author | Spencer Jackson <spencer.jackson@mongodb.com> | 2020-08-11 16:45:06 +0000 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2020-09-02 00:20:03 +0000 |
commit | 2973992735143c9f6b6ff2a8bc15e5adf19d9ac6 (patch) | |
tree | 898de0308d139b2c65bd82b45a1cf4581ab282f9 /src | |
parent | 8cdfbc1bed025b640b98196cc1e2d2494b9dde27 (diff) | |
download | mongo-2973992735143c9f6b6ff2a8bc15e5adf19d9ac6.tar.gz |
SERVER-45938 Create override for createUser to allow possible cluster members
Diffstat (limited to 'src')
-rw-r--r-- | src/mongo/db/commands/user_management_commands.cpp | 19 | ||||
-rw-r--r-- | src/mongo/db/commands/user_management_commands.idl | 8 |
2 files changed, 22 insertions, 5 deletions
diff --git a/src/mongo/db/commands/user_management_commands.cpp b/src/mongo/db/commands/user_management_commands.cpp
index 5694a2368cb..33c64a07122 100644
--- a/src/mongo/db/commands/user_management_commands.cpp
+++ b/src/mongo/db/commands/user_management_commands.cpp
@@ -812,11 +812,20 @@ void CmdUMCTyped<CreateUserCommand, void>::Invocation::typedRun(OperationContext
 #ifdef MONGO_CONFIG_SSL
 auto configuration = opCtx->getClient()->session()->getSSLConfiguration();
- uassert(ErrorCodes::BadValue,
- "Cannot create an x.509 user with a subjectname that would be "
- "recognized as an internal cluster member",
- (dbname != "$external") || !configuration ||
- !configuration->isClusterMember(userName.getUser()));
+
+ if ((dbname == "$external") && configuration &&
+ configuration->isClusterMember(userName.getUser())) {
+ if (gEnforceUserClusterSeparation) {
+ uasserted(ErrorCodes::BadValue,
+ "Cannot create an x.509 user with a subjectname that would be "
+ "recognized as an internal cluster member");
+ } else {
+ LOGV2(4593800,
+ "Creating user which would be considered a cluster member if clusterAuthMode "
+ "enabled X509 authentication",
+ "user"_attr = userName);
+ }
+ }
 #endif
 // Synthesize a user document
diff --git a/src/mongo/db/commands/user_management_commands.idl b/src/mongo/db/commands/user_management_commands.idl
index 53437d600c0..ca1c510a872 100644
--- a/src/mongo/db/commands/user_management_commands.idl
+++ b/src/mongo/db/commands/user_management_commands.idl
@@ -33,6 +33,14 @@ imports:
 - "mongo/db/auth/auth_types.idl"
 - "mongo/db/auth/address_restriction.idl"
+server_parameters:
+ enforceUserClusterSeparation:
+ description: "Prevents creation of users whose names would be interpreted as cluster members"
+ set_at: startup
+ cpp_varname: "gEnforceUserClusterSeparation"
+ cpp_vartype: bool
+ default: true
+
 structs:
 dropAllUsersFromDatabaseReply:
 description: "Response for dropAllUsersFromDatabase command"
|
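Review bot: With `gEnforceUserClusterSeparation` disabled, the new `else` branch records a deliberate bypass of the cluster-member name check at default severity via `LOGV2(4593800, ...)`; creating a `$external` user whose name collides with a cluster-member subject is a security-relevant event operators will want surfaced, so `LOGV2_WARNING(4593800,` is the better fit for that line. The branch would also benefit from a why-comment ahead of `if (gEnforceUserClusterSeparation) {`, e.g. `// Startup-only override (SERVER-45938): when separation is not enforced the user is still created and the collision is only logged.` The new `dbname == "$external"` / `isClusterMember` guard looks equivalent to the negated condition of the removed uassert, so the enforced path appears unchanged. typedRun's body starts and ends outside the hunk.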
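Review bot: The `description:` of `enforceUserClusterSeparation` states only what the parameter prevents, not what happens when it is set to false, which is what an operator reading the parameter's documentation needs before disabling it; suggest `description: "Prevents creation of x.509 users in $external whose names would be interpreted as cluster members; when false such users are created and a log message is emitted instead"`. Since `set_at: startup` makes this a deployment-time decision, the description is the main place that trade-off is visible. The `server_parameters:` block is complete within the hunk.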