SERVER-22708 Insecure configuration startup warnings

(cherry picked from commit ef2130288e7d2c89dcd1a503dfd701263d5563fe)

5 files changed, 63 insertions, 40 deletions

diff --git a/src/mongo/db/auth/auth_decorations.cpp b/src/mongo/db/auth/auth_decorations.cpp
index bc93e494ff2..2bd2264e0f9 100644
--- a/src/mongo/db/auth/auth_decorations.cpp
+++ b/src/mongo/db/auth/auth_decorations.cpp
@@ -54,7 +54,8 @@ MONGO_INITIALIZER_WITH_PREREQUISITES(CreateAuthorizationManager,
 (InitializerContext* context) {
     auto authzManager =
         stdx::make_unique<AuthorizationManager>(AuthzManagerExternalState::create());
-    authzManager->setAuthEnabled(serverGlobalParams.isAuthEnabled);
+    authzManager->setAuthEnabled(serverGlobalParams.authState ==
+                                 ServerGlobalParams::AuthState::kEnabled);
     AuthorizationManager::set(getGlobalServiceContext(), std::move(authzManager));
     return Status::OK();
 }
diff --git a/src/mongo/db/mongod_options.cpp b/src/mongo/db/mongod_options.cpp
index 1c754d5c1fc..e8facbaa850 100644
--- a/src/mongo/db/mongod_options.cpp
+++ b/src/mongo/db/mongod_options.cpp
@@ -102,10 +102,6 @@ Status addMongodOptions(moe::OptionSection* options) {
         .setSources(moe::SourceAllLegacy)
         .incompatibleWith("noauth");
 
-    general_options.addOptionChaining("noauth", "noauth", moe::Switch, "run without security")
-        .setSources(moe::SourceAllLegacy)
-        .incompatibleWith("auth");
-
     // Way to enable or disable auth in JSON Config
     general_options
         .addOptionChaining(
@@ -773,21 +769,8 @@ Status canonicalizeMongodOptions(moe::Environment* params) {
         }
     }
 
-    // "security.authorization" comes from the config file, so override it if "noauth" or
-    // "auth" are set since those come from the command line.
-    if (params->count("noauth")) {
-        Status ret =
-            params->set("security.authorization",
-                        (*params)["noauth"].as<bool>() ? moe::Value(std::string("disabled"))
-                                                       : moe::Value(std::string("enabled")));
-        if (!ret.isOK()) {
-            return ret;
-        }
-        ret = params->remove("noauth");
-        if (!ret.isOK()) {
-            return ret;
-        }
-    }
+    // "security.authorization" comes from the config file, so override it if "auth" is
+    // set since those come from the command line.
     if (params->count("auth")) {
         Status ret =
             params->set("security.authorization",
@@ -1019,14 +1002,6 @@ Status storeMongodOptions(const moe::Environment& params, const std::vector<std:
     if (params.count("cpu")) {
         serverGlobalParams.cpu = params["cpu"].as<bool>();
     }
-    if (params.count("security.authorization") &&
-        params["security.authorization"].as<std::string>() == "disabled") {
-        serverGlobalParams.isAuthEnabled = false;
-    }
-    if (params.count("security.authorization") &&
-        params["security.authorization"].as<std::string>() == "enabled") {
-        serverGlobalParams.isAuthEnabled = true;
-    }
     if (params.count("storage.mmapv1.quota.enforced")) {
         mmapv1GlobalOptions.quota = params["storage.mmapv1.quota.enforced"].as<bool>();
     }
diff --git a/src/mongo/db/server_options.h b/src/mongo/db/server_options.h
index 33cddbc3d6b..fee65aa1971 100644
--- a/src/mongo/db/server_options.h
+++ b/src/mongo/db/server_options.h
@@ -128,7 +128,11 @@ struct ServerGlobalParams {
 
     BSONArray argvArray;
     BSONObj parsedOpts;
-    bool isAuthEnabled = false;
+
+    enum AuthState { kEnabled, kDisabled, kUndefined };
+
+    AuthState authState = AuthState::kUndefined;
+
     AtomicInt32 clusterAuthMode;  // --clusterAuthMode, the internal cluster auth mode
 
     enum ClusterAuthModes {
diff --git a/src/mongo/db/server_options_helpers.cpp b/src/mongo/db/server_options_helpers.cpp
index 527d48150f8..2c90d6ebdf1 100644
--- a/src/mongo/db/server_options_helpers.cpp
+++ b/src/mongo/db/server_options_helpers.cpp
@@ -271,6 +271,12 @@ Status addGeneralServerOptions(moe::OptionSection* options) {
                                moe::String,
                                "private key for cluster authentication").incompatibleWith("noauth");
 
+    options->addOptionChaining("noauth", "noauth", moe::Switch, "run without security")
+        .setSources(moe::SourceAllLegacy)
+        .incompatibleWith("auth")
+        .incompatibleWith("keyFile")
+        .incompatibleWith("clusterAuthMode");
+
     options->addOptionChaining(
                  "setParameter", "setParameter", moe::StringMap, "Set a configurable parameter")
         .composing();
@@ -688,6 +694,19 @@ Status canonicalizeServerOptions(moe::Environment* params) {
         }
     }
 
