authorSara Golemon <sara.golemon@mongodb.com>2023-03-21 16:34:12 -0500
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2023-04-03 18:55:21 +0000
commitdc2ff7aa916ef1412ea939b0eaf49a063665d309 (patch)
tree1008fdea299ed3f78c22e945a214d0a84ea32051 /src/mongo/db/commands
parentfe3275102df92e99c7e83a860c63e6ac54218f35 (diff)
SERVER-74999 Determine cluster membership based on X.509 extension
Diffstat (limited to 'src/mongo/db/commands')
-rw-r--r--src/mongo/db/commands/authentication_commands.cpp23
-rw-r--r--src/mongo/db/commands/user_management_commands.cpp2
2 files changed, 23 insertions, 2 deletions
diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp
index c8fdf9e9be7..302654f40e7 100644
--- a/src/mongo/db/commands/authentication_commands.cpp
+++ b/src/mongo/db/commands/authentication_commands.cpp
@@ -229,7 +229,15 @@ void _authenticateX509(OperationContext* opCtx, AuthenticationSession* session)
uassertStatusOK(authorizationSession->addAndAuthorizeUser(opCtx, request, boost::none));
};
- if (sslConfiguration.isClusterMember(clientName)) {
+ const bool isClusterMember = ([&] {
+ const auto& requiredValue = sslGlobalParams.clusterAuthX509ExtensionValue;
+ if (requiredValue.empty()) {
+ return sslConfiguration.isClusterMember(clientName);
+ }
+ return sslPeerInfo.getClusterMembership() == requiredValue;
+ })();
+
+ if (isClusterMember) {
// Handle internal cluster member auth, only applies to server-server connections
if (!clusterAuthMode.allowsX509()) {
uassert(ErrorCodes::AuthenticationFailed,
@@ -247,6 +255,19 @@ void _authenticateX509(OperationContext* opCtx, AuthenticationSession* session)
"with cluster membership");
}
+ if (gEnforceUserClusterSeparation &&
+ !sslGlobalParams.clusterAuthX509ExtensionValue.empty()) {
+ auto* am = AuthorizationManager::get(opCtx->getServiceContext());
+ BSONObj ignored;
+ const bool userExists =
+ am->getUserDescription(opCtx, request.name, &ignored).isOK();
+ uassert(ErrorCodes::AuthenticationFailed,
+ "The provided certificate represents both a cluster member and an "
+ "explicit user which exists in the authzn database. "
+ "Prohibiting authentication due to enforceUserClusterSeparation setting.",
+ !userExists);
+ }
+
session->setAsClusterMember();
authorizationSession->grantInternalAuthorization(client);
}
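Review bot: In the second hunk, `userExists` is computed as `am->getUserDescription(opCtx, request.name, &ignored).isOK()`, which reads every failure of the lookup as "no such user", so an error unrelated to absence (an unavailable or erroring authorization backend) makes the separation check pass and the certificate still receives internal cluster authorization. Because the check exists to refuse an ambiguous certificate, only a not-found status should count as absence and any other status should abort the authentication, e.g. `const auto lookup = am->getUserDescription(opCtx, request.name, &ignored);` / `if (!lookup.isOK() && lookup.code() != ErrorCodes::UserNotFound) uassertStatusOK(lookup);` / `const bool userExists = lookup.isOK();` — this assumes absence is reported as `ErrorCodes::UserNotFound`, which the hunk does not show. A short comment above the new `if (gEnforceUserClusterSeparation &&` block, such as `// createUser no longer rejects names that collide with extension-based cluster members, so the collision is caught here at authentication time.`, would record why the lookup is done only when clusterAuthX509ExtensionValue is set, which the companion change in user_management_commands.cpp otherwise leaves implicit. `_authenticateX509` begins and ends outside both hunks.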
diff --git a/src/mongo/db/commands/user_management_commands.cpp b/src/mongo/db/commands/user_management_commands.cpp
index 4384a88ebbf..82ace1c063c 100644
--- a/src/mongo/db/commands/user_management_commands.cpp
+++ b/src/mongo/db/commands/user_management_commands.cpp
@@ -1030,7 +1030,7 @@ void CmdUMCTyped<CreateUserCommand>::Invocation::typedRun(OperationContext* opCt
#ifdef MONGO_CONFIG_SSL
auto& sslManager = opCtx->getClient()->session()->getSSLManager();
- if (isExternal && sslManager &&
+ if (isExternal && sslManager && sslGlobalParams.clusterAuthX509ExtensionValue.empty() &&
sslManager->getSSLConfiguration().isClusterMember(userName.getUser())) {
if (gEnforceUserClusterSeparation) {
uasserted(ErrorCodes::BadValue,