author | Andreas Nilsson <andreas.nilsson@10gen.com> | 2013-10-28 17:44:18 -0400 |
---|---|---|
committer | Andreas Nilsson <andreas.nilsson@10gen.com> | 2013-10-29 09:14:54 -0400 |
commit | f64377ea68e0f0003639672b886fc9e7be37942c (patch) | |
tree | 392c74cdc83b9b389a322fd8f5444d8fb2e01997 /src/mongo/db/commands/authentication_commands.cpp | |
parent | 202fe3e238fc378656482291d724728786581a2b (diff) | |
SERVER-10353 Option to disable MONGODB-X509, server portion
Diffstat (limited to 'src/mongo/db/commands/authentication_commands.cpp')
-rw-r--r-- | src/mongo/db/commands/authentication_commands.cpp | 26 |
1 files changed, 20 insertions, 6 deletions
diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp
index bfb15aff3a5..d8857a1845a 100644
--- a/src/mongo/db/commands/authentication_commands.cpp
+++ b/src/mongo/db/commands/authentication_commands.cpp
@@ -54,11 +54,21 @@ namespace mongo {
- static bool _areNonceAuthenticateCommandsEnabled = true;
- static const char _nonceAuthenticateCommandsDisabledMessage[] =
+ static bool _isCRAuthDisabled;
+ static bool _isX509AuthDisabled;
+ static const char _nonceAuthenticationDisabledMessage[] =
 "Challenge-response authentication using getnonce and authenticate commands is disabled.";
-
- void CmdAuthenticate::disableCommand() { _areNonceAuthenticateCommandsEnabled = false; }
+ static const char _x509AuthenticationDisabledMessage[] =
+ "x.509 authentication is disabled.";
+
+ void CmdAuthenticate::disableAuthMechanism(std::string authMechanism) {
+ if (authMechanism == "MONGODB-CR") {
+ _isCRAuthDisabled = true;
+ }
+ if (authMechanism == "MONGODB-X509") {
+ _isX509AuthDisabled = true;
+ }
+ }
 /* authentication
@@ -171,11 +181,11 @@ namespace mongo {
 "Mechanism x509 is required for internal cluster authentication");
 }
- if (!_areNonceAuthenticateCommandsEnabled) {
+ if (_isCRAuthDisabled) {
 // SERVER-8461, MONGODB-CR must be enabled for authenticating the internal user, so that
 // cluster members may communicate with each other.
 if (user != internalSecurity.user->getName()) {
- return Status(ErrorCodes::BadValue, _nonceAuthenticateCommandsDisabledMessage);
+ return Status(ErrorCodes::BadValue, _nonceAuthenticationDisabledMessage);
 }
 }
@@ -285,6 +295,10 @@ namespace mongo {
 }
 // Handle normal client authentication, only applies to client-server connections
 else {
+ if (_isX509AuthDisabled) {
+ return Status(ErrorCodes::BadValue,
+ _x509AuthenticationDisabledMessage);
+ }
 Status status = authorizationSession->addAndAuthorizeUser(user);
 if (!status.isOK()) {
 return status; |
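Review bot: `disableAuthMechanism` in the first hunk silently ignores any name other than the two string literals, so a misspelled or differently-cased mechanism passed by its caller would leave that mechanism enabled with no error, which is a security control failing open. The caller is not visible here; unless it validates the name first, the function should report the unrecognised value, for example by returning a status or by ending the chain with an `else` that logs the name and refuses to continue. The parameter is also copied on every call and could be `const std::string& authMechanism` (the declaration in the header, outside this diff, would change with it). The two new flags rely on static zero-initialisation where the flag they replace had an explicit initializer; `static bool _isX509AuthDisabled = false;` states the secure-by-default intent directly.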
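Review bot: The `_isX509AuthDisabled` check in the last hunk sits only inside the client `else` branch, so whatever the preceding branch accepts (it closes just above the hunk, and is presumably the cluster-member path) still authenticates with x.509 after the mechanism is disabled. If that exemption is intended, as the SERVER-8461 comment documents for MONGODB-CR, it should be documented here too, e.g. `// Disabling MONGODB-X509 only rejects client connections; cluster members may still authenticate.` The rejection also returns without any visible log line, so a disabled mechanism that is still being attempted leaves no trace for operators unless the caller records the returned status. The enclosing function starts and ends outside the hunk, so both points should be confirmed against the full body.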