SERVER-21378 add setParameter startupAuthSchemaValidation used to bypass auth metadata startup validation checks

4 files changed, 68 insertions, 25 deletions

diff --git a/src/mongo/db/auth/authorization_manager.cpp b/src/mongo/db/auth/authorization_manager.cpp
index 12d8cf45b9e..69cba1e9733 100644
--- a/src/mongo/db/auth/authorization_manager.cpp
+++ b/src/mongo/db/auth/authorization_manager.cpp
@@ -268,6 +268,14 @@ std::unique_ptr<AuthorizationSession> AuthorizationManager::makeAuthorizationSes
         _externalState->makeAuthzSessionExternalState(this));
 }
 
+void AuthorizationManager::setShouldValidateAuthSchemaOnStartup(bool validate) {
+    _startupAuthSchemaValidation = validate;
+}
+
+bool AuthorizationManager::shouldValidateAuthSchemaOnStartup() {
+    return _startupAuthSchemaValidation;
+}
+
 Status AuthorizationManager::getAuthorizationVersion(OperationContext* txn, int* version) {
     CacheGuard guard(this, CacheGuard::fetchSynchronizationManual);
     int newVersion = _version;
diff --git a/src/mongo/db/auth/authorization_manager.h b/src/mongo/db/auth/authorization_manager.h
index 995207723c8..028b0478171 100644
--- a/src/mongo/db/auth/authorization_manager.h
+++ b/src/mongo/db/auth/authorization_manager.h
@@ -165,6 +165,16 @@ public:
     std::unique_ptr<AuthorizationSession> makeAuthorizationSession();
 
     /**
+     * Sets whether or not startup AuthSchema validation checks should be applied in this manager.
+     */
+    void setShouldValidateAuthSchemaOnStartup(bool validate);
+
+    /**
+     * Returns true if startup AuthSchema validation checks should be applied in this manager.
+     */
+    bool shouldValidateAuthSchemaOnStartup();
+
+    /**
      * Sets whether or not access control enforcement is enabled for this manager.
      */
     void setAuthEnabled(bool enabled);
@@ -351,6 +361,14 @@ private:
                         std::unique_ptr<User>* acquiredUser);
 
     /**
+     * True if AuthSchema startup checks should be applied in this AuthorizationManager.
+     *
+     * Defaults to true.  Changes to its value are not synchronized, so it should only be set
+     * at initalization-time.
+     */
+    bool _startupAuthSchemaValidation;
+
+    /**
      * True if access control enforcement is enabled in this AuthorizationManager.
      *
      * Defaults to false.  Changes to its value are not synchronized, so it should only be set
diff --git a/src/mongo/db/auth/authorization_manager_global.cpp b/src/mongo/db/auth/authorization_manager_global.cpp
index 66ceab0bc08..07a391bc02e 100644
--- a/src/mongo/db/auth/authorization_manager_global.cpp
+++ b/src/mongo/db/auth/authorization_manager_global.cpp
@@ -87,6 +87,8 @@ AuthorizationManager* getGlobalAuthorizationManager() {
     return globalAuthManager;
 }
 
+MONGO_EXPORT_STARTUP_SERVER_PARAMETER(startupAuthSchemaValidation, bool, true);
+
 MONGO_INITIALIZER_WITH_PREREQUISITES(CreateAuthorizationManager,
                                      ("SetupInternalSecurityUser",
                                       "OIDGeneration",
@@ -98,6 +100,7 @@ MONGO_INITIALIZER_WITH_PREREQUISITES(CreateAuthorizationManager,
         stdx::make_unique<AuthorizationManager>(AuthzManagerExternalState::create());
     authzManager->setAuthEnabled(serverGlobalParams.authState ==
                                  ServerGlobalParams::AuthState::kEnabled);
+    authzManager->setShouldValidateAuthSchemaOnStartup(startupAuthSchemaValidation);
     AuthorizationManager::set(getGlobalServiceContext(), std::move(authzManager));
     return Status::OK();
 }
diff --git a/src/mongo/db/db.cpp b/src/mongo/db/db.cpp
index 92049d1f2a6..e18b60efb17 100644
--- a/src/mongo/db/db.cpp
+++ b/src/mongo/db/db.cpp
@@ -679,32 +679,46 @@ static void _initAndListen(int listenPort) {
 #ifndef _WIN32
         mongo::signalForkSuccess();
 #endif
+        AuthorizationManager* globalAuthzManager = getGlobalAuthorizationManager();
+        if (globalAuthzManager->shouldValidateAuthSchemaOnStartup()) {
+            Status status = authindex::verifySystemIndexes(startupOpCtx.get());
+            if (!status.isOK()) {
+                log() << status.reason();
+                exitCleanly(EXIT_NEED_UPGRADE);
+            }
 
