage: [clientAuth]
mongoRoles:
- {role: backup, db: admin}
- - {role: advanceClusterTimeRole, db: admin}
+ - {role: findInternalClusterTimeKeysRole, db: admin}
- name: 'rs1_tenant_migration_no_backup_role.pem'
description:
@@ -393,12 +407,12 @@ certs:
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [clientAuth]
mongoRoles:
- - {role: advanceClusterTimeRole, db: admin}
+ - {role: findInternalClusterTimeKeysRole, db: admin}
-- name: 'rs1_tenant_migration_no_advance_cluster_time_role.pem'
+- name: 'rs1_tenant_migration_no_find_cluster_time_keys_role.pem'
description:
- Client certificate file for tenant migration donor or recipient without role to advance
- cluster time.
+ Client certificate file for tenant migration donor or recipient without role to run find command
+ against admin.system.keys.
Subject:
OU: 'rs1_tenant_migration'
extensions:
@@ -431,7 +445,7 @@ certs:
extendedKeyUsage: [clientAuth]
mongoRoles:
- {role: backup, db: admin}
- - {role: advanceClusterTimeRole, db: admin}
+ - {role: findInternalClusterTimeKeysRole, db: admin}
###
# Certificates not based on the primary root ca.pem