author | auto-revert-processor <dev-prod-dag@mongodb.com> | 2023-04-01 21:54:57 +0000 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2023-04-01 23:02:49 +0000 |
commit | 128fe164fb93ef1233158019e59f43570f6e0df0 (patch) | |
tree | 02f8ccbfb4535eaba744331a885ab712ea4cb5f3 /src/mongo/db/commands/authentication_commands.cpp | |
parent | 7312503e32ac20a4551de4b014dd4a6bced2f076 (diff) | |
download | mongo-128fe164fb93ef1233158019e59f43570f6e0df0.tar.gz |
Revert "SERVER-74999 Determine cluster membership based on X.509 extension"
This reverts commit 2dcf180fa810ec81054db8249337255495e41647.
Diffstat (limited to 'src/mongo/db/commands/authentication_commands.cpp')
-rw-r--r-- | src/mongo/db/commands/authentication_commands.cpp | 22 |
1 files changed, 1 insertions, 21 deletions
diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp
index 8f1dd94b2f5..c8fdf9e9be7 100644
--- a/src/mongo/db/commands/authentication_commands.cpp
+++ b/src/mongo/db/commands/authentication_commands.cpp
@@ -229,15 +229,7 @@ void _authenticateX509(OperationContext* opCtx, AuthenticationSession* session)
 uassertStatusOK(authorizationSession->addAndAuthorizeUser(opCtx, request, boost::none));
 };
- const bool isClusterMember = ([&] {
- const auto& requiredValue = sslGlobalParams.clusterAuthX509ExtensionValue;
- if (requiredValue.empty()) {
- return sslConfiguration.isClusterMember(clientName);
- }
- return sslPeerInfo.getClusterMembership() == requiredValue;
- })();
-
- if (isClusterMember) {
+ if (sslConfiguration.isClusterMember(clientName)) {
 // Handle internal cluster member auth, only applies to server-server connections
 if (!clusterAuthMode.allowsX509()) {
 uassert(ErrorCodes::AuthenticationFailed,
@@ -255,18 +247,6 @@ void _authenticateX509(OperationContext* opCtx, AuthenticationSession* session)
 "with cluster membership");
 }
- if (gEnforceUserClusterSeparation) {
- auto* am = AuthorizationManager::get(opCtx->getServiceContext());
- BSONObj ignored;
- const bool userExists =
- am->getUserDescription(opCtx, request.name, &ignored).isOK();
- uassert(ErrorCodes::AuthenticationFailed,
- "The provided certificate represents both a cluster member and an "
- "explicit user which exists in the authzn database. "
- "Prohibiting authentication due to enforceUserClusterSeparation setting.",
- !userExists);
- }
-
 session->setAsClusterMember();
 authorizationSession->grantInternalAuthorization(client);
 } |
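Review bot: On the new side of the second hunk, `session->setAsClusterMember()` and `grantInternalAuthorization(client)` are reached with no check that the certificate's subject also exists as an explicit user in the authorization database, because the `gEnforceUserClusterSeparation` guard is removed along with the extension-based membership test in the first hunk; the commit description records only that it reverts 2dcf180fa810ec81054db8249337255495e41647 and does not say whether the matching server parameter is removed elsewhere in the same revert. If that parameter is still registered (not visible in this diff), it now has no effect on this path and operators who set it would get no enforcement, so the description should state that, or the parameter should be dropped in the same change. The new membership decision at `if (sslConfiguration.isClusterMember(clientName)) {` deserves a one-line comment so the next reader does not look for the separation check: `// Cluster membership is decided by the subject DN alone; no user/cluster separation check is applied here.` Both hunks lie inside `_authenticateX509`, whose body starts before the first hunk and continues past the last.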