-rw-r--r--src/mongo/db/auth/SConscript1
-rw-r--r--src/mongo/db/auth/authz_manager_external_state.cpp8
2 files changed, 9 insertions, 0 deletions
diff --git a/src/mongo/db/auth/SConscript b/src/mongo/db/auth/SConscript
index 9ef91280636..8add083a5b9 100644
--- a/src/mongo/db/auth/SConscript
+++ b/src/mongo/db/auth/SConscript
@@ -46,6 +46,7 @@ env.Library('authcore', ['action_set.cpp',
'$BUILD_DIR/mongo/db/common',
'$BUILD_DIR/mongo/db/ops/update_driver',
'$BUILD_DIR/mongo/db/namespace_string',
+ '$BUILD_DIR/mongo/db/server_parameters',
'$BUILD_DIR/mongo/db/service_context',
'$BUILD_DIR/mongo/util/md5'])
diff --git a/src/mongo/db/auth/authz_manager_external_state.cpp b/src/mongo/db/auth/authz_manager_external_state.cpp
index 0403af8e256..1e2ec025ea3 100644
--- a/src/mongo/db/auth/authz_manager_external_state.cpp
+++ b/src/mongo/db/auth/authz_manager_external_state.cpp
@@ -32,9 +32,13 @@
#include "mongo/db/auth/authz_manager_external_state.h"
#include "mongo/db/auth/user_name.h"
#include "mongo/db/operation_context.h"
+#include "mongo/db/server_parameters.h"
#include "mongo/util/net/ssl_types.h"
namespace mongo {
+namespace {
+MONGO_EXPORT_STARTUP_SERVER_PARAMETER(allowRolesFromX509Certificates, bool, true);
+}
stdx::function<std::unique_ptr<AuthzManagerExternalState>()> AuthzManagerExternalState::create;
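Review bot: The new server parameter `allowRolesFromX509Certificates` is declared without any comment saying what it controls or why the default is `true`, so an operator reading the code cannot tell what flipping it to `false` does. Add a comment above the declaration such as `// When false, roles carried in a client's X.509 certificate are ignored; the default of true keeps the pre-existing behaviour of honouring them.` The `MONGO_EXPORT_STARTUP_SERVER_PARAMETER` name suggests the value is fixed at startup and cannot be changed on a running server; if so, say that in the same comment, since that is the kind of detail an operator hardening a deployment needs.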
@@ -48,6 +52,10 @@ bool AuthzManagerExternalState::shouldUseRolesFromConnection(OperationContext* t
return false;
}
+ if (!allowRolesFromX509Certificates) {
+ return false;
+ }
+
auto sslPeerInfo = txn->getClient()->session()->getX509PeerInfo();
return sslPeerInfo.subjectName.toString() == userName.getUser() &&
userName.getDB() == "$external" && !sslPeerInfo.roles.empty();
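Review bot: The new guard returns `false` silently, so when an operator has set `allowRolesFromX509Certificates` to false and a client presents a certificate that does carry roles, nothing records that those roles were deliberately ignored; that makes a failed authorization hard to diagnose. Consider a brief comment on the guard, `// Roles embedded in the peer certificate are disabled by configuration; do not consult them.`, and, if the file already has a logging facility in scope, a debug-level message at that point. The guard is correctly placed before the session lookup, so no peer info is fetched when the feature is off. The enclosing `shouldUseRolesFromConnection` begins before this hunk and its closing brace lies after it.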