authorDwight <dmerriman@gmail.com>2009-12-30 15:55:00 -0500
committerDwight <dmerriman@gmail.com>2009-12-30 15:55:00 -0500
commit1c65a22de4fc0d7b4a9e519045c6fec27e7839e7 (patch)
treeda7ac50dfd03eae19eb20747e9a90f87b2dfcda4
parentb2105cd91f8ec229bd8962c5d1d5ffe17d1f5524 (diff)
downloadmongo-1c65a22de4fc0d7b4a9e519045c6fec27e7839e7.tar.gz
prep for fsync exec option
-rw-r--r--db/commands.h7
-rw-r--r--db/dbcommands.cpp20
-rw-r--r--db/dbcommands_admin.cpp15
3 files changed, 30 insertions, 12 deletions
diff --git a/db/commands.h b/db/commands.h
index 523a740056f..3795c3822ef 100644
--- a/db/commands.h
+++ b/db/commands.h
@@ -54,6 +54,13 @@ namespace mongo {
return false;
}
+ /* Like adminOnly, but even stricter: we must either be authenticated for admin db,
+ or, if running without auth, on the local interface.
+
+ When localHostOnlyIfNoAuth() is true, adminOnly() must also be true.
+ */
+ virtual bool localHostOnlyIfNoAuth(const BSONObj& cmdObj) { return false; }
+
/* Return true if slaves of a replication pair are allowed to execute the command
(the command directly from a client -- if fromRepl, always allowed).
*/
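Review bot: The new comment on `localHostOnlyIfNoAuth` does not say what the `cmdObj` parameter is for, although the fsync override later in this commit answers per request from the `exec` field. Adding a line such as `cmdObj is the command being executed; the answer may depend on its options (e.g. fsync only restricts when "exec" is set)` would tell implementers that the hook is evaluated per call rather than per command type. The comment should also state who enforces the rule, since the visible check lives in the dispatcher in db/dbcommands.cpp and not in each command's run(). The enclosing class starts and ends outside the hunk.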
diff --git a/db/dbcommands.cpp b/db/dbcommands.cpp
index 0f9739ec560..7288f37870e 100644
--- a/db/dbcommands.cpp
+++ b/db/dbcommands.cpp
@@ -48,6 +48,7 @@ namespace mongo {
public:
virtual bool requiresAuth() { return true; }
virtual bool adminOnly() { return true; }
+ virtual bool localHostOnlyIfNoAuth(const BSONObj& cmdObj) { return true; }
virtual bool logTheOp() {
return false;
}
@@ -59,15 +60,6 @@ namespace mongo {
}
CmdShutdown() : Command("shutdown") {}
bool run(const char *ns, BSONObj& cmdObj, string& errmsg, BSONObjBuilder& result, bool fromRepl) {
- if( noauth ) {
- // if running without auth, you must be on localhost
- AuthenticationInfo *ai = currentClient.get()->ai;
- if( !ai->isLocalHost ) {
- log() << "ignoring shutdown cmd from client, not from localhost and running without auth" << endl;
- errmsg = "unauthorized [2]";
- return false;
- }
- }
log() << "terminating, shutdown command received" << endl;
dbexit( EXIT_CLEAN );
return true;
@@ -1373,10 +1365,16 @@ namespace mongo {
uassert( 10045 , "unauthorized", ai->isAuthorized(cc().database()->name.c_str()) || !c->requiresAuth());
bool admin = c->adminOnly();
- if ( admin && !fromRepl && strncmp(ns, "admin", 5) != 0 ) {
+
+ if( admin && c->localHostOnlyIfNoAuth(jsobj) && noauth && !ai->isLocalHost ) {
+ ok = false;
+ errmsg = "unauthorized: this command must run from localhost when running db without auth";
+ log() << "command denied: " << jsobj.toString() << endl;
+ }
+ else if ( admin && !fromRepl && strncmp(ns, "admin", 5) != 0 ) {
ok = false;
errmsg = "access denied";
- cout << "command denied: " << jsobj.toString() << endl;
+ log() << "command denied: " << jsobj.toString() << endl;
}
else if ( isMaster() ||
c->slaveOk() ||
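Review bot: The localhost restriction in the new first branch fails open if a command returns true from `localHostOnlyIfNoAuth()` but false from `adminOnly()`, because the condition begins with `admin &&`, and db/commands.h only documents that pairing as a requirement. Dropping `admin &&` from that condition, or asserting `c->adminOnly()` whenever the hook returns true, would enforce the rule instead of relying on every override getting it right. Both denial branches also log the same `command denied:` text, so the log cannot distinguish a non-localhost rejection from a wrong-namespace one; a distinct prefix on the new branch would help when triaging refused admin commands. The `strncmp(ns, "admin", 5)` test on the `else if` line accepts any namespace that merely starts with "admin", which looks broader than intended if `ns` has the form `db.$cmd`; comparing against `"admin."` with length 6 may be what is meant, to be confirmed against the callers. The enclosing function starts and ends outside the hunk.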
diff --git a/db/dbcommands_admin.cpp b/db/dbcommands_admin.cpp
index ab5d1db36c9..aa1b42ee267 100644
--- a/db/dbcommands_admin.cpp
+++ b/db/dbcommands_admin.cpp
@@ -255,12 +255,25 @@ namespace mongo {
virtual bool slaveOk(){ return true; }
virtual bool adminOnly(){ return true; }
-
+ virtual bool localHostOnlyIfNoAuth(const BSONObj& cmdObj) {
+ string x = cmdObj["exec"].valuestrsafe();
+ return !x.empty();
+ }
virtual bool run(const char *ns, BSONObj& cmdObj, string& errmsg, BSONObjBuilder& result, bool fromRepl) {
/* async means do an fsync, but return immediately */
bool sync = ! cmdObj["async"].trueValue();
+ string exec = cmdObj["exec"].valuestrsafe();
log() << "CMD fsync: sync:" << sync << endl;
result.append( "numFiles" , MemoryMappedFile::flushAll( sync ) );
+ if( !exec.empty() ) {
+ uassert(12032, "fsync: sync option must be true when using exec", sync);
+ assert( localHostOnlyIfNoAuth(cmdObj) );
+ log() << "execing: " << exec << " (db will be locked during operation)" << endl;
+ // ADD EXEC HERE
+ log() << "ERROR: exec call not yet implemented" << endl;
+ result.append("execOutput", "exec not yet implemented");
+ log() << "exec complete" << endl;
+ }
return 1;
}
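Review bot: The `assert( localHostOnlyIfNoAuth(cmdObj) )` guard in run() can never fail, because it re-evaluates the same "exec is non-empty" test that the enclosing `if( !exec.empty() )` has already passed, so it says nothing about whether the caller was checked for localhost or admin authentication. Before the `// ADD EXEC HERE` placeholder is filled in, the guard should test the caller's state directly, using the `noauth` and `isLocalHost` condition the dispatcher applies, and report failure through `uassert` like the `sync` check one line above, so that any path reaching run() without the dispatcher is refused. The exec string comes from the client and would run with the server's privileges, so it is also worth deciding explicitly whether `fromRepl` invocations may reach this branch and whether the full command should be written to the log as it is now. The override and run() each parse `cmdObj["exec"]` separately; a single private helper would keep the two from drifting apart. The enclosing command class starts outside the hunk.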