SERVER-9518 Implement functions in mongos and mongod for locking authorization data

5 files changed, 36 insertions, 4 deletions

diff --git a/src/mongo/db/auth/authz_manager_external_state.h b/src/mongo/db/auth/authz_manager_external_state.h
index 19fa865abe2..0769c2bf98f 100644
--- a/src/mongo/db/auth/authz_manager_external_state.h
+++ b/src/mongo/db/auth/authz_manager_external_state.h
@@ -154,12 +154,14 @@ namespace mongo {
          * to authorization, namely the admin.system.users, admin.system.roles, and
          * admin.system.version collections.  This serializes all writers to the authorization
          * documents, but does not impact readers.
+         * This can only be called when already in the AuthorizationManager's _lock.
          */
         virtual bool tryAcquireAuthzUpdateLock() = 0;
 
         /**
          * Releases the lock guarding modifications to persistent authorization data, which must
          * already be held.
+         * This can only be called when already in the AuthorizationManager's _lock.
          */
         virtual void releaseAuthzUpdateLock() = 0;
 
diff --git a/src/mongo/db/auth/authz_manager_external_state_d.cpp b/src/mongo/db/auth/authz_manager_external_state_d.cpp
index 72e01e5f29e..9afc9784bc3 100644
--- a/src/mongo/db/auth/authz_manager_external_state_d.cpp
+++ b/src/mongo/db/auth/authz_manager_external_state_d.cpp
@@ -28,6 +28,9 @@
 
 #include "mongo/db/auth/authz_manager_external_state_d.h"
 
+#include <string>
+#include <boost/thread/mutex.hpp>
+
 #include "mongo/base/status.h"
 #include "mongo/db/auth/authorization_manager.h"
 #include "mongo/db/auth/user_name.h"
@@ -232,11 +235,11 @@ namespace {
     }
 
     bool AuthzManagerExternalStateMongod::tryAcquireAuthzUpdateLock() {
-        fassertFailed(17099);
+        return _authzDataUpdateLock.try_lock();
     }
 
     void AuthzManagerExternalStateMongod::releaseAuthzUpdateLock() {
-        fassertFailed(17100);
+        return _authzDataUpdateLock.unlock();
     }
 
 } // namespace mongo
diff --git a/src/mongo/db/auth/authz_manager_external_state_d.h b/src/mongo/db/auth/authz_manager_external_state_d.h
index a9c050be5cb..ebb2b4fb022 100644
--- a/src/mongo/db/auth/authz_manager_external_state_d.h
+++ b/src/mongo/db/auth/authz_manager_external_state_d.h
@@ -28,6 +28,7 @@
 
 #pragma once
 
+#include <boost/thread/mutex.hpp>
 #include <string>
 
 #include "mongo/base/disallow_copying.h"
@@ -86,6 +87,9 @@ namespace mongo {
         virtual Status _findUser(const string& usersNamespace,
                                  const BSONObj& query,
                                  BSONObj* result);
+
+    private:
+        boost::mutex _authzDataUpdateLock;
     };
 
 } // namespace mongo
diff --git a/src/mongo/db/auth/authz_manager_external_state_s.cpp b/src/mongo/db/auth/authz_manager_external_state_s.cpp
index 79bda6f4f8b..96a4894c06f 100644
--- a/src/mongo/db/auth/authz_manager_external_state_s.cpp
+++ b/src/mongo/db/auth/authz_manager_external_state_s.cpp
@@ -28,12 +28,15 @@
 
 #include "mongo/db/auth/authz_manager_external_state_s.h"
 
+#include <boost/scoped_ptr.hpp>
 #include <string>
 
 #include "mongo/client/dbclientinterface.h"
+#include "mongo/client/distlock.h"
 #include "mongo/db/auth/authorization_manager.h"
 #include "mongo/db/auth/user_name.h"
 #include "mongo/db/jsobj.h"
+#include "mongo/s/config.h"
 #include "mongo/s/type_database.h"
 #include "mongo/s/grid.h"
 #include "mongo/util/assert_util.h"
@@ -46,6 +49,7 @@ namespace {
 }
 
     AuthzManagerExternalStateMongos::AuthzManagerExternalStateMongos() {}
+
     AuthzManagerExternalStateMongos::~AuthzManagerExternalStateMongos() {}
 
     namespace {
@@ -259,11 +263,25 @@ namespace {
     }
 
     bool AuthzManagerExternalStateMongos::tryAcquireAuthzUpdateLock() {
-        fassertFailed(17109);
+        if (_authzDataUpdateLock.get()) {
+            return false;
+        }
+        _authzDataUpdateLock.reset(new ScopedDistributedLock(
+                configServer.getConnectionString(), "authorizationData"));
+
+        std::string errmsg;
+        if (!_authzDataUpdateLock->tryAcquire(&errmsg)) {
+            warning() <<
+                    "Error while attempting to acquire distributed lock for user modification: " <<
+                    errmsg << endl;
+            _authzDataUpdateLock.reset();
+            return false;
+        }
+        return true;
     }
 
     void AuthzManagerExternalStateMongos::releaseAuthzUpdateLock() {
-        fassertFailed(17110);
+        _authzDataUpdateLock.reset();
     }
 
 } // namespace mongo
diff --git a/src/mongo/db/auth/authz_manager_external_state_s.h b/src/mongo/db/auth/authz_manager_external_state_s.h
index 903143e707f..baec4d73dca 100644
--- a/src/mongo/db/auth/authz_manager_external_state_s.h
+++ b/src/mongo/db/auth/authz_manager_external_state_s.h
@@ -28,10 +28,12 @@
 
 #pragma once
 
+#include <boost/scoped_ptr.hpp>
 #include <string>
 
 #include "mongo/base/disallow_copying.h"
 #include "mongo/base/status.h"
+#include "mongo/client/distlock.h"
 #include "mongo/db/auth/authz_manager_external_state.h"
 #include "mongo/db/auth/user_name.h"
 
@@ -86,6 +88,9 @@ namespace mongo {
         virtual Status _findUser(const string& usersNamespace,
                                  const BSONObj& query,
                                  BSONObj* result);
+
+    private:
+        scoped_ptr<ScopedDistributedLock> _authzDataUpdateLock;
     };
 
 } // namespace mongo