author | Andy Schwerin <schwerin@10gen.com> | 2014-02-27 15:34:46 -0500 |
---|---|---|
committer | Andy Schwerin <schwerin@10gen.com> | 2014-02-28 11:39:58 -0500 |
commit | 944807590b5d7a6a5b7b53f02bd032faf9406507 (patch) | |
tree | 23d2ce9f21dd483fba311d390194b1d155b3fe65 | |
parent | 7851431d5b4b1dc0a5df17c1f7964d2bfc3ff623 (diff) | |
download | mongo-944807590b5d7a6a5b7b53f02bd032faf9406507.tar.gz |
SERVER-11770 Support changing the default gssapiServiceName from the shell command line.
This patch allows the user to specify an alternate gssapiServiceName (default is mongodb)
when authenticating using GSSAPI/Kerberos. It also allows the user to specify the host
name to use for authentication purposes, when this does not match the DNS host name.
Both of these functions were previously exposed only through the db.auth() method,
and not for command-line authentication.
-rw-r--r-- | src/mongo/shell/db.js | 8 | ||||
-rw-r--r-- | src/mongo/shell/dbshell.cpp | 23 | ||||
-rw-r--r-- | src/mongo/shell/shell_options.cpp | 33 | ||||
-rw-r--r-- | src/mongo/shell/shell_options.h | 2 |
4 files changed, 54 insertions, 12 deletions
diff --git a/src/mongo/shell/db.js b/src/mongo/shell/db.js index 2bf1d0b85fa..8c75ed21d4f 100644 --- a/src/mongo/shell/db.js +++ b/src/mongo/shell/db.js @@ -1178,6 +1178,7 @@ DB.prototype.__pwHash = function( nonce, username, pass ) { } DB.prototype._defaultAuthenticationMechanism = "MONGODB-CR"; +DB.prototype._defaultGssapiServiceName = null; DB.prototype._authOrThrow = function () { var params; @@ -1201,6 +1202,13 @@ DB.prototype._authOrThrow = function () { throw Error("Do not override db field on db.auth(). Use getMongo().auth(), instead."); } + if (params.mechanism == "GSSAPI" && + params.serviceName == null && + this._defaultGssapiServiceName != null) { + + params.serviceName = this._defaultGssapiServiceName; + } + params.db = this.getName(); var good = this.getMongo().auth(params); if (good) { diff --git a/src/mongo/shell/dbshell.cpp b/src/mongo/shell/dbshell.cpp index 38e2a2017a7..b00ef67e522 100644 --- a/src/mongo/shell/dbshell.cpp +++ b/src/mongo/shell/dbshell.cpp 
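Review bot: The new block in `_authOrThrow` has no comment stating its precedence rule, and the loose `== null` tests are easy to "tidy" into `===` by mistake, which would stop them matching `undefined`. I would add `// An explicit params.serviceName wins; the shell-wide default applies only when the caller gave none (== null also matches undefined).` above the `if`. The test also relies on `params.mechanism` already holding its final value at this point. That defaulting happens outside the hunk, so it should be confirmed that a mechanism taken from `_defaultAuthenticationMechanism` is assigned before this comparison runs.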
@@ -699,34 +699,45 @@ int _main( int argc, char* argv[], char **envp ) { // }()) stringstream authStringStream; authStringStream << "(function() { " << endl; - if ( !shellGlobalParams.authenticationMechanism.empty() ) { + if (!shellGlobalParams.authenticationMechanism.empty()) { authStringStream << "DB.prototype._defaultAuthenticationMechanism = \"" << - shellGlobalParams.authenticationMechanism << "\";" << endl; + escape(shellGlobalParams.authenticationMechanism) << "\";" << endl; + } + + if (!shellGlobalParams.gssapiServiceName.empty()) { + authStringStream << "DB.prototype._defaultGssapiServiceName = \"" << + escape(shellGlobalParams.gssapiServiceName) << "\";" << endl; } if (!shellGlobalParams.nodb && shellGlobalParams.username.size()) { - authStringStream << "var username = \"" << shellGlobalParams.username << "\";" << endl; + authStringStream << "var username = \"" << escape(shellGlobalParams.username) << "\";" << + endl; if (shellGlobalParams.usingPassword) { - authStringStream << "var password = \"" << shellGlobalParams.password << "\";" << endl; + authStringStream << "var password = \"" << escape(shellGlobalParams.password) << "\";" + << endl; } if (shellGlobalParams.authenticationDatabase.empty()) { authStringStream << "var authDb = db;" << endl; } else { authStringStream << "var authDb = db.getSiblingDB(\"" - << shellGlobalParams.authenticationDatabase << "\");" << endl; + << escape(shellGlobalParams.authenticationDatabase) << "\");" << endl; } authStringStream << "authDb._authOrThrow({ " << saslCommandUserFieldName << ": username "; if (shellGlobalParams.usingPassword) { authStringStream << ", " << saslCommandPasswordFieldName << ": password "; } + + if (!shellGlobalParams.gssapiHostName.empty()) { + authStringStream << ", " << saslCommandServiceHostnameFieldName << ": \"" + << escape(shellGlobalParams.gssapiHostName) << '"' << endl; + } authStringStream << "});" << endl; } authStringStream << "}())"; mongo::shell_utils::_dbAuth = 
authStringStream.str(); - mongo::ScriptEngine::setConnectCallback( mongo::shell_utils::onConnect ); mongo::ScriptEngine::setup(); mongo::globalScriptEngine->setScopeInitCallback( mongo::shell_utils::initScope ); diff --git a/src/mongo/shell/shell_options.cpp b/src/mongo/shell/shell_options.cpp index 2832989ffe3..906b0b8a106 100644 --- a/src/mongo/shell/shell_options.cpp +++ b/src/mongo/shell/shell_options.cpp @@ -32,6 +32,7 @@ #include "mongo/base/status.h" #include "mongo/bson/util/builder.h" +#include "mongo/client/sasl_client_authenticate.h" #include "mongo/db/server_options.h" #include "mongo/shell/shell_utils.h" #include "mongo/util/mongoutils/str.h" 
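Review bot: Nothing in this block says that `escape()` is now the only thing separating command-line values from script text, so the next option spliced into `authStringStream` can easily be added unescaped. I would put `// Every command-line value written into this script must go through escape(): the text appears to be run as JavaScript on connect.` above the first `authStringStream <<`. What `escape()` covers is not visible here; if it is a JSON-style escaper, it is worth confirming that it also handles U+2028/U+2029, which older JavaScript engines treat as line terminators inside string literals. The password is still held in clear text in `mongo::shell_utils::_dbAuth` after this change, which deserves a comment at the assignment. `_main` starts and continues outside the hunk.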
@@ -63,21 +64,33 @@ namespace mongo { options->addOptionChaining("eval", "eval", moe::String, "evaluate javascript"); - options->addOptionChaining("username", "username,u", moe::String, + moe::OptionSection authenticationOptions("Authentication Options"); + + authenticationOptions.addOptionChaining("username", "username,u", moe::String, "username for authentication"); - options->addOptionChaining("password", "password,p", moe::String, + authenticationOptions.addOptionChaining("password", "password,p", moe::String, "password for authentication") .setImplicit(moe::Value(std::string(""))); - options->addOptionChaining("authenticationDatabase", "authenticationDatabase", moe::String, - "user source (defaults to dbname)") + authenticationOptions.addOptionChaining("authenticationDatabase", "authenticationDatabase", + moe::String, "user source (defaults to dbname)") .setDefault(moe::Value(std::string(""))); - options->addOptionChaining("authenticationMechanism", "authenticationMechanism", - moe::String, "authentication mechanism") + authenticationOptions.addOptionChaining("authenticationMechanism", + "authenticationMechanism", moe::String, "authentication mechanism") .setDefault(moe::Value(std::string("MONGODB-CR"))); + authenticationOptions.addOptionChaining("gssapiServiceName", "gssapiServiceName", + moe::String, + "Service name to use when authenticating using GSSAPI/Kerberos") + .setDefault(moe::Value(std::string(saslDefaultServiceName))); + + authenticationOptions.addOptionChaining("gssapiHostName", "gssapiHostName", moe::String, + "Remote host name to use for purpose of GSSAPI/Kerberos authentication"); + + options->addSection(authenticationOptions); + options->addOptionChaining("help", "help,h", moe::Switch, "show this usage information"); options->addOptionChaining("version", "version", moe::Switch, "show version information"); 
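Review bot: The help text for `gssapiHostName` does not say that the value replaces the connected host's name for Kerberos purposes, so `--help` gives no hint that a wrong value makes the shell authenticate the server under a different identity than the host it reached. I would word it as `"Host name to use for GSSAPI/Kerberos authentication when it differs from the name used to connect"`. `gssapiServiceName` is given a default of `saslDefaultServiceName`, so `params.count("gssapiServiceName")` will presumably always be true when the options are stored. A short comment next to that `.setDefault(...)` saying so would save the next reader from wondering whether the later `count()` test can fail. The enclosing function starts and ends outside the hunk.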
@@ -203,6 +216,14 @@ namespace mongo { params["authenticationMechanism"].as<string>(); } + if (params.count("gssapiServiceName")) { + shellGlobalParams.gssapiServiceName = params["gssapiServiceName"].as<string>(); + } + + if (params.count("gssapiHostName")) { + shellGlobalParams.gssapiHostName = params["gssapiHostName"].as<string>(); + } + if (params.count("shell")) { shellGlobalParams.runShell = true; } diff --git a/src/mongo/shell/shell_options.h b/src/mongo/shell/shell_options.h index 12d0ed5c89c..1d4a74a8f34 100644 --- a/src/mongo/shell/shell_options.h +++ b/src/mongo/shell/shell_options.h @@ -53,6 +53,8 @@ namespace mongo { bool usingPassword; std::string authenticationMechanism; std::string authenticationDatabase; + std::string gssapiServiceName; + std::string gssapiHostName; bool runShell; bool nodb; |
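Review bot: Both new options are stored without checking that the selected mechanism is GSSAPI, and in dbshell.cpp a non-empty `gssapiHostName` is appended to the `_authOrThrow` arguments whatever the mechanism is. A Kerberos-only setting given alongside another mechanism is therefore accepted silently instead of being reported as a misconfiguration. A guard such as `if (params.count("gssapiHostName") && shellGlobalParams.authenticationMechanism != "GSSAPI")`, placed after the mechanism has been stored and failing through the function's usual error path, would surface it. That error path and the start of the function are outside the hunk, so the exact form of the failure needs to follow what the rest of the function does.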