-        Status status = authindex::verifySystemIndexes(startupOpCtx.get());
-        if (!status.isOK()) {
-            log() << status.reason();
-            exitCleanly(EXIT_NEED_UPGRADE);
-        }
-
-        // SERVER-14090: Verify that auth schema version is schemaVersion26Final.
-        int foundSchemaVersion;
-        status = getGlobalAuthorizationManager()->getAuthorizationVersion(startupOpCtx.get(),
-                                                                          &foundSchemaVersion);
-        if (!status.isOK()) {
-            log() << "Auth schema version is incompatible: "
-                  << "User and role management commands require auth data to have "
-                  << "at least schema version " << AuthorizationManager::schemaVersion26Final
-                  << " but startup could not verify schema version: " << status.toString() << endl;
-            exitCleanly(EXIT_NEED_UPGRADE);
-        }
-        if (foundSchemaVersion < AuthorizationManager::schemaVersion26Final) {
-            log() << "Auth schema version is incompatible: "
-                  << "User and role management commands require auth data to have "
-                  << "at least schema version " << AuthorizationManager::schemaVersion26Final
-                  << " but found " << foundSchemaVersion << ". In order to upgrade "
-                  << "the auth schema, first downgrade MongoDB binaries to version "
-                  << "2.6 and then run the authSchemaUpgrade command." << endl;
-            exitCleanly(EXIT_NEED_UPGRADE);
+            // SERVER-14090: Verify that auth schema version is schemaVersion26Final.
+            int foundSchemaVersion;
+            status = globalAuthzManager->getAuthorizationVersion(startupOpCtx.get(),
+                                                                 &foundSchemaVersion);
+            if (!status.isOK()) {
+                log() << "Auth schema version is incompatible: "
+                      << "User and role management commands require auth data to have "
+                      << "at least schema version " << AuthorizationManager::schemaVersion26Final
+                      << " but startup could not verify schema version: " << status.toString()
+                      << endl;
+                exitCleanly(EXIT_NEED_UPGRADE);
+            }
+            if (foundSchemaVersion < AuthorizationManager::schemaVersion26Final) {
+                log() << "Auth schema version is incompatible: "
+                      << "User and role management commands require auth data to have "
+                      << "at least schema version " << AuthorizationManager::schemaVersion26Final
+                      << " but found " << foundSchemaVersion << ". In order to upgrade "
+                      << "the auth schema, first downgrade MongoDB binaries to version "
+                      << "2.6 and then run the authSchemaUpgrade command." << endl;
+                exitCleanly(EXIT_NEED_UPGRADE);
+            }
+        } else if (globalAuthzManager->isAuthEnabled()) {
+            error() << "Auth must be disabled when starting without auth schema validation";
+            exitCleanly(EXIT_BADOPTIONS);
+        } else {
+            // If authSchemaValidation is disabled and server is running without auth,
+            // warn the user and continue startup without authSchema metadata checks.
+            log() << startupWarningsLog;
+            log() << "** WARNING: Startup auth schema validation checks are disabled for the "
+                     "database." << startupWarningsLog;
+            log() << "**          This mode should only be used to manually repair corrupted auth "
+                     "data." << startupWarningsLog;
         }
 
         getDeleter()->startWorkers();