diff options
author | Amalia Hawkins <amalia.hawkins@10gen.com> | 2015-04-24 11:54:40 -0400 |
---|---|---|
committer | Amalia Hawkins <amalia.hawkins@10gen.com> | 2015-04-28 16:41:22 -0400 |
commit | 3fe79932f7f20a78bd55f879863899c2443ab1a7 (patch) | |
tree | 8a465c8464c57ce323987a261168fe2c7355d0a5 /src/mongo/db/auth | |
parent | fdfd8e79061f9ea12840875290d159dfafdcbc96 (diff) | |
download | mongo-3fe79932f7f20a78bd55f879863899c2443ab1a7.tar.gz |
SERVER-18140: Allow getParameter to be executed locally against an arbiter in an authenticated replica set
Diffstat (limited to 'src/mongo/db/auth')
8 files changed, 41 insertions, 4 deletions
diff --git a/src/mongo/db/auth/SConscript b/src/mongo/db/auth/SConscript index c306fb4d7a4..934bb31496d 100644 --- a/src/mongo/db/auth/SConscript +++ b/src/mongo/db/auth/SConscript @@ -86,7 +86,11 @@ env.Library('authmongod', ['authz_manager_external_state_d.cpp', 'authz_session_external_state_d.cpp', 'auth_index_d.cpp'], - LIBDEPS=['authservercommon', '$BUILD_DIR/mongo/server_parameters']) + LIBDEPS=[ + 'authservercommon', + '$BUILD_DIR/mongo/db/repl/repl_coordinator_global', + '$BUILD_DIR/mongo/server_parameters', + ]) env.Library('authmongos', ['authz_manager_external_state_s.cpp', diff --git a/src/mongo/db/auth/authorization_session.cpp b/src/mongo/db/auth/authorization_session.cpp index b2f934042dd..bcc66f45d17 100644 --- a/src/mongo/db/auth/authorization_session.cpp +++ b/src/mongo/db/auth/authorization_session.cpp @@ -158,11 +158,19 @@ namespace { Privilege(externalDBResource, ActionType::createUser); ActionSet setupServerConfigActionSet; + + // If this server is an arbiter, add specific privileges meant to circumvent + // the behavior of an arbiter in an authenticated replset. See SERVER-5479. + if (_externalState->serverIsArbiter()) { + setupServerConfigActionSet.addAction(ActionType::getCmdLineOpts); + setupServerConfigActionSet.addAction(ActionType::getParameter); + setupServerConfigActionSet.addAction(ActionType::serverStatus); + setupServerConfigActionSet.addAction(ActionType::shutdown); + } + setupServerConfigActionSet.addAction(ActionType::addShard); - setupServerConfigActionSet.addAction(ActionType::getCmdLineOpts); setupServerConfigActionSet.addAction(ActionType::replSetConfigure); setupServerConfigActionSet.addAction(ActionType::replSetGetStatus); - setupServerConfigActionSet.addAction(ActionType::serverStatus); Privilege setupServerConfigPrivilege = Privilege(ResourcePattern::forClusterResource(), setupServerConfigActionSet); diff --git a/src/mongo/db/auth/authz_session_external_state.h b/src/mongo/db/auth/authz_session_external_state.h index 8b22b046bbd..d49e5eb35bf 100644 --- a/src/mongo/db/auth/authz_session_external_state.h +++ b/src/mongo/db/auth/authz_session_external_state.h @@ -67,6 +67,11 @@ namespace mongo { // shouldAllowLocalhost or we could ignore auth checks incorrectly. virtual bool shouldAllowLocalhost() const = 0; + // Returns true if this connection should allow extra server configuration actions under + // the localhost exception. This condition is used to allow special privileges on arbiters. + // See SERVER-5479 for details on when this may be removed. + virtual bool serverIsArbiter() const = 0; + // Should be called at the beginning of every new request. This performs the checks // necessary to determine if localhost connections should be given full access. virtual void startRequest(OperationContext* txn) = 0; diff --git a/src/mongo/db/auth/authz_session_external_state_d.cpp b/src/mongo/db/auth/authz_session_external_state_d.cpp index dc78555b707..65f30b5ce75 100644 --- a/src/mongo/db/auth/authz_session_external_state_d.cpp +++ b/src/mongo/db/auth/authz_session_external_state_d.cpp @@ -36,6 +36,7 @@ #include "mongo/db/instance.h" #include "mongo/db/jsobj.h" #include "mongo/db/operation_context.h" +#include "mongo/db/repl/replication_coordinator_global.h" #include "mongo/scripting/engine.h" #include "mongo/util/assert_util.h" @@ -60,4 +61,11 @@ namespace mongo { AuthzSessionExternalStateServerCommon::shouldIgnoreAuthChecks(); } + bool AuthzSessionExternalStateMongod::serverIsArbiter() const { + // Arbiters have access to extra privileges under localhost. See SERVER-5479. + return (repl::getGlobalReplicationCoordinator()->getReplicationMode() == + repl::ReplicationCoordinator::modeReplSet && + repl::getGlobalReplicationCoordinator()->getMemberState().arbiter()); + } + } // namespace mongo diff --git a/src/mongo/db/auth/authz_session_external_state_d.h b/src/mongo/db/auth/authz_session_external_state_d.h index 0df26d507c7..8af5cc41e61 100644 --- a/src/mongo/db/auth/authz_session_external_state_d.h +++ b/src/mongo/db/auth/authz_session_external_state_d.h @@ -47,6 +47,8 @@ namespace mongo { virtual bool shouldIgnoreAuthChecks() const; + virtual bool serverIsArbiter() const; + virtual void startRequest(OperationContext* txn); }; diff --git a/src/mongo/db/auth/authz_session_external_state_mock.h b/src/mongo/db/auth/authz_session_external_state_mock.h index 0acc98366ea..6e26c1bbceb 100644 --- a/src/mongo/db/auth/authz_session_external_state_mock.h +++ b/src/mongo/db/auth/authz_session_external_state_mock.h @@ -44,7 +44,7 @@ namespace mongo { public: AuthzSessionExternalStateMock(AuthorizationManager* authzManager) : AuthzSessionExternalState(authzManager), _ignoreAuthChecksReturnValue(false), - _allowLocalhostReturnValue(false) {} + _allowLocalhostReturnValue(false), _serverIsArbiterReturnValue(false) {} virtual bool shouldIgnoreAuthChecks() const { return _ignoreAuthChecksReturnValue; @@ -54,6 +54,10 @@ namespace mongo { return _allowLocalhostReturnValue; } + virtual bool serverIsArbiter() const { + return _serverIsArbiterReturnValue; + } + void setReturnValueForShouldIgnoreAuthChecks(bool returnValue) { _ignoreAuthChecksReturnValue = returnValue; } @@ -67,6 +71,7 @@ namespace mongo { private: bool _ignoreAuthChecksReturnValue; bool _allowLocalhostReturnValue; + bool _serverIsArbiterReturnValue; }; } // namespace mongo diff --git a/src/mongo/db/auth/authz_session_external_state_server_common.cpp b/src/mongo/db/auth/authz_session_external_state_server_common.cpp index 4ffc69d59e7..453980e19f7 100644 --- a/src/mongo/db/auth/authz_session_external_state_server_common.cpp +++ b/src/mongo/db/auth/authz_session_external_state_server_common.cpp @@ -75,6 +75,10 @@ namespace { } } + bool AuthzSessionExternalStateServerCommon::serverIsArbiter() const { + return false; + } + bool AuthzSessionExternalStateServerCommon::shouldAllowLocalhost() const { ClientBasic* client = ClientBasic::getCurrent(); return _allowLocalhost && client->getIsLocalHostConnection(); diff --git a/src/mongo/db/auth/authz_session_external_state_server_common.h b/src/mongo/db/auth/authz_session_external_state_server_common.h index 59599a6befd..f96035dcade 100644 --- a/src/mongo/db/auth/authz_session_external_state_server_common.h +++ b/src/mongo/db/auth/authz_session_external_state_server_common.h @@ -46,6 +46,7 @@ namespace mongo { virtual bool shouldAllowLocalhost() const; virtual bool shouldIgnoreAuthChecks() const; + virtual bool serverIsArbiter() const; protected: AuthzSessionExternalStateServerCommon(AuthorizationManager* authzManager); |