Diffstat (limited to 'src/mongo/db/commands')
-rw-r--r-- | src/mongo/db/commands/user_management_commands.cpp | 19 | ||||
-rw-r--r-- | src/mongo/db/commands/user_management_commands.idl | 8 |
2 files changed, 22 insertions, 5 deletions
diff --git a/src/mongo/db/commands/user_management_commands.cpp b/src/mongo/db/commands/user_management_commands.cpp
index 5694a2368cb..33c64a07122 100644
--- a/src/mongo/db/commands/user_management_commands.cpp
+++ b/src/mongo/db/commands/user_management_commands.cpp
@@ -812,11 +812,20 @@ void CmdUMCTyped<CreateUserCommand, void>::Invocation::typedRun(OperationContext
#ifdef MONGO_CONFIG_SSL
auto configuration = opCtx->getClient()->session()->getSSLConfiguration();
- uassert(ErrorCodes::BadValue,
- "Cannot create an x.509 user with a subjectname that would be "
- "recognized as an internal cluster member",
- (dbname != "$external") || !configuration ||
- !configuration->isClusterMember(userName.getUser());
+
+ if ((dbname == "$external") && configuration &&
+ configuration->isClusterMember(userName.getUser())) {
+ if (gEnforceUserClusterSeparation) {
+ uasserted(ErrorCodes::BadValue,
+ "Cannot create an x.509 user with a subjectname that would be "
+ "recognized as an internal cluster member");
+ } else {
+ LOGV2(4593800,
+ "Creating user which would be considered a cluster member if clusterAuthMode "
+ "enabled X509 authentication",
+ "user"_attr = userName);
+ }
+ }
#endif
// Synthesize a user document
diff --git a/src/mongo/db/commands/user_management_commands.idl b/src/mongo/db/commands/user_management_commands.idl
index 53437d600c0..ca1c510a872 100644
--- a/src/mongo/db/commands/user_management_commands.idl
+++ b/src/mongo/db/commands/user_management_commands.idl
@@ -33,6 +33,14 @@ imports:
- "mongo/db/auth/auth_types.idl"
- "mongo/db/auth/address_restriction.idl"
+server_parameters:
+ enforceUserClusterSeparation:
+ description: "Prevents creation of users whose names would be interpreted as cluster members"
+ set_at: startup
+ cpp_varname: "gEnforceUserClusterSeparation"
+ cpp_vartype: bool
+ default: true
+
structs:
dropAllUsersFromDatabaseReply:
description: "Response for dropAllUsersFromDatabase command" |
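Review bot: When gEnforceUserClusterSeparation is false, the new else branch creates an x.509 user whose subject already satisfies isClusterMember() against the live SSL configuration and records only a plain informational LOGV2 entry, which is easy to lose in routine log volume for what is a relaxed security boundary; I would emit it at warning severity, `LOGV2_WARNING(4593800,`, and add a comment above the outer if such as `// enforceUserClusterSeparation=false only downgrades the rejection below to a log entry; the user is still created.` The message text "would be considered a cluster member if clusterAuthMode enabled X509 authentication" reads as hypothetical even though the check that gates this branch has already matched the name, so the wording may understate the situation for an operator; confirm which reading is intended. Note that the whole check sits inside #ifdef MONGO_CONFIG_SSL, so non-SSL builds get neither the rejection nor the log, as before. typedRun begins and ends outside the hunk.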
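Review bot: The description of the new enforceUserClusterSeparation parameter states only the default behaviour and does not say what setting it to false does; since the matching .cpp change in this commit then creates the user and logs instead of rejecting, the description should say so, e.g. `description: "Prevents creation of users whose names would be interpreted as cluster members; when false such users are created and a log entry is emitted instead"`. The set_at: startup choice is consistent with a knob that should not be flipped at runtime by a database user, and that rationale could be stated in the description as well, if the project convention allows.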