DOCS-14389 swap deprecated whitelist language for allowlist #5604

Closed
4 changes: 2 additions & 2 deletions source/administration/security-checklist.txt
Expand Up @@ -123,13 +123,13 @@ Pre-production Checklist/Considerations

- the :setting:`net.bindIp` configuration setting

- the :setting:`security.clusterIpSourceWhitelist` configuration
- the :setting:`security.clusterIpSourceAllowlist` configuration
setting

- the :ref:`authenticationRestrictions
<db-createUser-authenticationRestrictions>` field to the
:method:`db.createUser()` command to specify a per-user IP
whitelist.
allow list.


|arrow| Audit System Activity
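Review bot: the `authenticationRestrictions` bullet now ends in "per-user IP allow list." while the setting it sits next to is spelled `security.clusterIpSourceAllowlist` and the PR title uses "allowlist"; make it one word ("per-user IP allowlist.") so the checklist matches the identifier readers will search for. Also, the checklist points at `security.clusterIpSourceAllowlist` without saying it is new in 5.0 (the configuration-options change in this same PR carries `.. versionadded:: 5.0`), so a reader on an earlier release will look for a setting their server does not recognise; a short "(5.0+; `security.clusterIpSourceWhitelist` on earlier releases)" after the setting name would close that gap.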
48 changes: 45 additions & 3 deletions source/reference/configuration-options.txt
Expand Up @@ -2215,7 +2215,7 @@ Core Options
transitionToAuth: <boolean>
javascriptEnabled: <boolean>
redactClientLogData: <boolean>
clusterIpSourceWhitelist:
clusterIpSourceAllowlist:
- <string>
sasl:
hostName: <string>
Expand Down Expand Up @@ -2433,13 +2433,55 @@ Core Options
:parameter:`redactClientLogData` parameter to configure this setting.


.. setting:: security.clusterIpSourceWhitelist
.. setting:: security.clusterIpSourceAllowlist

*Type*: list

.. versionadded:: 5.0

A list of IP addresses/CIDR (`Classless Inter-Domain Routing
<https://tools.ietf.org/html/rfc4632>`__) ranges against which the
:binary:`~bin.mongod` validates authentication requests from other
members of the replica set and, if part of a sharded cluster, the
:binary:`~bin.mongos` instances. The :binary:`~bin.mongod` verifies
that the originating IP is either explicitly in the list or belongs
to a CIDR range in the list. If the IP address is not present, the
server does not authenticate the :binary:`~bin.mongod` or
:binary:`~bin.mongos`.

:setting:`security.clusterIpSourceAllowlist` has no effect on a
:binary:`~bin.mongod` started without
:ref:`authentication <authentication>`.


.. versionadded:: 3.6
:setting:`security.clusterIpSourceAllowlist` requires specifying each
IPv4/6 address or Classless Inter-Domain Routing
(`CIDR <https://tools.ietf.org/html/rfc4632>`_) range as a YAML list:

.. code-block:: yaml

security:
clusterIpSourceAllowlist:
- 192.0.2.0/24
- 127.0.0.1
- ::1


.. important::

Ensure :setting:`security.clusterIpSourceAllowlist` includes the
IP address *or* CIDR ranges that include the IP address of each
replica set member or :binary:`~bin.mongos` in the deployment to
ensure healthy communication between cluster components.


.. setting:: security.clusterIpSourceWhitelist

*Type*: list

*Deprecated in version 5.0:* Use
:setting:`security.clusterIpSourceAllowlist` instead.

A list of IP addresses/CIDR (`Classless Inter-Domain Routing
<https://tools.ietf.org/html/rfc4632>`__) ranges against which the
:binary:`~bin.mongod` validates authentication requests from other members of
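Review bot: the `.. versionadded:: 3.6` that remains inside the new `security.clusterIpSourceAllowlist` section (just before "requires specifying each IPv4/6 address ... as a YAML list") is a leftover from the copied whitelist text and contradicts the `.. versionadded:: 5.0` at the top of the same section; with the following sentence attached to it, the page will render a "New in version 3.6" note about a setting that the section itself says was added in 5.0. Drop that directive and leave the YAML-list sentence as a plain paragraph. Separately, the deprecated `security.clusterIpSourceWhitelist` section marks its status with hand-written emphasis (`*Deprecated in version 5.0:* Use ... instead.`); the `.. deprecated:: 5.0` directive renders in the same style as the `versionadded` markers elsewhere in this file and keeps the deprecation machine-readable, so prefer it here.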
35 changes: 33 additions & 2 deletions source/reference/program/mongod.txt
Expand Up @@ -267,13 +267,44 @@ Core Options

``--bind_ip`` and ``--bind_ip_all`` are mutually exclusive. That
is, you can specify one or the other, but not both.


.. option:: --clusterIpSourceAllowlist <string>

.. versionadded:: 5.0

A list of IP addresses/CIDR (`Classless Inter-Domain Routing
<https://tools.ietf.org/html/rfc4632>`__) ranges against which the
:binary:`~bin.mongod` validates authentication requests from other members of
the replica set and, if part of a sharded cluster, the :binary:`~bin.mongos`
instances. The :binary:`~bin.mongod` verifies that the originating IP is
either explicitly in the list or belongs to a CIDR range in the list. If the
IP address is not present, the server does not authenticate the
:binary:`~bin.mongod` or :binary:`~bin.mongos`.

:option:`--clusterIpSourceAllowlist` has no effect on a :binary:`~bin.mongod` started without
:ref:`authentication <authentication>`.


:option:`--clusterIpSourceAllowlist` accepts multiple comma-separated IPv4/6 addresses or Classless
Inter-Domain Routing (`CIDR <https://tools.ietf.org/html/rfc4632>`_) ranges:

.. code-block:: bash

mongod --clusterIpSourceAllowlist 192.0.2.0/24,127.0.0.1,::1


.. important::

Ensure :option:`--clusterIpSourceAllowlist` includes the IP address *or* CIDR ranges that include the
IP address of each replica set member or :binary:`~bin.mongos` in the
deployment to ensure healthy communication between cluster components.


.. option:: --clusterIpSourceWhitelist <string>


.. versionadded:: 3.6
*Deprecated in version 5.0:*
Use :option:`--clusterIpSourceAllowlist` instead.

A list of IP addresses/CIDR (`Classless Inter-Domain Routing
<https://tools.ietf.org/html/rfc4632>`__) ranges against which the
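Review bot: in the `--clusterIpSourceWhitelist` block, `*Deprecated in version 5.0:*` and `Use :option:`--clusterIpSourceAllowlist` instead.` follow `.. versionadded:: 3.6` with no blank line between them, so the deprecation text is attached to the versionadded directive and renders as "New in version 3.6: Deprecated in version 5.0: Use ...", which reads as contradictory. Keep `.. versionadded:: 3.6` on its own (it is correct for the old option), then add a separate `.. deprecated:: 5.0` directive carrying the "Use `--clusterIpSourceAllowlist` instead." sentence. The new `--clusterIpSourceAllowlist` block is fine as written; its `.. versionadded:: 5.0` is placed consistently with the configuration-options entry in this PR.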