author | Cheahuychou Mao <mao.cheahuychou@gmail.com> | 2021-03-01 22:32:47 +0000 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2021-03-02 17:57:12 +0000 |
commit | 1f39f0c300eee9a0b53614e6d7f2cca2595f51a8 (patch) | |
tree | 3fec6c47dde7af544dadc2d2ba6df27a74e1756a /jstests/ssl | |
parent | 8ba3957bc307c2b37228b616a77f395fd135d05f (diff) | |
download | mongo-1f39f0c300eee9a0b53614e6d7f2cca2595f51a8.tar.gz |
SERVER-54868 Regenerate test tenant migration certificates with only the necessary privileges
Diffstat (limited to 'jstests/ssl')
-rw-r--r-- | jstests/ssl/x509/certs.yml | 112 |
1 files changed, 37 insertions, 75 deletions
diff --git a/jstests/ssl/x509/certs.yml b/jstests/ssl/x509/certs.yml
index f1ab1ec16f2..be4f96d8f38 100644
--- a/jstests/ssl/x509/certs.yml
+++ b/jstests/ssl/x509/certs.yml 
@@ -311,55 +311,21 @@ certs: extendedKeyUsage: [serverAuth] authorityKeyIdentifier: issuer -- name: 'rs0_tenant_migration.pem' - description: Client certificate file for tenant migration donor or recipient. - Subject: - OU: 'rs0_tenant_migration' - extensions: - basicConstraints: {CA: false} - subjectKeyIdentifier: hash - keyUsage: [digitalSignature, keyEncipherment] - extendedKeyUsage: [clientAuth] - mongoRoles: - - {role: backup, db: admin} - - {role: findInternalClusterTimeKeysRole, db: admin} - - {role: findAggregateNamespacesRole, db: admin} - -- name: 'rs0_tenant_migration_expired.pem' - description: - Client certificate file for tenant migration donor or recipient which has passed its expiration - date. - not_before: -10000000 - not_after: -1000000 - Subject: - OU: 'rs0_tenant_migration' - extensions: - basicConstraints: {CA: false} - subjectKeyIdentifier: hash - keyUsage: [digitalSignature, keyEncipherment] - extendedKeyUsage: [clientAuth] - mongoRoles: - - {role: backup, db: admin} - - {role: findInternalClusterTimeKeysRole, db: admin} - -- name: 'rs0_tenant_migration_no_find_cluster_time_keys_role.pem' - description: - Client certificate file for tenant migration donor or recipient without role to run find command - against admin.system.keys. +- name: 'rs1.pem' + description: General purpose server certificate file. Subject: - OU: 'rs0_tenant_migration' + OU: 'rs1' extensions: basicConstraints: {CA: false} subjectKeyIdentifier: hash keyUsage: [digitalSignature, keyEncipherment] - extendedKeyUsage: [clientAuth] - mongoRoles: - - {role: backup, db: admin} + extendedKeyUsage: [serverAuth] + authorityKeyIdentifier: issuer -- name: 'rs1.pem' +- name: 'rs2.pem' description: General purpose server certificate file. Subject: - OU: 'rs1' + OU: 'rs2' extensions: basicConstraints: {CA: false} subjectKeyIdentifier: hash 
@@ -367,88 +333,84 @@ certs: extendedKeyUsage: [serverAuth] authorityKeyIdentifier: issuer -- name: 'rs1_tenant_migration.pem' - description: Client certificate file for tenant migration donor or recipient. +- name: 'tenant_migration_donor.pem' + description: Client certificate file for tenant migration donor. Subject: - OU: 'rs1_tenant_migration' + OU: 'tenant_migration_donor' extensions: basicConstraints: {CA: false} subjectKeyIdentifier: hash keyUsage: [digitalSignature, keyEncipherment] extendedKeyUsage: [clientAuth] mongoRoles: - - {role: backup, db: admin} - - {role: findInternalClusterTimeKeysRole, db: admin} - - {role: findAggregateNamespacesRole, db: admin} + - {role: tenantMigrationDonorRole, db: admin} -- name: 'rs1_tenant_migration_expired.pem' +- name: 'tenant_migration_donor_expired.pem' description: - Client certificate file for tenant migration donor or recipient which has passed its expiration - date. + Client certificate file for tenant migration donor which has passed its expiration date. not_before: -10000000 not_after: -1000000 Subject: - OU: 'rs1_tenant_migration' + OU: 'tenant_migration_donor' extensions: basicConstraints: {CA: false} subjectKeyIdentifier: hash keyUsage: [digitalSignature, keyEncipherment] extendedKeyUsage: [clientAuth] mongoRoles: - - {role: backup, db: admin} - - {role: findInternalClusterTimeKeysRole, db: admin} + - {role: tenantMigrationDonorRole, db: admin} -- name: 'rs1_tenant_migration_no_backup_role.pem' - description: - Client certificate file for tenant migration donor or recipient without backup role. +- name: 'tenant_migration_donor_insufficient_privileges.pem' + description: Client certificate file for tenant migration donor without the required privileges. 
Subject: - OU: 'rs1_tenant_migration' + OU: 'tenant_migration_donor' extensions: basicConstraints: {CA: false} subjectKeyIdentifier: hash keyUsage: [digitalSignature, keyEncipherment] extendedKeyUsage: [clientAuth] mongoRoles: - - {role: findInternalClusterTimeKeysRole, db: admin} + - {role: readAnyDatabase, db: admin} -- name: 'rs1_tenant_migration_no_find_cluster_time_keys_role.pem' - description: - Client certificate file for tenant migration donor or recipient without role to run find command - against admin.system.keys. +- name: 'tenant_migration_recipient.pem' + description: Client certificate file for tenant migration recipient. Subject: - OU: 'rs1_tenant_migration' + OU: 'tenant_migration_recipient' extensions: basicConstraints: {CA: false} subjectKeyIdentifier: hash keyUsage: [digitalSignature, keyEncipherment] extendedKeyUsage: [clientAuth] mongoRoles: - - {role: backup, db: admin} + - {role: tenantMigrationRecipientRole, db: admin} -- name: 'rs2.pem' - description: General purpose server certificate file. +- name: 'tenant_migration_recipient_expired.pem' + description: + Client certificate file for tenant migration recipient which has passed its expiration date. + not_before: -10000000 + not_after: -1000000 Subject: - OU: 'rs2' + OU: 'tenant_migration_recipient' extensions: basicConstraints: {CA: false} subjectKeyIdentifier: hash keyUsage: [digitalSignature, keyEncipherment] - extendedKeyUsage: [serverAuth] - authorityKeyIdentifier: issuer + extendedKeyUsage: [clientAuth] + mongoRoles: + - {role: tenantMigrationRecipientRole, db: admin} -- name: 'rs2_tenant_migration.pem' - description: Client certificate file for tenant migration donor or recipient. +- name: 'tenant_migration_recipient_insufficient_privileges.pem' + description: + Client certificate file for tenant migration recipient without the required privileges. 
Subject: - OU: 'rs2_tenant_migration' + OU: 'tenant_migration_recipient' extensions: basicConstraints: {CA: false} subjectKeyIdentifier: hash keyUsage: [digitalSignature, keyEncipherment] extendedKeyUsage: [clientAuth] mongoRoles: - - {role: backup, db: admin} - - {role: findInternalClusterTimeKeysRole, db: admin} - - {role: findAggregateNamespacesRole, db: admin} + - {role: readAnyDatabase, db: admin} ### # Certificates not based on the primary root ca.pem |
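Review bot: The two `*_insufficient_privileges.pem` entries in this hunk describe the certificate only as "without the required privileges", which does not record which privilege the negative test expects to be missing; if `tenantMigrationDonorRole` or `tenantMigrationRecipientRole` is later broadened, or `readAnyDatabase` ever comes to overlap it, a test using these certificates could pass for the wrong reason and nothing in the file would flag it. Suggest making the description state the relationship explicitly, e.g. `description: Client certificate file for tenant migration donor holding only readAnyDatabase, which deliberately lacks the privileges of tenantMigrationDonorRole; presumably intended for authorization-failure tests.` with the analogous wording on the recipient entry. The `not_before: -10000000` / `not_after: -1000000` offsets on the `_expired.pem` entries also carry no unit; a one-line comment stating the unit the certificate generator interprets them in (presumably seconds relative to generation time — confirm against the generator) would spare readers a trip to the tooling.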