authorauto-revert-processor <dev-prod-dag@mongodb.com>2023-04-01 21:54:57 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2023-04-01 23:02:49 +0000
commit128fe164fb93ef1233158019e59f43570f6e0df0 (patch)
tree02f8ccbfb4535eaba744331a885ab712ea4cb5f3 /src/mongo/db/commands/authentication_commands.cpp
parent7312503e32ac20a4551de4b014dd4a6bced2f076 (diff)
Revert "SERVER-74999 Determine cluster membership based on X.509 extension"
This reverts commit 2dcf180fa810ec81054db8249337255495e41647.
Diffstat (limited to 'src/mongo/db/commands/authentication_commands.cpp')
-rw-r--r--src/mongo/db/commands/authentication_commands.cpp22
1 files changed, 1 insertions, 21 deletions
diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp
index 8f1dd94b2f5..c8fdf9e9be7 100644
--- a/src/mongo/db/commands/authentication_commands.cpp
+++ b/src/mongo/db/commands/authentication_commands.cpp
@@ -229,15 +229,7 @@ void _authenticateX509(OperationContext* opCtx, AuthenticationSession* session)
uassertStatusOK(authorizationSession->addAndAuthorizeUser(opCtx, request, boost::none));
};
- const bool isClusterMember = ([&] {
- const auto& requiredValue = sslGlobalParams.clusterAuthX509ExtensionValue;
- if (requiredValue.empty()) {
- return sslConfiguration.isClusterMember(clientName);
- }
- return sslPeerInfo.getClusterMembership() == requiredValue;
- })();
-
- if (isClusterMember) {
+ if (sslConfiguration.isClusterMember(clientName)) {
// Handle internal cluster member auth, only applies to server-server connections
if (!clusterAuthMode.allowsX509()) {
uassert(ErrorCodes::AuthenticationFailed,
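Review bot: After this revert the single condition `if (sslConfiguration.isClusterMember(clientName))` is all that decides who reaches `grantInternalAuthorization`, and the second hunk of this file additionally drops the `gEnforceUserClusterSeparation` guard that refused a certificate matching both the cluster DN and an existing user in the authorization database; the commit message mentions neither effect, so the loss of that separation guard should be called out explicitly, or the guard re-landed on its own if only the extension-based membership logic is what needs reverting. If the `clusterAuthX509ExtensionValue` parameter is left in place elsewhere in the revert (not visible here), it is now silently ignored on this path, which deserves a comment on the new line such as `// Cluster membership is decided solely by the configured cluster DN match.` `_authenticateX509` begins above this hunk and continues past both hunks shown.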
@@ -255,18 +247,6 @@ void _authenticateX509(OperationContext* opCtx, AuthenticationSession* session)
"with cluster membership");
}
- if (gEnforceUserClusterSeparation) {
- auto* am = AuthorizationManager::get(opCtx->getServiceContext());
- BSONObj ignored;
- const bool userExists =
- am->getUserDescription(opCtx, request.name, &ignored).isOK();
- uassert(ErrorCodes::AuthenticationFailed,
- "The provided certificate represents both a cluster member and an "
- "explicit user which exists in the authzn database. "
- "Prohibiting authentication due to enforceUserClusterSeparation setting.",
- !userExists);
- }
-
session->setAsClusterMember();
authorizationSession->grantInternalAuthorization(client);
}