authorCheahuychou Mao <mao.cheahuychou@gmail.com>2021-03-01 22:32:47 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2021-03-02 17:57:12 +0000
commit1f39f0c300eee9a0b53614e6d7f2cca2595f51a8 (patch)
tree3fec6c47dde7af544dadc2d2ba6df27a74e1756a /jstests/ssl
parent8ba3957bc307c2b37228b616a77f395fd135d05f (diff)
downloadmongo-1f39f0c300eee9a0b53614e6d7f2cca2595f51a8.tar.gz
SERVER-54868 Regenerate test tenant migration certificates with only the necessary privileges
Diffstat (limited to 'jstests/ssl')
-rw-r--r--jstests/ssl/x509/certs.yml112
1 files changed, 37 insertions, 75 deletions
diff --git a/jstests/ssl/x509/certs.yml b/jstests/ssl/x509/certs.yml
index f1ab1ec16f2..be4f96d8f38 100644
--- a/jstests/ssl/x509/certs.yml
+++ b/jstests/ssl/x509/certs.yml
@@ -311,55 +311,21 @@ certs:
extendedKeyUsage: [serverAuth]
authorityKeyIdentifier: issuer
-- name: 'rs0_tenant_migration.pem'
- description: Client certificate file for tenant migration donor or recipient.
- Subject:
- OU: 'rs0_tenant_migration'
- extensions:
- basicConstraints: {CA: false}
- subjectKeyIdentifier: hash
- keyUsage: [digitalSignature, keyEncipherment]
- extendedKeyUsage: [clientAuth]
- mongoRoles:
- - {role: backup, db: admin}
- - {role: findInternalClusterTimeKeysRole, db: admin}
- - {role: findAggregateNamespacesRole, db: admin}
-
-- name: 'rs0_tenant_migration_expired.pem'
- description:
- Client certificate file for tenant migration donor or recipient which has passed its expiration
- date.
- not_before: -10000000
- not_after: -1000000
- Subject:
- OU: 'rs0_tenant_migration'
- extensions:
- basicConstraints: {CA: false}
- subjectKeyIdentifier: hash
- keyUsage: [digitalSignature, keyEncipherment]
- extendedKeyUsage: [clientAuth]
- mongoRoles:
- - {role: backup, db: admin}
- - {role: findInternalClusterTimeKeysRole, db: admin}
-
-- name: 'rs0_tenant_migration_no_find_cluster_time_keys_role.pem'
- description:
- Client certificate file for tenant migration donor or recipient without role to run find command
- against admin.system.keys.
+- name: 'rs1.pem'
+ description: General purpose server certificate file.
Subject:
- OU: 'rs0_tenant_migration'
+ OU: 'rs1'
extensions:
basicConstraints: {CA: false}
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
- extendedKeyUsage: [clientAuth]
- mongoRoles:
- - {role: backup, db: admin}
+ extendedKeyUsage: [serverAuth]
+ authorityKeyIdentifier: issuer
-- name: 'rs1.pem'
+- name: 'rs2.pem'
description: General purpose server certificate file.
Subject:
- OU: 'rs1'
+ OU: 'rs2'
extensions:
basicConstraints: {CA: false}
subjectKeyIdentifier: hash
@@ -367,88 +333,84 @@ certs:
extendedKeyUsage: [serverAuth]
authorityKeyIdentifier: issuer
-- name: 'rs1_tenant_migration.pem'
- description: Client certificate file for tenant migration donor or recipient.
+- name: 'tenant_migration_donor.pem'
+ description: Client certificate file for tenant migration donor.
Subject:
- OU: 'rs1_tenant_migration'
+ OU: 'tenant_migration_donor'
extensions:
basicConstraints: {CA: false}
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [clientAuth]
mongoRoles:
- - {role: backup, db: admin}
- - {role: findInternalClusterTimeKeysRole, db: admin}
- - {role: findAggregateNamespacesRole, db: admin}
+ - {role: tenantMigrationDonorRole, db: admin}
-- name: 'rs1_tenant_migration_expired.pem'
+- name: 'tenant_migration_donor_expired.pem'
description:
- Client certificate file for tenant migration donor or recipient which has passed its expiration
- date.
+ Client certificate file for tenant migration donor which has passed its expiration date.
not_before: -10000000
not_after: -1000000
Subject:
- OU: 'rs1_tenant_migration'
+ OU: 'tenant_migration_donor'
extensions:
basicConstraints: {CA: false}
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [clientAuth]
mongoRoles:
- - {role: backup, db: admin}
- - {role: findInternalClusterTimeKeysRole, db: admin}
+ - {role: tenantMigrationDonorRole, db: admin}
-- name: 'rs1_tenant_migration_no_backup_role.pem'
- description:
- Client certificate file for tenant migration donor or recipient without backup role.
+- name: 'tenant_migration_donor_insufficient_privileges.pem'
+ description: Client certificate file for tenant migration donor without the required privileges.
Subject:
- OU: 'rs1_tenant_migration'
+ OU: 'tenant_migration_donor'
extensions:
basicConstraints: {CA: false}
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [clientAuth]
mongoRoles:
- - {role: findInternalClusterTimeKeysRole, db: admin}
+ - {role: readAnyDatabase, db: admin}
-- name: 'rs1_tenant_migration_no_find_cluster_time_keys_role.pem'
- description:
- Client certificate file for tenant migration donor or recipient without role to run find command
- against admin.system.keys.
+- name: 'tenant_migration_recipient.pem'
+ description: Client certificate file for tenant migration recipient.
Subject:
- OU: 'rs1_tenant_migration'
+ OU: 'tenant_migration_recipient'
extensions:
basicConstraints: {CA: false}
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [clientAuth]
mongoRoles:
- - {role: backup, db: admin}
+ - {role: tenantMigrationRecipientRole, db: admin}
-- name: 'rs2.pem'
- description: General purpose server certificate file.
+- name: 'tenant_migration_recipient_expired.pem'
+ description:
+ Client certificate file for tenant migration recipient which has passed its expiration date.
+ not_before: -10000000
+ not_after: -1000000
Subject:
- OU: 'rs2'
+ OU: 'tenant_migration_recipient'
extensions:
basicConstraints: {CA: false}
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
- extendedKeyUsage: [serverAuth]
- authorityKeyIdentifier: issuer
+ extendedKeyUsage: [clientAuth]
+ mongoRoles:
+ - {role: tenantMigrationRecipientRole, db: admin}
-- name: 'rs2_tenant_migration.pem'
- description: Client certificate file for tenant migration donor or recipient.
+- name: 'tenant_migration_recipient_insufficient_privileges.pem'
+ description:
+ Client certificate file for tenant migration recipient without the required privileges.
Subject:
- OU: 'rs2_tenant_migration'
+ OU: 'tenant_migration_recipient'
extensions:
basicConstraints: {CA: false}
subjectKeyIdentifier: hash
keyUsage: [digitalSignature, keyEncipherment]
extendedKeyUsage: [clientAuth]
mongoRoles:
- - {role: backup, db: admin}
- - {role: findInternalClusterTimeKeysRole, db: admin}
- - {role: findAggregateNamespacesRole, db: admin}
+ - {role: readAnyDatabase, db: admin}
###
# Certificates not based on the primary root ca.pem
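Review bot: The `tenant_migration_donor_insufficient_privileges.pem` and `tenant_migration_recipient_insufficient_privileges.pem` entries keep the same Subject OU (`tenant_migration_donor` / `tenant_migration_recipient`) as their fully-privileged counterparts, so the only thing that distinguishes the negative-test certificate from the real one is the embedded `mongoRoles` entry (`readAnyDatabase` instead of `tenantMigrationDonorRole` / `tenantMigrationRecipientRole`), and nothing in the file says that is deliberate. Suggest a comment above each of those two entries, e.g. `# Same subject as tenant_migration_donor.pem; only the embedded role differs, so a rejection must come from authorization, not identity.`. The `_expired` variants likewise carry the full tenant-migration role, which looks intentional so that expiry is the sole reason for rejection — a matching one-line comment there would document that too. Minor style point: the donor `_insufficient_privileges` description is a single inline scalar while the recipient one is split across two lines as a multi-line plain scalar; the two parallel entries should use the same form.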