authorAndreas Nilsson <andreas.nilsson@10gen.com>2014-02-18 10:20:33 -0500
committerAndreas Nilsson <andreas.nilsson@10gen.com>2014-02-19 15:34:35 -0500
commit28327ab66e97d3319ca2baf001385a38825da84c (patch)
tree5b8d44bb8c568b0cea1c3f9550de8bd4fcaaea42 /src/mongo/db/auth
parent9b93e7e43e279e2458d8e624750b561875611c18 (diff)
downloadmongo-28327ab66e97d3319ca2baf001385a38825da84c.tar.gz
SERVER-12476 Set internalAuth params when changing clusterAuthMode
Diffstat (limited to 'src/mongo/db/auth')
-rw-r--r--src/mongo/db/auth/authorization_manager.h1
-rw-r--r--src/mongo/db/auth/security_key.cpp27
-rw-r--r--src/mongo/db/auth/security_key.h5
3 files changed, 18 insertions, 15 deletions
diff --git a/src/mongo/db/auth/authorization_manager.h b/src/mongo/db/auth/authorization_manager.h
index 18419090902..589f20ad59f 100644
--- a/src/mongo/db/auth/authorization_manager.h
+++ b/src/mongo/db/auth/authorization_manager.h
@@ -58,7 +58,6 @@ namespace mongo {
*/
struct AuthInfo {
User* user;
- BSONObj authParams;
};
extern AuthInfo internalSecurity; // set at startup and not changed after initialization.
diff --git a/src/mongo/db/auth/security_key.cpp b/src/mongo/db/auth/security_key.cpp
index 382086609e0..ee26889ad5b 100644
--- a/src/mongo/db/auth/security_key.cpp
+++ b/src/mongo/db/auth/security_key.cpp
@@ -40,24 +40,24 @@
#include "mongo/client/sasl_client_authenticate.h"
#include "mongo/util/password_digest.h"
-static bool authParamsSet = false;
-
namespace mongo {
+ // not guarded by the authParams mutex never changed in
+ // multi-threaded operation
+ static bool authParamsSet = false;
+ // guarded by the authParams mutex
+ static BSONObj authParams;
+ static boost::mutex authParamMutex;
bool isInternalAuthSet() {
return authParamsSet;
}
- bool setInternalUserAuthParams(BSONObj authParams) {
+ void setInternalUserAuthParams(const BSONObj& authParamsIn) {
if (!isInternalAuthSet()) {
- internalSecurity.authParams = authParams.copy();
authParamsSet = true;
- return true;
- }
- else {
- log() << "Internal auth params have already been set" << endl;
- return false;
}
+ boost::mutex::scoped_lock lk(authParamMutex);
+ authParams = authParamsIn.copy();
}
bool authenticateInternalUser(DBClientWithCommands* conn){
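Review bot: In setInternalUserAuthParams, `authParamsSet = true;` is written before `authParams` is assigned and outside `authParamMutex`. A thread in authenticateInternalUser (second hunk of this file) that passes the isInternalAuthSet() check in that window would copy a still-empty `authParams` and hand it to `conn->auth()`. The added comment says the flag never changes in multi-threaded operation, but this commit exists to change clusterAuthMode at runtime, so that assumption should be confirmed against the callers. Setting the flag last and under the lock removes the dependency on it: `boost::mutex::scoped_lock lk(authParamMutex); authParams = authParamsIn.copy(); authParamsSet = true;`. The removed "already been set" log line also means that replacing the internal credentials is now silent; a log entry on each change would help when auditing cluster auth transitions.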
@@ -65,8 +65,13 @@ namespace mongo {
log() << "ERROR: No authentication params set for internal user" << endl;
return false;
}
- try {
- conn->auth(internalSecurity.authParams);
+ try {
+ BSONObj outgoingAuthParams;
+ {
+ boost::mutex::scoped_lock lk(authParamMutex);
+ outgoingAuthParams = authParams.copy();
+ }
+ conn->auth(outgoingAuthParams);
return true;
} catch(const UserException& ex) {
log() << "can't authenticate to " << conn->toString() << " as internal user, error: "
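Review bot: The inner scope around `authParamMutex` has no comment saying why the params are copied out before `conn->auth()` runs, so a later cleanup could widen the lock to cover the call. Suggest adding `// Copy under the lock; authParamMutex must not be held across conn->auth().` above the inner block, since that call presumably performs a network round trip. The isInternalAuthSet() check guarding this path sits above the hunk and is not taken under the mutex.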
diff --git a/src/mongo/db/auth/security_key.h b/src/mongo/db/auth/security_key.h
index 94f80f2c65a..298a5cf0906 100644
--- a/src/mongo/db/auth/security_key.h
+++ b/src/mongo/db/auth/security_key.h
@@ -40,10 +40,9 @@ namespace mongo {
/**
* This method initializes the internalSecurity object with authentication
- * credentials to be used by authenticateInternalUser. This method should
- * only be called once when setting up authentication method for the system.
+ * credentials to be used by authenticateInternalUser.
*/
- extern bool setInternalUserAuthParams(BSONObj authParams);
+ extern void setInternalUserAuthParams(const BSONObj& authParamsIn);
/**
* This method authenticates to another cluster member using appropriate
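Review bot: The doc comment still says the method "initializes the internalSecurity object", but this commit removes `authParams` from `AuthInfo` and keeps the credentials in a file-static in security_key.cpp, so the description no longer matches the code. With the "only be called once" sentence dropped, the comment should state the new contract instead, for example `* Stores the credentials used by authenticateInternalUser. May be called again to replace them.` It is also worth saying that the stored copy is guarded by a mutex shared with authenticateInternalUser, so callers know which part of the update is synchronized.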