author | Sara Golemon <sara.golemon@mongodb.com> | 2023-03-21 16:34:12 -0500 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2023-04-03 18:55:21 +0000 |
commit | dc2ff7aa916ef1412ea939b0eaf49a063665d309 (patch) | |
tree | 1008fdea299ed3f78c22e945a214d0a84ea32051 /src/mongo/db/commands | |
parent | fe3275102df92e99c7e83a860c63e6ac54218f35 (diff) | |
SERVER-74999 Determine cluster membership based on X.509 extension
Diffstat (limited to 'src/mongo/db/commands')
-rw-r--r-- | src/mongo/db/commands/authentication_commands.cpp | 23 | ||||
-rw-r--r-- | src/mongo/db/commands/user_management_commands.cpp | 2 |
2 files changed, 23 insertions, 2 deletions
diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp
index c8fdf9e9be7..302654f40e7 100644
--- a/src/mongo/db/commands/authentication_commands.cpp
+++ b/src/mongo/db/commands/authentication_commands.cpp
@@ -229,7 +229,15 @@ void _authenticateX509(OperationContext* opCtx, AuthenticationSession* session)
         uassertStatusOK(authorizationSession->addAndAuthorizeUser(opCtx, request, boost::none));
     };
 
-    if (sslConfiguration.isClusterMember(clientName)) {
+    const bool isClusterMember = ([&] {
+        const auto& requiredValue = sslGlobalParams.clusterAuthX509ExtensionValue;
+        if (requiredValue.empty()) {
+            return sslConfiguration.isClusterMember(clientName);
+        }
+        return sslPeerInfo.getClusterMembership() == requiredValue;
+    })();
+
+    if (isClusterMember) {
         // Handle internal cluster member auth, only applies to server-server connections
         if (!clusterAuthMode.allowsX509()) {
             uassert(ErrorCodes::AuthenticationFailed,
@@ -247,6 +255,19 @@ void _authenticateX509(OperationContext* opCtx, AuthenticationSession* session)
                     "with cluster membership");
         }
 
+        if (gEnforceUserClusterSeparation &&
+            !sslGlobalParams.clusterAuthX509ExtensionValue.empty()) {
+            auto* am = AuthorizationManager::get(opCtx->getServiceContext());
+            BSONObj ignored;
+            const bool userExists =
+                am->getUserDescription(opCtx, request.name, &ignored).isOK();
+            uassert(ErrorCodes::AuthenticationFailed,
+                    "The provided certificate represents both a cluster member and an "
+                    "explicit user which exists in the authzn database. "
+                    "Prohibiting authentication due to enforceUserClusterSeparation setting.",
+                    !userExists);
+        }
+
         session->setAsClusterMember();
         authorizationSession->grantInternalAuthorization(client);
     }
diff --git a/src/mongo/db/commands/user_management_commands.cpp b/src/mongo/db/commands/user_management_commands.cpp
index 4384a88ebbf..82ace1c063c 100644
--- a/src/mongo/db/commands/user_management_commands.cpp
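Review bot: The precedence between the two membership criteria inside the new `isClusterMember` lambda is undocumented: once `clusterAuthX509ExtensionValue` is configured the subject-DN based `isClusterMember(clientName)` path is bypassed entirely rather than combined with the extension comparison, and nothing in the hunk says so or records which criterion accepted the peer. A short comment above the lambda would make that explicit, e.g. `// When clusterAuthX509ExtensionValue is set, the peer certificate's extension value is the sole` `// cluster-membership criterion; the subject-DN isClusterMember() check is not consulted.` A debug-level log naming the criterion that matched would also let operators audit cluster-member acceptances after switching modes. `_authenticateX509` starts and ends outside the hunk, so where `sslPeerInfo` is populated is not visible here.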
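Review bot: The separation check in the second hunk fails open on lookup errors: `am->getUserDescription(opCtx, request.name, &ignored).isOK()` makes `userExists` false for any non-OK status, so a transient failure reading the user store, not only a missing user, would let a certificate that also maps to an explicit user through as a cluster member. If statuses other than `UserNotFound` can be returned here, keep the status and require that code specifically, replacing the `userExists` bool with `const auto status = am->getUserDescription(opCtx, request.name, &ignored);` and asserting `status == ErrorCodes::UserNotFound` in the `uassert`, which rejects both an existing user and an unexpected error. The companion hunk in user_management_commands.cpp stops createUser from refusing cluster-member names once the extension value is configured, so this auth-time check appears to become the only point where the separation is enforced in that mode; a comment stating that would help the next reader. `_authenticateX509` continues outside the hunk.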
+++ b/src/mongo/db/commands/user_management_commands.cpp
@@ -1030,7 +1030,7 @@ void CmdUMCTyped<CreateUserCommand>::Invocation::typedRun(OperationContext* opCt
 #ifdef MONGO_CONFIG_SSL
     auto& sslManager = opCtx->getClient()->session()->getSSLManager();
-    if (isExternal && sslManager &&
+    if (isExternal && sslManager && sslGlobalParams.clusterAuthX509ExtensionValue.empty() &&
         sslManager->getSSLConfiguration().isClusterMember(userName.getUser())) {
         if (gEnforceUserClusterSeparation) {
             uasserted(ErrorCodes::BadValue,
|