author | Spencer Jackson <spencer.jackson@mongodb.com> | 2017-07-31 10:56:56 -0400 |
---|---|---|
committer | Spencer Jackson <spencer.jackson@mongodb.com> | 2017-07-31 13:59:59 -0400 |
commit | 9096def9687739a40df79efe4e9e4d9b19215201 (patch) | |
tree | b2f47817d0899e0de7f04bc40e226e8c729d5860 | |
parent | 6d9d554e24b134e9cadad7e9377c5e4634c3a6af (diff) | |
download | mongo-9096def9687739a40df79efe4e9e4d9b19215201.tar.gz |
SERVER-30434: Process authenticationRestrictions in FCV 3.4
-rw-r--r-- | jstests/auth/authentication_restrictions.js | 9 | ||||
-rw-r--r-- | src/mongo/db/auth/SConscript | 3 | ||||
-rw-r--r-- | src/mongo/db/auth/address_restriction.cpp | 12 | ||||
-rw-r--r-- | src/mongo/db/auth/authorization_session_test.cpp | 76 | ||||
-rw-r--r-- | src/mongo/db/auth/authz_manager_external_state_local.cpp | 23 | ||||
-rw-r--r-- | src/mongo/db/auth/user_document_parser_test.cpp | 13 | ||||
-rw-r--r-- | src/mongo/db/auth/user_management_commands_parser.cpp | 10 |
7 files changed, 16 insertions, 130 deletions
diff --git a/jstests/auth/authentication_restrictions.js b/jstests/auth/authentication_restrictions.js index 98c4a1c586a..17d656c9f05 100644 --- a/jstests/auth/authentication_restrictions.js +++ b/jstests/auth/authentication_restrictions.js @@ -194,7 +194,7 @@ eventualDb.getSiblingDB("test").runCommand({find: "foo", batchSize: 0})); print( - "When a client downgrades featureCompatibilityVersion, users with featureCompatibilityVersions become unusable."); + "When a client downgrades featureCompatibilityVersion, authenticationRestrictions are still enforced"); assert.commandWorked(admin.runCommand({ createUser: "user13", pwd: "user", @@ -212,9 +212,12 @@ assert.commandWorked(admin.runCommand({setFeatureCompatibilityVersion: "3.4"})); sleepUntilUserDataRefreshed(); - assert.commandFailed(db.getSiblingDB("test").runCommand({find: "foo", batchSize: 0})); - assert.commandFailed( + assert(db.auth("user13", "user")); + assert.commandWorked(db.getSiblingDB("test").runCommand({find: "foo", batchSize: 0})); + assert(eventualDb.auth("user13", "user")); + assert.commandWorked( eventualDb.getSiblingDB("test").runCommand({find: "foo", batchSize: 0})); + assert(!externalDb.auth("user13", "user")); } print("Testing standalone"); diff --git a/src/mongo/db/auth/SConscript b/src/mongo/db/auth/SConscript index 396c0b4b24b..043641da879 100644 --- a/src/mongo/db/auth/SConscript +++ b/src/mongo/db/auth/SConscript @@ -276,9 +276,8 @@ env.Library( 'address_restriction.cpp', env.Idlc('address_restriction.idl')[0], ], - LIBDEPS=[ + LIBDEPS_PRIVATE=[ 'authentication_restriction', - '$BUILD_DIR/mongo/db/server_options_core', '$BUILD_DIR/mongo/base', '$BUILD_DIR/mongo/util/net/network', '$BUILD_DIR/mongo/idl/idl_parser', diff --git a/src/mongo/db/auth/address_restriction.cpp b/src/mongo/db/auth/address_restriction.cpp index 607aa3056e9..aa079a6f78b 100644 --- a/src/mongo/db/auth/address_restriction.cpp +++ b/src/mongo/db/auth/address_restriction.cpp 
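Review bot: The downgrade block now verifies that user13's existing restrictions are still enforced after setFeatureCompatibilityVersion 3.4, but nothing in this hunk exercises the new parser behaviour the commit introduces, namely that createUser/updateUser carrying `authenticationRestrictions` is refused while FCV is 3.4; unless another part of the file covers it, add after `sleepUntilUserDataRefreshed();` a check such as `assert.commandFailed(admin.runCommand({createUser: "userX", pwd: "user", roles: [], authenticationRestrictions: [{clientSource: ["127.0.0.1"]}]}));` (user name and address are placeholders). It would also be worth asserting that the same command succeeds again once FCV is set back to 3.6, so the positive side of the gate is covered too. The enclosing test function starts and ends outside the hunk.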
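Review bot: Switching this library from `LIBDEPS` to `LIBDEPS_PRIVATE` stops `authentication_restriction`, `base`, `network` and `idl_parser` from propagating to consumers of the library, so any consumer that reached those headers or symbols only transitively will now need to declare the dependency itself; that cannot be checked from this diff, so it is worth a build of the dependents before merging. Dropping `server_options_core` is consistent with address_restriction.cpp no longer reading `serverGlobalParams`, but user_management_commands_parser.cpp now does, and its library's dependency list is not part of this change — confirm it already links `server_options_core`.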
@@ -74,12 +74,6 @@ mongo::StatusWith<mongo::SharedRestrictionDocument> mongo::parseAuthenticationRe std::unique_ptr<document_type::element_type>>::value, "SharedRestrictionDocument expected to contain a sequence of unique_ptrs"); - if (serverGlobalParams.featureCompatibility.version.load() < - ServerGlobalParams::FeatureCompatibility::Version::k36) { - return Status(ErrorCodes::UnsupportedFormat, - "'authenticationRestrictions' requires 3.6 feature compatibility version"); - } - document_type::sequence_type doc; for (const auto& elem : arr) { if (elem.type() != Object) { @@ -103,12 +97,6 @@ mongo::StatusWith<mongo::BSONArray> mongo::getRawAuthenticationRestrictions( const BSONArray& arr) noexcept try { BSONArrayBuilder builder; - if (serverGlobalParams.featureCompatibility.version.load() < - ServerGlobalParams::FeatureCompatibility::Version::k36) { - return Status(ErrorCodes::UnsupportedFormat, - "'authenticationRestrictions' requires 3.6 feature compatibility version"); - } - for (auto const& elem : arr) { if (elem.type() != Object) { return Status(ErrorCodes::UnsupportedFormat, diff --git a/src/mongo/db/auth/authorization_session_test.cpp b/src/mongo/db/auth/authorization_session_test.cpp index 9cdbe4aa730..e6626c58576 100644 --- a/src/mongo/db/auth/authorization_session_test.cpp +++ b/src/mongo/db/auth/authorization_session_test.cpp 
@@ -572,82 +572,6 @@ TEST_F(AuthorizationSessionTest, UseOldUserInfoInFaceOfConnectivityProblems) { authzSession->isAuthorizedForActionsOnResource(testFooCollResource, ActionType::insert)); } -TEST_F(AuthorizationSessionTest, AcquireUserFailsWithOldFeatureCompatibilityVersion) { - ASSERT_OK(managerState->insertPrivilegeDocument(_opCtx.get(), - BSON("user" - << "spencer" - << "db" - << "test" - << "credentials" - << BSON("MONGODB-CR" - << "a") - << "roles" - << BSON_ARRAY(BSON("role" - << "readWrite" - << "db" - << "test")) - << "authenticationRestrictions" - << BSON_ARRAY(BSON( - "clientSource" - << BSON_ARRAY("192.168.0.0/24" - << "192.168.2.10") - << "serverAddress" - << BSON_ARRAY("192.168.0.2")))), - BSONObj())); - - serverGlobalParams.featureCompatibility.version.store( - ServerGlobalParams::FeatureCompatibility::Version::k34); - - RestrictionEnvironment::set( - session, - stdx::make_unique<RestrictionEnvironment>(SockAddr("192.168.0.6", 5555, AF_UNSPEC), - SockAddr("192.168.0.2", 5555, AF_UNSPEC))); - - ASSERT_NOT_OK(authzSession->addAndAuthorizeUser(_opCtx.get(), UserName("spencer", "test"))); -} - -TEST_F(AuthorizationSessionTest, RefreshRemovesRestrictedUsersDuringFeatureCompatibilityDowngrade) { - ASSERT_OK(managerState->insertPrivilegeDocument( - _opCtx.get(), - BSON("user" - << "spencer" - << "db" - << "test" - << "credentials" - << BSON("MONGODB-CR" - << "a") - << "roles" - << BSON_ARRAY(BSON("role" - << "readWrite" - << "db" - << "test")) - << "authenticationRestrictions" - << BSON_ARRAY(BSON("clientSource" << BSON_ARRAY("192.168.0.0/24") << "serverAddress" - << BSON_ARRAY("192.168.0.2")))), - BSONObj())); - - RestrictionEnvironment::set( - session, - stdx::make_unique<RestrictionEnvironment>(SockAddr("192.168.0.6", 5555, AF_UNSPEC), - SockAddr("192.168.0.2", 5555, AF_UNSPEC))); - - ASSERT_OK(authzSession->addAndAuthorizeUser(_opCtx.get(), UserName("spencer", "test"))); - - serverGlobalParams.featureCompatibility.version.store( - 
ServerGlobalParams::FeatureCompatibility::Version::k34); - - ASSERT_TRUE(authzSession->lookupUser(UserName("spencer", "test"))); - ASSERT_TRUE( - authzSession->isAuthorizedForActionsOnResource(testFooCollResource, ActionType::find)); - - authzManager->invalidateUserCache(); - authzSession->startRequest(_opCtx.get()); - - ASSERT_FALSE(authzSession->lookupUser(UserName("spencer", "test"))); - ASSERT_FALSE( - authzSession->isAuthorizedForActionsOnResource(testFooCollResource, ActionType::find)); -} - TEST_F(AuthorizationSessionTest, AcquireUserObtainsAndValidatesAuthenticationRestrictions) { ASSERT_OK(managerState->insertPrivilegeDocument( _opCtx.get(), diff --git a/src/mongo/db/auth/authz_manager_external_state_local.cpp b/src/mongo/db/auth/authz_manager_external_state_local.cpp index b4a37379529..c391dff44b0 100644 --- a/src/mongo/db/auth/authz_manager_external_state_local.cpp +++ b/src/mongo/db/auth/authz_manager_external_state_local.cpp @@ -31,6 +31,7 @@ #include "mongo/db/auth/authz_manager_external_state_local.h" #include "mongo/base/status.h" +#include "mongo/bson/mutable/algorithm.h" #include "mongo/bson/mutable/document.h" #include "mongo/bson/mutable/element.h" #include "mongo/bson/util/bson_extract.h" 
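Review bot: The added `#include "mongo/bson/mutable/algorithm.h"` has no user visible in this diff — the file's other hunk only deletes the featureCompatibility checks — so unless code outside the shown hunks relies on it (possibly something that previously got it transitively), it is an unused include and should be dropped. If it is needed, a one-line comment naming the helper it provides, or including it in the same hunk as its first use, would make the dependency traceable.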
@@ -197,21 +198,6 @@ Status AuthzManagerExternalStateLocal::getUserDescription(OperationContext* opCt resolveUserRoles(&resultDoc, directRoles); *result = resultDoc.getObject(); - const auto isNonEmptyArray = [](const BSONObj& doc, StringData element) { - const auto& e = doc[element]; - return !e.eoo() && (e.type() == Array) && !e.Obj().isEmpty(); - }; - - if ((isNonEmptyArray(*result, "authenticationRestrictions") || - isNonEmptyArray(*result, "inheritedAuthenticationRestrictions")) && - serverGlobalParams.featureCompatibility.version.load() < - ServerGlobalParams::FeatureCompatibility::Version::k36) { - // Mongos isn't able to evaluate whether documents are valid under the current - // featureCompatibilityVersion. We must make the decision before it sees them. - return Status(ErrorCodes::UnsupportedFormat, - "'authenticationRestrictions' requires 3.6 feature compatibility version"); - } - return Status::OK(); } @@ -300,13 +286,6 @@ Status AuthzManagerExternalStateLocal::_getUserDocument(OperationContext* opCtx, status = Status(ErrorCodes::UserNotFound, mongoutils::str::stream() << "Could not find user " << userName.getFullName()); - } else if ((*userDoc)["authenticationRestrictions"] && - serverGlobalParams.featureCompatibility.version.load() < - ServerGlobalParams::FeatureCompatibility::Version::k36) { - // Mongos isn't able to evaluate whether documents are valid under the current - // featureCompatibilityVersion. We must make the decision before it sees them. - status = Status(ErrorCodes::UnsupportedFormat, - "'authenticationRestrictions' requires 3.6 feature compatibility version"); } return status; } diff --git a/src/mongo/db/auth/user_document_parser_test.cpp b/src/mongo/db/auth/user_document_parser_test.cpp index 12f5bffed87..ae27f0d0c6c 100644 --- a/src/mongo/db/auth/user_document_parser_test.cpp +++ b/src/mongo/db/auth/user_document_parser_test.cpp 
@@ -613,19 +613,6 @@ TEST_F(V2UserDocumentParsing, V2RoleExtraction) { ASSERT_FALSE(roles.more()); } -TEST_F(V2UserDocumentParsing, - V2AuthenticationRestrictionsExtractioniFailsOnOldFeatureCompatibilityVersion) { - serverGlobalParams.featureCompatibility.version.store( - ServerGlobalParams::FeatureCompatibility::Version::k34); - Status status = v2parser.initializeAuthenticationRestrictionsFromUserDocument( - BSON("user" - << "spencer" - << "authenticationRestrictions" - << BSON_ARRAY(BSON("clientSource" << BSON_ARRAY("::1")))), - user.get()); - ASSERT_EQ(ErrorCodes::UnsupportedFormat, status.code()); -} - TEST_F(V2UserDocumentParsing, V2AuthenticationRestrictionsExtraction) { const auto emptyArray = BSONArrayBuilder().arr(); const auto emptyObj = BSONObjBuilder().obj(); diff --git a/src/mongo/db/auth/user_management_commands_parser.cpp b/src/mongo/db/auth/user_management_commands_parser.cpp index 9a7742d14a4..f1ab1f40735 100644 --- a/src/mongo/db/auth/user_management_commands_parser.cpp +++ b/src/mongo/db/auth/user_management_commands_parser.cpp @@ -192,7 +192,10 @@ Status parseCreateOrUpdateUserCommands(const BSONObj& cmdObj, validFieldNames.insert("digestPassword"); validFieldNames.insert("pwd"); validFieldNames.insert("roles"); - validFieldNames.insert("authenticationRestrictions"); + if (serverGlobalParams.featureCompatibility.version.load() >= + ServerGlobalParams::FeatureCompatibility::Version::k36) { + validFieldNames.insert("authenticationRestrictions"); + } Status status = _checkNoExtraFields(cmdObj, cmdName, validFieldNames); if (!status.isOK()) { 
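Review bot: At FCV 3.4 a createUser/updateUser that carries `authenticationRestrictions` is now rejected only as a side effect of `_checkNoExtraFields`, so the client gets a generic unknown-field error instead of the explicit message the removed checks produced; an explicit gate before the insert keeps the diagnostic: `if (cmdObj.hasField("authenticationRestrictions") && serverGlobalParams.featureCompatibility.version.load() < ServerGlobalParams::FeatureCompatibility::Version::k36) return Status(ErrorCodes::UnsupportedFormat, "'authenticationRestrictions' requires 3.6 feature compatibility version");`. The same four-line gate is repeated verbatim in the parseCreateOrUpdateRoleCommands hunk that follows; a file-local helper (a suggested name would be `authenticationRestrictionsEnabled()`) would keep the two in step. The version is read once at parse time, so a setFeatureCompatibilityVersion that lands between this check and the user-document write is not excluded here; presumably the write path handles that, but it is not visible in this diff. Both enclosing functions start and end outside their hunks.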
@@ -490,7 +493,10 @@ Status parseCreateOrUpdateRoleCommands(const BSONObj& cmdObj, validFieldNames.insert(cmdName.toString()); validFieldNames.insert("privileges"); validFieldNames.insert("roles"); - validFieldNames.insert("authenticationRestrictions"); + if (serverGlobalParams.featureCompatibility.version.load() >= + ServerGlobalParams::FeatureCompatibility::Version::k36) { + validFieldNames.insert("authenticationRestrictions"); + } Status status = _checkNoExtraFields(cmdObj, cmdName, validFieldNames); if (!status.isOK()) { |