authorSpencer T Brody <spencer@10gen.com>2012-06-18 19:52:22 -0400
committerSpencer T Brody <spencer@10gen.com>2012-06-20 15:25:10 -0400
commit2a2689e7a5823291b125fabddf981ca87ef9a3f0 (patch)
tree096b17b0fa07d0c23ce9ac84502028cfaf2c4f69 /src
parent849a4fa53f6c99b7b72a9772bef908cb7e88a416 (diff)
downloadmongo-2a2689e7a5823291b125fabddf981ca87ef9a3f0.tar.gz
Always use internal credentials when connecting to the config servers. SERVER-1456
Diffstat (limited to 'src')
-rw-r--r--src/mongo/client/connpool.cpp4
-rw-r--r--src/mongo/client/dbclient.cpp8
-rw-r--r--src/mongo/client/dbclientinterface.h7
-rw-r--r--src/mongo/client/syncclusterconnection.cpp21
-rw-r--r--src/mongo/client/syncclusterconnection.h3
-rw-r--r--src/mongo/s/chunk.cpp2
-rw-r--r--src/mongo/s/chunk_diff.hpp3
-rw-r--r--src/mongo/s/commands_admin.cpp12
-rw-r--r--src/mongo/s/config.cpp16
-rw-r--r--src/mongo/s/config_migrate.cpp2
-rw-r--r--src/mongo/s/d_chunk_manager.cpp2
-rw-r--r--src/mongo/s/d_migrate.cpp14
-rw-r--r--src/mongo/s/d_split.cpp10
-rw-r--r--src/mongo/s/grid.cpp11
-rw-r--r--src/mongo/s/shard.cpp10
15 files changed, 87 insertions, 38 deletions
diff --git a/src/mongo/client/connpool.cpp b/src/mongo/client/connpool.cpp
index d79265d070f..ebfc187346a 100644
--- a/src/mongo/client/connpool.cpp
+++ b/src/mongo/client/connpool.cpp
@@ -80,7 +80,11 @@ namespace mongo {
_pool.pop();
all.push_back( c );
bool res;
+ // When a connection is in the pool it doesn't have an AuthenticationTable set.
+ c.conn->setAuthenticationTable(
+ AuthenticationTable::getInternalSecurityAuthenticationTable() );
c.conn->isMaster( res );
+ c.conn->clearAuthenticationTable();
}
for ( vector<StoredConnection>::iterator i=all.begin(); i != all.end(); ++i ) {
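Review bot: The internal-security table set before `c.conn->isMaster( res )` is removed only on the normal path; if `isMaster` throws (it may on a socket error, though that is not visible in this hunk), `clearAuthenticationTable()` is skipped and the connection object keeps the internal credentials. The added comment says a pooled connection is expected to carry no AuthenticationTable, so the clear should run on every exit, e.g. `try { c.conn->isMaster( res ); } catch ( ... ) { c.conn->clearAuthenticationTable(); throw; }` or a small scope guard. The enclosing function starts and ends outside the hunk.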
diff --git a/src/mongo/client/dbclient.cpp b/src/mongo/client/dbclient.cpp
index 56307760e91..6441105107c 100644
--- a/src/mongo/client/dbclient.cpp
+++ b/src/mongo/client/dbclient.cpp
@@ -330,6 +330,14 @@ namespace mongo {
_hasAuthentication = false;
}
+ bool DBClientWithCommands::hasAuthenticationTable() {
+ return _hasAuthentication;
+ }
+
+ AuthenticationTable& DBClientWithCommands::getAuthenticationTable() {
+ return _authTable;
+ }
+
inline bool DBClientWithCommands::runCommand(const string &dbname,
const BSONObj& cmd,
BSONObj &info,
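Review bot: `getAuthenticationTable()` returns a non-const reference to `_authTable` and does not look at `_hasAuthentication`, so a caller can read or modify a table that was never set or, judging by the `_hasAuthentication = false;` context line above, has already been cleared. Both accessors only read state, so I would declare them `bool hasAuthenticationTable() const;` and `const AuthenticationTable& getAuthenticationTable() const;` here and in dbclientinterface.h, provided `copyCommandObjAddingAuth` can be called on a const table. A comment on the declaration such as `// Only meaningful when hasAuthenticationTable() returns true.` would document the contract.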
diff --git a/src/mongo/client/dbclientinterface.h b/src/mongo/client/dbclientinterface.h
index 475701c061d..336033299f0 100644
--- a/src/mongo/client/dbclientinterface.h
+++ b/src/mongo/client/dbclientinterface.h
@@ -819,8 +819,8 @@ namespace mongo {
bool exists( const string& ns );
- void setAuthenticationTable ( const AuthenticationTable& auth );
- void clearAuthenticationTable ();
+ virtual void setAuthenticationTable( const AuthenticationTable& auth );
+ virtual void clearAuthenticationTable();
/** Create an index if it does not already exist.
ensureIndex calls are remembered so it is safe/fast to call this function many
@@ -883,6 +883,9 @@ namespace mongo {
virtual QueryOptions _lookupAvailableOptions();
+ bool hasAuthenticationTable();
+ AuthenticationTable& getAuthenticationTable();
+
private:
enum QueryOptions _cachedAvailableOptions;
bool _haveCachedAvailableOptions;
diff --git a/src/mongo/client/syncclusterconnection.cpp b/src/mongo/client/syncclusterconnection.cpp
index 158b1dab3f2..b3ccdf829cc 100644
--- a/src/mongo/client/syncclusterconnection.cpp
+++ b/src/mongo/client/syncclusterconnection.cpp
@@ -21,6 +21,7 @@
#include "mongo/client/syncclusterconnection.h"
#include "mongo/client/dbclientcursor.h"
+#include "mongo/client/dbclientinterface.h"
#include "mongo/db/dbmessage.h"
// error codes 8000-8009
@@ -210,6 +211,20 @@ namespace mongo {
return true;
}
+ void SyncClusterConnection::setAuthenticationTable( const AuthenticationTable& auth ) {
+ for( size_t i = 0; i < _conns.size(); ++i ) {
+ _conns[i]->setAuthenticationTable( auth );
+ }
+ DBClientWithCommands::setAuthenticationTable( auth );
+ }
+
+ void SyncClusterConnection::clearAuthenticationTable() {
+ for( size_t i = 0; i < _conns.size(); ++i ) {
+ _conns[i]->clearAuthenticationTable( auth );
+ }
+ DBClientWithCommands::clearAuthenticationTable();
+ }
+
auto_ptr<DBClientCursor> SyncClusterConnection::query(const string &ns, Query query, int nToReturn, int nToSkip,
const BSONObj *fieldsToReturn, int queryOptions, int batchSize ) {
_lastErrors.clear();
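Review bot: `_conns[i]->clearAuthenticationTable( auth );` in `SyncClusterConnection::clearAuthenticationTable()` passes `auth`, which is not declared in this function, to a method that dbclientinterface.h declares with no parameters, so this line should not compile. It looks copied from `setAuthenticationTable` above; it should read `_conns[i]->clearAuthenticationTable();`. This is the path that removes internal credentials from each underlying connection, so it is worth a test that sets and then clears the table and checks every entry in `_conns`.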
@@ -223,7 +238,11 @@ namespace mongo {
}
bool SyncClusterConnection::_commandOnActive(const string &dbname, const BSONObj& cmd, BSONObj &info, int options ) {
- auto_ptr<DBClientCursor> cursor = _queryOnActive( dbname + ".$cmd" , cmd , 1 , 0 , 0 , options , 0 );
+ BSONObj actualCmd = cmd;
+ if ( hasAuthenticationTable() ) {
+ actualCmd = getAuthenticationTable().copyCommandObjAddingAuth( cmd );
+ }
+ auto_ptr<DBClientCursor> cursor = _queryOnActive( dbname + ".$cmd" , actualCmd , 1 , 0 , 0 , options , 0 );
if ( cursor->more() )
info = cursor->next().copy();
else
diff --git a/src/mongo/client/syncclusterconnection.h b/src/mongo/client/syncclusterconnection.h
index 611869b437b..3907f7e50a0 100644
--- a/src/mongo/client/syncclusterconnection.h
+++ b/src/mongo/client/syncclusterconnection.h
@@ -102,6 +102,9 @@ namespace mongo {
virtual bool auth(const string &dbname, const string &username, const string &password_text, string& errmsg, bool digestPassword, Auth::Level* level=NULL);
+ virtual void setAuthenticationTable( const AuthenticationTable& auth );
+ virtual void clearAuthenticationTable();
+
virtual bool lazySupported() const { return false; }
private:
SyncClusterConnection( SyncClusterConnection& prev, double socketTimeout = 0 );
diff --git a/src/mongo/s/chunk.cpp b/src/mongo/s/chunk.cpp
index 756e6040bc9..e9dfc8183f0 100644
--- a/src/mongo/s/chunk.cpp
+++ b/src/mongo/s/chunk.cpp
@@ -1232,7 +1232,7 @@ namespace mongo {
// remove chunk data
scoped_ptr<ScopedDbConnection> conn(
- ScopedDbConnection::getScopedDbConnection( configServer.modelServer() ) );
+ ScopedDbConnection::getInternalScopedDbConnection( configServer.modelServer() ) );
conn->get()->remove( Chunk::chunkMetadataNS , BSON( "ns" << _ns ) );
conn->done();
LOG(1) << "ChunkManager::drop : " << _ns << "\t removed chunk data" << endl;
diff --git a/src/mongo/s/chunk_diff.hpp b/src/mongo/s/chunk_diff.hpp
index 59927b95ce8..47b700457db 100644
--- a/src/mongo/s/chunk_diff.hpp
+++ b/src/mongo/s/chunk_diff.hpp
@@ -81,7 +81,8 @@ namespace mongo {
// Get the diff query required
Query diffQuery = configDiffQuery( extraMinorVersions );
- scoped_ptr<ScopedDbConnection> conn( ScopedDbConnection::getScopedDbConnection( config ) );
+ scoped_ptr<ScopedDbConnection> conn(
+ ScopedDbConnection::getInternalScopedDbConnection( config ) );
try {
diff --git a/src/mongo/s/commands_admin.cpp b/src/mongo/s/commands_admin.cpp
index e680a919e86..19c672855c7 100644
--- a/src/mongo/s/commands_admin.cpp
+++ b/src/mongo/s/commands_admin.cpp
@@ -868,8 +868,8 @@ namespace mongo {
}
bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
scoped_ptr<ScopedDbConnection> conn(
- ScopedDbConnection::getScopedDbConnection( configServer.getPrimary()
- .getConnString() ) );
+ ScopedDbConnection::getInternalScopedDbConnection( configServer.getPrimary()
+ .getConnString() ) );
vector<BSONObj> all;
auto_ptr<DBClientCursor> cursor = conn->get()->query( "config.shards" , BSONObj() );
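Review bot: This command handler now reaches the config servers with the internal credentials, so the calling user's own privileges no longer limit what is read from `config.shards`; the only remaining gate is whatever authorization check the command performs before `run`, which is not visible in this hunk. The same applies to the other two hunks in this file and to the renamed call sites in grid.cpp, config.cpp, chunk.cpp and shard.cpp. Please confirm that each of these entry points is restricted to suitably privileged users, and record that at the call with a comment such as `// Uses internal credentials; the caller must already be authorized for this command.`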
@@ -973,8 +973,8 @@ namespace mongo {
}
scoped_ptr<ScopedDbConnection> connPtr(
- ScopedDbConnection::getScopedDbConnection( configServer.getPrimary()
- .getConnString() ) );
+ ScopedDbConnection::getInternalScopedDbConnection( configServer.getPrimary()
+ .getConnString() ) );
ScopedDbConnection& conn = *connPtr;
if (conn->count("config.shards", BSON("_id" << NE << s.getName() << ShardFields::draining(true)))){
@@ -1296,8 +1296,8 @@ namespace mongo {
if ( sizes.find( "config" ) == sizes.end() ){
scoped_ptr<ScopedDbConnection> conn(
- ScopedDbConnection::getScopedDbConnection( configServer.getPrimary()
- .getConnString() ) );
+ ScopedDbConnection::getInternalScopedDbConnection( configServer.getPrimary()
+ .getConnString() ) );
BSONObj x;
if ( conn->get()->simpleCommand( "config" , &x , "dbstats" ) ){
BSONObjBuilder b;
diff --git a/src/mongo/s/config.cpp b/src/mongo/s/config.cpp
index 0b9bde1e195..0825378ce3c 100644
--- a/src/mongo/s/config.cpp
+++ b/src/mongo/s/config.cpp
@@ -327,8 +327,8 @@ namespace mongo {
BSONObj newest;
if ( oldVersion.isSet() && ! forceReload ) {
- scoped_ptr<ScopedDbConnection> conn(
- ScopedDbConnection::getScopedDbConnection( configServer.modelServer(), 30.0 ) );
+ scoped_ptr<ScopedDbConnection> conn( ScopedDbConnection::getInternalScopedDbConnection(
+ configServer.modelServer(), 30.0 ) );
newest = conn->get()->findOne( ShardNS::chunk ,
Query( BSON( "ns" << ns ) ).sort( "lastmod" , -1 ) );
conn->done();
@@ -460,8 +460,8 @@ namespace mongo {
}
bool DBConfig::_load() {
- scoped_ptr<ScopedDbConnection> conn(
- ScopedDbConnection::getScopedDbConnection( configServer.modelServer(), 30.0 ) );
+ scoped_ptr<ScopedDbConnection> conn( ScopedDbConnection::getInternalScopedDbConnection(
+ configServer.modelServer(), 30.0 ) );
BSONObj o = conn->get()->findOne( ShardNS::database , BSON( "_id" << _name ) );
@@ -504,8 +504,8 @@ namespace mongo {
}
void DBConfig::_save( bool db, bool coll ) {
- scoped_ptr<ScopedDbConnection> conn(
- ScopedDbConnection::getScopedDbConnection( configServer.modelServer(), 30.0 ) );
+ scoped_ptr<ScopedDbConnection> conn( ScopedDbConnection::getInternalScopedDbConnection(
+ configServer.modelServer(), 30.0 ) );
if( db ){
@@ -579,8 +579,8 @@ namespace mongo {
// 2
grid.removeDB( _name );
{
- scoped_ptr<ScopedDbConnection> conn(
- ScopedDbConnection::getScopedDbConnection(configServer.modelServer(), 30.0 ) );
+ scoped_ptr<ScopedDbConnection> conn( ScopedDbConnection::getInternalScopedDbConnection(
+ configServer.modelServer(), 30.0 ) );
conn->get()->remove( ShardNS::database , BSON( "_id" << _name ) );
errmsg = conn->get()->getLastError();
if ( ! errmsg.empty() ) {
diff --git a/src/mongo/s/config_migrate.cpp b/src/mongo/s/config_migrate.cpp
index fc88fce1538..aa15f1eda7b 100644
--- a/src/mongo/s/config_migrate.cpp
+++ b/src/mongo/s/config_migrate.cpp
@@ -37,7 +37,7 @@ namespace mongo {
if ( cur == 0 ) {
scoped_ptr<ScopedDbConnection> conn(
- ScopedDbConnection::getScopedDbConnection( _primary.getConnString() ) );
+ ScopedDbConnection::getInternalScopedDbConnection( _primary.getConnString() ) );
// If the cluster has not previously been initialized, we need to set the version before using so
// subsequent mongoses use the config data the same way. This requires all three config servers online
diff --git a/src/mongo/s/d_chunk_manager.cpp b/src/mongo/s/d_chunk_manager.cpp
index 9d162a64d04..a39fa4a684a 100644
--- a/src/mongo/s/d_chunk_manager.cpp
+++ b/src/mongo/s/d_chunk_manager.cpp
@@ -81,7 +81,7 @@ namespace mongo {
conn = direct.get();
}
else {
- scoped.reset( ScopedDbConnection::getScopedDbConnection( configServer, 30.0 ) );
+ scoped.reset( ScopedDbConnection::getInternalScopedDbConnection( configServer, 30.0 ) );
conn = scoped->get();
}
diff --git a/src/mongo/s/d_migrate.cpp b/src/mongo/s/d_migrate.cpp
index 9ada8735cb5..36b7189132c 100644
--- a/src/mongo/s/d_migrate.cpp
+++ b/src/mongo/s/d_migrate.cpp
@@ -887,8 +887,9 @@ namespace mongo {
ShardChunkVersion maxVersion;
string myOldShard;
{
- scoped_ptr<ScopedDbConnection> conn( ScopedDbConnection::getScopedDbConnection(
- shardingState.getConfigServer() ) );
+ scoped_ptr<ScopedDbConnection> conn(
+ ScopedDbConnection::getInternalScopedDbConnection(
+ shardingState.getConfigServer() ) );
BSONObj x;
BSONObj currChunk;
@@ -1234,8 +1235,9 @@ namespace mongo {
bool ok = false;
BSONObj cmdResult;
try {
- scoped_ptr<ScopedDbConnection> conn( ScopedDbConnection::getScopedDbConnection(
- shardingState.getConfigServer() ) );
+ scoped_ptr<ScopedDbConnection> conn(
+ ScopedDbConnection::getInternalScopedDbConnection(
+ shardingState.getConfigServer() ) );
ok = conn->get()->runCommand( "config" , cmd , cmdResult );
conn->done();
}
@@ -1261,8 +1263,8 @@ namespace mongo {
try {
scoped_ptr<ScopedDbConnection> conn(
- ScopedDbConnection::getScopedDbConnection( shardingState
- .getConfigServer() ) );
+ ScopedDbConnection::getInternalScopedDbConnection(
+ shardingState.getConfigServer() ) );
// look for the chunk in this shard whose version got bumped
// we assume that if that mod made it to the config, the applyOps was successful
diff --git a/src/mongo/s/d_split.cpp b/src/mongo/s/d_split.cpp
index f1b96416272..4309c9ee13a 100644
--- a/src/mongo/s/d_split.cpp
+++ b/src/mongo/s/d_split.cpp
@@ -559,8 +559,9 @@ namespace mongo {
string shard;
ChunkInfo origChunk;
{
- scoped_ptr<ScopedDbConnection> conn( ScopedDbConnection::getScopedDbConnection(
- shardingState.getConfigServer() ) );
+ scoped_ptr<ScopedDbConnection> conn(
+ ScopedDbConnection::getInternalScopedDbConnection(
+ shardingState.getConfigServer() ) );
BSONObj x = conn->get()->findOne( ShardNS::chunk,
Query( BSON( "ns" << ns ) )
@@ -702,8 +703,9 @@ namespace mongo {
bool ok;
BSONObj cmdResult;
{
- scoped_ptr<ScopedDbConnection> conn( ScopedDbConnection::getScopedDbConnection(
- shardingState.getConfigServer() ) );
+ scoped_ptr<ScopedDbConnection> conn(
+ ScopedDbConnection::getInternalScopedDbConnection(
+ shardingState.getConfigServer() ) );
ok = conn->get()->runCommand( "config" , cmd , cmdResult );
conn->done();
}
diff --git a/src/mongo/s/grid.cpp b/src/mongo/s/grid.cpp
index 83448245e8c..638420037d9 100644
--- a/src/mongo/s/grid.cpp
+++ b/src/mongo/s/grid.cpp
@@ -77,7 +77,8 @@ namespace mongo {
{
// lets check case
scoped_ptr<ScopedDbConnection> conn(
- ScopedDbConnection::getScopedDbConnection( configServer.modelServer() ));
+ ScopedDbConnection::getInternalScopedDbConnection(
+ configServer.modelServer() ));
BSONObjBuilder b;
b.appendRegex( "_id" , (string)"^" +
@@ -398,7 +399,7 @@ namespace mongo {
}
bool Grid::knowAboutShard( const string& name ) const {
- scoped_ptr<ScopedDbConnection> conn( ScopedDbConnection::getScopedDbConnection(
+ scoped_ptr<ScopedDbConnection> conn( ScopedDbConnection::getInternalScopedDbConnection(
configServer.getPrimary().getConnString() ) );
BSONObj shard = conn->get()->findOne( ShardNS::shard , BSON( "host" << name ) );
conn->done();
@@ -411,7 +412,7 @@ namespace mongo {
bool ok = false;
int count = 0;
- scoped_ptr<ScopedDbConnection> conn( ScopedDbConnection::getScopedDbConnection(
+ scoped_ptr<ScopedDbConnection> conn( ScopedDbConnection::getInternalScopedDbConnection(
configServer.getPrimary().getConnString() ) );
BSONObj o = conn->get()->findOne( ShardNS::shard ,
Query( fromjson ( "{_id: /^shard/}" ) )
@@ -439,7 +440,7 @@ namespace mongo {
*/
bool Grid::shouldBalance( const string& ns, BSONObj* balancerDocOut ) const {
- scoped_ptr<ScopedDbConnection> conn( ScopedDbConnection::getScopedDbConnection(
+ scoped_ptr<ScopedDbConnection> conn( ScopedDbConnection::getInternalScopedDbConnection(
configServer.getPrimary().getConnString() ) );
BSONObj balancerDoc;
BSONObj collDoc;
@@ -554,7 +555,7 @@ namespace mongo {
}
BSONObj Grid::getConfigSetting( string name ) const {
- scoped_ptr<ScopedDbConnection> conn( ScopedDbConnection::getScopedDbConnection(
+ scoped_ptr<ScopedDbConnection> conn( ScopedDbConnection::getInternalScopedDbConnection(
configServer.getPrimary().getConnString() ) );
BSONObj result = conn->get()->findOne( ShardNS::settings, BSON( "_id" << name ) );
conn->done();
diff --git a/src/mongo/s/shard.cpp b/src/mongo/s/shard.cpp
index 221d900dcb6..d966ee780c7 100644
--- a/src/mongo/s/shard.cpp
+++ b/src/mongo/s/shard.cpp
@@ -37,8 +37,9 @@ namespace mongo {
list<BSONObj> all;
{
- scoped_ptr<ScopedDbConnection> conn( ScopedDbConnection::getScopedDbConnection(
- configServer.getPrimary().getConnString() ) );
+ scoped_ptr<ScopedDbConnection> conn(
+ ScopedDbConnection::getInternalScopedDbConnection(
+ configServer.getPrimary().getConnString() ) );
auto_ptr<DBClientCursor> c = conn->get()->query( ShardNS::shard , Query() );
massert( 13632 , "couldn't get updated shard list from config server" , c.get() );
while ( c->more() ) {
@@ -391,6 +392,11 @@ namespace mongo {
LOG(2) << "calling onCreate auth for " << conn->toString() << endl;
uassert( 15847, "can't authenticate to shard server",
conn->auth("local", internalSecurity.user, internalSecurity.pwd, err, false));
+ if ( conn->type() == ConnectionString::SYNC ) {
+ // Connections to the config servers should always have full access.
+ conn->setAuthenticationTable(
+ AuthenticationTable::getInternalSecurityAuthenticationTable() );
+ }
}
if ( _shardedConnections && versionManager.isVersionableCB( conn ) ) {
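Review bot: `conn->type() == ConnectionString::SYNC` stands in for "this is a config server connection", but it tests the connection type rather than the address, so every SYNC connection created here receives the internal table, and a config server reached through a non-SYNC connection string (if such a deployment is supported) would not. The table is also never cleared on this path, so the connection keeps full access for its lifetime, whereas connpool.cpp in the same commit clears it right after use. I would state the assumption in the comment, e.g. `// SYNC connections are only ever made to the config servers and keep internal credentials for their lifetime.`, or compare against the config server address instead. The enclosing function starts outside the hunk.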