+    if (params->count("noauth")) {
+        Status ret =
+            params->set("security.authorization",
+                        (*params)["noauth"].as<bool>() ? moe::Value(std::string("disabled"))
+                                                       : moe::Value(std::string("enabled")));
+        if (!ret.isOK()) {
+            return ret;
+        }
+        ret = params->remove("noauth");
+        if (!ret.isOK()) {
+            return ret;
+        }
+    }
     return Status::OK();
 }
 
@@ -783,6 +802,7 @@ Status storeServerOptions(const moe::Environment& params, const std::vector<std:
             return Status(ErrorCodes::BadValue,
                           "unsupported value for clusterAuthMode " + clusterAuthMode);
         }
+        serverGlobalParams.authState = ServerGlobalParams::AuthState::kEnabled;
     } else {
         serverGlobalParams.clusterAuthMode.store(ServerGlobalParams::ClusterAuthMode_undefined);
     }
@@ -807,15 +827,6 @@ Status storeServerOptions(const moe::Environment& params, const std::vector<std:
         serverGlobalParams.objcheck = params["net.wireObjectCheck"].as<bool>();
     }
 
-    if (params.count("net.bindIp")) {
-        // passing in wildcard is the same as default behavior; remove and warn
-        if (serverGlobalParams.bind_ip == "0.0.0.0") {
-            std::cout << "warning: bind_ip of 0.0.0.0 is unnecessary; "
-                      << "listens on all ips by default" << endl;
-            serverGlobalParams.bind_ip = "";
-        }
-    }
-
 #ifndef _WIN32
     if (params.count("net.unixDomainSocket.pathPrefix")) {
         serverGlobalParams.socket = params["net.unixDomainSocket.pathPrefix"].as<string>();
@@ -940,6 +951,14 @@ Status storeServerOptions(const moe::Environment& params, const std::vector<std:
             boost::filesystem::absolute(params["security.keyFile"].as<string>()).generic_string();
     }
 
+    if (params.count("security.authorization") &&
+        params["security.authorization"].as<std::string>() == "disabled") {
+        serverGlobalParams.authState = ServerGlobalParams::AuthState::kDisabled;
+    } else if (params.count("security.authorization") &&
+               params["security.authorization"].as<std::string>() == "enabled") {
+        serverGlobalParams.authState = ServerGlobalParams::AuthState::kEnabled;
+    } 
+
     if (params.count("processManagement.pidFilePath")) {
         serverGlobalParams.pidFile = params["processManagement.pidFilePath"].as<string>();
     }
diff --git a/src/mongo/db/startup_warnings_common.cpp b/src/mongo/db/startup_warnings_common.cpp
index 54af64faff5..e3010bcb0a9 100644
--- a/src/mongo/db/startup_warnings_common.cpp
+++ b/src/mongo/db/startup_warnings_common.cpp
@@ -61,8 +61,7 @@ void logCommonStartupWarnings(const ServerGlobalParams& serverParams) {
         }
     }
 
-    if ((serverParams.isAuthEnabled ||
-         serverParams.clusterAuthMode.load() != ServerGlobalParams::ClusterAuthMode_undefined) &&
+    if (serverParams.authState == ServerGlobalParams::AuthState::kEnabled &&
         (serverParams.rest || serverParams.isHttpInterfaceEnabled || serverParams.jsonp)) {
         log() << startupWarningsLog;
         log()
@@ -75,6 +74,31 @@ void logCommonStartupWarnings(const ServerGlobalParams& serverParams) {
         warned = true;
     }
 
+    if (serverParams.authState == ServerGlobalParams::AuthState::kUndefined) {
+        log() << startupWarningsLog;
+        if (serverParams.bind_ip.empty()) {
+            log() << "** WARNING: Insecure configuration, access control is not "
+                     "enabled and no --bind_ip has been specified." << startupWarningsLog;
+            log() << "**          Read and write access to data and configuration is "
+                     "unrestricted, " << startupWarningsLog;
+            log() << "**          and the server listens on all available network interfaces."
+                  << startupWarningsLog;
+        } else {
+            log() << "** WARNING: Access control is not enabled for the database."
+                  << startupWarningsLog;
+            log() << "**          Read and write access to data and configuration is "
+                     "unrestricted." << startupWarningsLog;
+        }
+        warned = true;
+    } else if (serverParams.bind_ip.empty()) {
+        log() << startupWarningsLog;
+        log() << "** WARNING: The server was started without specifying a "
+                 "--bind_ip " << startupWarningsLog;
+        log() << "**          and listens for connections on all available "
+                 "network interfaces." << startupWarningsLog;
+        warned = true;
+    }
+
     const bool is32bit = sizeof(int*) == 4;
     if (is32bit) {
         log() << startupWarningsLog;