author | Andy Schwerin <schwerin@10gen.com> | 2013-07-03 15:00:29 -0400 |
---|---|---|
committer | Andy Schwerin <schwerin@10gen.com> | 2013-07-03 15:40:53 -0400 |
commit | 95efa9a5dd492f8abc85e412aaec9163c7a93ad2 (patch) | |
tree | 1b2f3e62c51adb935fa31233e9dca0e6e820c45e /src/mongo | |
parent | de8ae2e2d4fa654b1ef2fbf840eeb05b24730e07 (diff) | |
download | mongo-95efa9a5dd492f8abc85e412aaec9163c7a93ad2.tar.gz |
Reapply "SERVER-7455 Common internal cluster auth function"
This reverts commit cd3101ca2f8e539a4ad425fa8e6da55a935dd2b1, but fixes a symbol
misplacement that broke linking.
Diffstat (limited to 'src/mongo')
-rw-r--r-- | src/mongo/SConscript | 2 | ||||
-rw-r--r-- | src/mongo/db/auth/authorization_session.cpp | 1 | ||||
-rw-r--r-- | src/mongo/db/auth/authz_manager_external_state.cpp | 1 | ||||
-rw-r--r-- | src/mongo/db/auth/security_key.cpp | 14 | ||||
-rw-r--r-- | src/mongo/db/auth/security_key.h | 9 | ||||
-rw-r--r-- | src/mongo/db/commands/authentication_commands.cpp | 1 | ||||
-rw-r--r-- | src/mongo/db/commands/isself.cpp | 3 | ||||
-rw-r--r-- | src/mongo/db/repl/connections.h | 7 | ||||
-rw-r--r-- | src/mongo/db/repl/oplogreader.cpp | 35 | ||||
-rw-r--r-- | src/mongo/db/repl/sync_source_feedback.cpp | 35 | ||||
-rw-r--r-- | src/mongo/s/shard.cpp | 7 |
11 files changed, 62 insertions, 53 deletions
diff --git a/src/mongo/SConscript b/src/mongo/SConscript
index bdeb82b5a2b..ed2cccb461c 100644
--- a/src/mongo/SConscript
+++ b/src/mongo/SConscript
@@ -858,7 +858,7 @@ if shellEnv is not None:
 mongo_shell = shellEnv.Program(
 "mongo",
 coreShellFiles,
- LIBDEPS=[ "db/auth/authcore","clientandshell", "mongocommon", "scripting",
+ LIBDEPS=[ "clientandshell", "mongocommon", "scripting",
 "$BUILD_DIR/third_party/shim_pcrecpp"] + env['MODULE_LIBDEPS_MONGOSHELL'] )
 shellEnv.Install( '#/', mongo_shell )
diff --git a/src/mongo/db/auth/authorization_session.cpp b/src/mongo/db/auth/authorization_session.cpp
index 24f28251f27..50e79501b0c 100644
--- a/src/mongo/db/auth/authorization_session.cpp
+++ b/src/mongo/db/auth/authorization_session.cpp
@@ -28,6 +28,7 @@
 #include "mongo/db/auth/principal_set.h"
 #include "mongo/db/auth/privilege.h"
 #include "mongo/db/auth/privilege_set.h"
+#include "mongo/db/auth/security_key.h"
 #include "mongo/db/client.h"
 #include "mongo/db/jsobj.h"
 #include "mongo/db/namespacestring.h"
diff --git a/src/mongo/db/auth/authz_manager_external_state.cpp b/src/mongo/db/auth/authz_manager_external_state.cpp
index 128b5436a2f..a2cf986ab99 100644
--- a/src/mongo/db/auth/authz_manager_external_state.cpp
+++ b/src/mongo/db/auth/authz_manager_external_state.cpp
@@ -18,6 +18,7 @@
 #include "mongo/base/status.h"
 #include "mongo/db/auth/authorization_manager.h"
+#include "mongo/db/auth/security_key.h"
 #include "mongo/db/jsobj.h"
 #include "mongo/db/namespacestring.h"
 #include "mongo/util/mongoutils/str.h"
diff --git a/src/mongo/db/auth/security_key.cpp b/src/mongo/db/auth/security_key.cpp
index c5f85bee877..82b82cd6c47 100644
--- a/src/mongo/db/auth/security_key.cpp
+++ b/src/mongo/db/auth/security_key.cpp
@@ -20,7 +20,6 @@
 #include <string>
 #include <vector>
-#include "mongo/client/dbclientinterface.h"
 #include "mongo/db/auth/action_set.h"
 #include "mongo/db/auth/action_type.h"
 #include "mongo/db/auth/authorization_manager.h"
@@ -29,6 +28,19 @@ namespace mongo {
+ bool authenticateInternalUser(DBClientWithCommands* conn){
+ string err;
+ if( !conn->auth("local",
+ internalSecurity.user,
+ internalSecurity.pwd,
+ err,
+ false) ) {
+ log() << "can't authenticate as internal user, error: " << err << endl;
+ return false;
+ }
+ return true;
+ }
+
 bool setUpSecurityKey(const string& filename) {
 struct stat stats;
diff --git a/src/mongo/db/auth/security_key.h b/src/mongo/db/auth/security_key.h
index e261123dcea..f5c44c17911 100644
--- a/src/mongo/db/auth/security_key.h
+++ b/src/mongo/db/auth/security_key.h
@@ -18,9 +18,18 @@
 #include <string>
+#include "mongo/client/dbclientinterface.h"
+
 namespace mongo {
 /**
+ * This method authenticates to another cluster member using appropriate
+ * authentication data
+ * @return true if the authentication was succesful
+ */
+ extern bool authenticateInternalUser(DBClientWithCommands* conn);
+
+ /**
 * This method checks the validity of filename as a security key, hashes its
 * contents, and stores it in the internalSecurity variable. Prints an
 * error message to the logs if there's an error.
diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp
index 3372fe40c60..1f89d79c0d9 100644
--- a/src/mongo/db/commands/authentication_commands.cpp
+++ b/src/mongo/db/commands/authentication_commands.cpp
@@ -29,6 +29,7 @@
 #include "mongo/db/auth/authorization_session.h"
 #include "mongo/db/auth/mongo_authentication_session.h"
 #include "mongo/db/auth/privilege.h"
+#include "mongo/db/auth/security_key.h"
 #include "mongo/db/client_basic.h"
 #include "mongo/db/commands.h"
 #include "mongo/db/jsobj.h"
diff --git a/src/mongo/db/commands/isself.cpp b/src/mongo/db/commands/isself.cpp
index a33c0f8e7a7..055f966c3fe 100644
--- a/src/mongo/db/commands/isself.cpp
+++ b/src/mongo/db/commands/isself.cpp
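Review bot: The trailing `false` handed to `conn->auth(...)` in the new `authenticateInternalUser` is an undocumented boolean at the only place in the tree that will now make this call, and the `err` text is discarded after the `log()` line, so callers that used to receive the failure reason through their own local now get nothing back. A comment on the call would carry the intent, e.g. `// internalSecurity.pwd already holds the digest produced by setUpSecurityKey (see security_key.h); pass false so auth() does not digest it again` — the header comment on this page says setUpSecurityKey hashes the key contents, but the exact meaning of that flag should be confirmed against DBClientWithCommands::auth before the comment is committed. Also `string err` is unqualified here while the oplogreader.cpp hunk of the same commit moves to `std::string`; one spelling across the new code would be cleaner.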
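Review bot: The new declaration uses `DBClientWithCommands` only through a pointer, so a forward declaration `class DBClientWithCommands;` would do and would avoid pulling `mongo/client/dbclientinterface.h` into every translation unit that includes security_key.h, which after this commit is at least the five call sites plus the two authz files. The doc comment should also say that on failure the reason is only logged, not returned, because the connections.h and shard.cpp call sites keep an `err` local that this function never fills; `succesful` is misspelled as well. Suggested wording: `Authenticates conn as the internal cluster user (internalSecurity.user/pwd). On failure the error text is logged, not returned to the caller. @return true if authentication succeeded`.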
@@ -25,6 +25,7 @@
 #include "mongo/db/auth/action_type.h"
 #include "mongo/db/auth/authorization_manager.h"
 #include "mongo/db/auth/privilege.h"
+#include "mongo/db/auth/security_key.h"
 #include "mongo/db/jsobj.h"
 #include "../../util/net/listen.h"
 #include "../commands.h"
@@ -244,7 +245,7 @@ namespace mongo {
 }
 if (AuthorizationManager::isAuthEnabled() && !cmdLine.keyFile.empty() ) {
- if (!conn.auth("local", internalSecurity.user, internalSecurity.pwd, errmsg, false)) {
+ if (!authenticateInternalUser(&conn)) {
 return false;
 }
 }
diff --git a/src/mongo/db/repl/connections.h b/src/mongo/db/repl/connections.h
index 0ebc162eed1..753c28f42f3 100644
--- a/src/mongo/db/repl/connections.h
+++ b/src/mongo/db/repl/connections.h
@@ -21,6 +21,7 @@
 #include <map>
 #include "mongo/db/auth/authorization_manager.h"
+#include "mongo/db/auth/security_key.h"
 #include "mongo/db/repl/rs.h" // extern Tee* rslog
 namespace mongo {
@@ -128,11 +129,7 @@ namespace mongo {
 // be rebooting. if their file has to change, they'll be rebooted so the
 // connection created above will go dead, reconnect, and reauth.
 if (AuthorizationManager::isAuthEnabled()) {
- if (!connInfo->cc->auth("local",
- internalSecurity.user,
- internalSecurity.pwd,
- err,
- false)) {
+ if (!authenticateInternalUser(connInfo->cc.get())) {
 log() << "could not authenticate against " << _hostport << ", " << err << rsLog;
 return false;
 }
diff --git a/src/mongo/db/repl/oplogreader.cpp b/src/mongo/db/repl/oplogreader.cpp
index b2154ba0868..994ea872a30 100644
--- a/src/mongo/db/repl/oplogreader.cpp
+++ b/src/mongo/db/repl/oplogreader.cpp
@@ -21,9 +21,9 @@
 #include "mongo/base/counter.h"
 #include "mongo/client/dbclientinterface.h"
-#include "mongo/db/auth/authorization_manager.h"
 #include "mongo/db/auth/authorization_session.h"
 #include "mongo/db/commands/server_status.h"
+#include "mongo/db/auth/security_key.h"
 #include "mongo/db/dbhelpers.h"
 #include "mongo/db/jsobj.h"
 #include "mongo/db/repl/rs.h" // theReplSet
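Review bot: In the isself.cpp hunk the removed `conn.auth(...)` call used to fill `errmsg`, and `authenticateInternalUser(&conn)` takes no error string, so on failure the `return false;` now leaves `errmsg` empty for whoever reads it; the enclosing function starts and ends outside the hunk, so I am inferring that `errmsg` is its out-parameter. The same loss appears in the connections.h hunk, where the kept line `log() << "could not authenticate against " << _hostport << ", " << err << rsLog;` now prints an `err` that nothing assigns, and in the shard.cpp hunk, where `causedBy( err )` is built from a `string err;` that is never set after the change. Either give the helper an error out-parameter (for example `bool authenticateInternalUser(DBClientWithCommands* conn, std::string* errmsg)`) and pass the reason back, or drop the stale `err` from those messages; the minimal isself.cpp repair is `errmsg = "can't authenticate as internal user";` before its `return false;`.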
@@ -58,30 +58,25 @@ namespace mongo {
 return false;
 }
- string u;
- string p;
 if (internalSecurity.pwd.length() > 0) {
- u = internalSecurity.user;
- p = internalSecurity.pwd;
+ return authenticateInternalUser(conn);
 }
- else {
- BSONObj user;
- {
- Client::ReadContext ctxt("local.");
- if( !Helpers::findOne("local.system.users", userReplQuery, user) ||
- // try the first user in local
- !Helpers::getSingleton("local.system.users", user) ) {
- log() << "replauthenticate: no user in local.system.users to use for authentication" << endl;
- return false;
- }
+ BSONObj user;
+ {
+ Client::ReadContext ctxt("local.");
+ if( !Helpers::findOne("local.system.users", userReplQuery, user) ||
+ // try the first user in local
+ !Helpers::getSingleton("local.system.users", user) ) {
+ log() << "replauthenticate: no user in local.system.users to use for authentication" << endl;
+ return false;
 }
- u = user.getStringField("user");
- p = user.getStringField("pwd");
- massert( 10392 , "bad user object? [1]", !u.empty());
- massert( 10393 , "bad user object? [2]", !p.empty());
 }
+ std::string u = user.getStringField("user");
+ std::string p = user.getStringField("pwd");
+ massert( 10392 , "bad user object? [1]", !u.empty());
+ massert( 10393 , "bad user object? [2]", !p.empty());
- string err;
+ std::string err;
 if( !conn->auth("local", u.c_str(), p.c_str(), err, false) ) {
 log() << "replauthenticate: can't authenticate to master server, user:" << u << endl;
 return false;
diff --git a/src/mongo/db/repl/sync_source_feedback.cpp b/src/mongo/db/repl/sync_source_feedback.cpp
index 985f5a63c85..b26a7a644b9 100644
--- a/src/mongo/db/repl/sync_source_feedback.cpp
+++ b/src/mongo/db/repl/sync_source_feedback.cpp
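Review bot: The `local.system.users` fallback — from `BSONObj user;` through the two `massert` lines — is now duplicated verbatim between this hunk and the sync_source_feedback.cpp hunk, down to the same `userReplQuery` lookup and the `getSingleton` retry; since the commit already makes security_key.cpp the home for shared cluster-auth code, a second helper there that yields the user/pwd pair (or performs that whole auth) would let both call sites collapse to one call and keep the two copies from drifting. Separately, the early `return authenticateInternalUser(conn);` means the keyfile path no longer emits a `replauthenticate:`-prefixed message on failure, only the helper's generic one, which makes the log harder to attribute to replication. The enclosing function begins and ends outside the hunk.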
@@ -18,8 +18,8 @@
 #include "mongo/client/constants.h"
 #include "mongo/client/dbclientcursor.h"
-#include "mongo/db/auth/authorization_manager.h"
 #include "mongo/db/auth/authorization_session.h"
+#include "mongo/db/auth/security_key.h"
 #include "mongo/db/dbhelpers.h"
 #include "mongo/db/repl/bgsync.h"
 #include "mongo/db/repl/rs.h" // theReplSet
@@ -47,29 +47,24 @@ namespace mongo {
 return false;
 }
- string u;
- string p;
 if (internalSecurity.pwd.length() > 0) {
- u = internalSecurity.user;
- p = internalSecurity.pwd;
+ return authenticateInternalUser(_connection.get());
 }
- else {
- BSONObj user;
- {
- Client::ReadContext ctxt("local.");
- if(!Helpers::findOne("local.system.users", userReplQuery, user) ||
- // try the first user in local
- !Helpers::getSingleton("local.system.users", user)) {
- log() << "replauthenticate: no user in local.system.users to use"
- << "for authentication" << endl;
- return false;
- }
+ BSONObj user;
+ {
+ Client::ReadContext ctxt("local.");
+ if(!Helpers::findOne("local.system.users", userReplQuery, user) ||
+ // try the first user in local
+ !Helpers::getSingleton("local.system.users", user)) {
+ log() << "replauthenticate: no user in local.system.users to use"
+ << "for authentication" << endl;
+ return false;
 }
- u = user.getStringField("user");
- p = user.getStringField("pwd");
- massert(16889, "bad user object? [1]", !u.empty());
- massert(16887, "bad user object? [2]", !p.empty());
 }
+ std::string u = user.getStringField("user");
+ std::string p = user.getStringField("pwd");
+ massert(16889, "bad user object? [1]", !u.empty());
+ massert(16887, "bad user object? [2]", !p.empty());
 string err;
 if( !_connection->auth("local", u.c_str(), p.c_str(), err, false) ) {
diff --git a/src/mongo/s/shard.cpp b/src/mongo/s/shard.cpp
index c5516d6e6d2..b57bf714cae 100644
--- a/src/mongo/s/shard.cpp
+++ b/src/mongo/s/shard.cpp
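Review bot: The re-added log call `log() << "replauthenticate: no user in local.system.users to use" << "for authentication" << endl;` joins the two literals with no separating space, so the message reads `to usefor authentication`; change the second literal to `" for authentication"`. The unchanged `string err;` that follows the new `std::string u` and `std::string p` lines also leaves both spellings side by side in one function, whereas the oplogreader.cpp hunk switched its `err` declaration to `std::string` as well. The enclosing function begins and ends outside the hunk.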
@@ -28,6 +28,7 @@
 #include "mongo/db/auth/action_type.h"
 #include "mongo/db/auth/authorization_manager.h"
 #include "mongo/db/auth/privilege.h"
+#include "mongo/db/auth/security_key.h"
 #include "mongo/db/commands.h"
 #include "mongo/db/jsobj.h"
 #include "mongo/s/client_info.h"
@@ -406,11 +407,7 @@ namespace mongo {
 string err;
 LOG(2) << "calling onCreate auth for " << conn->toString() << endl;
- bool result = conn->auth( "local",
- internalSecurity.user,
- internalSecurity.pwd,
- err,
- false );
+ bool result = authenticateInternalUser(conn);
 uassert( 15847, str::stream() << "can't authenticate to server " << conn->getServerAddress() << causedBy( err ), |