diff options
21 files changed, 44 insertions, 292 deletions
diff --git a/buildscripts/resmokeconfig/suites/sharding_last_stable_mongos_and_mixed_shards.yml b/buildscripts/resmokeconfig/suites/sharding_last_stable_mongos_and_mixed_shards.yml index 3b3d13313d5..5be32d2a414 100644 --- a/buildscripts/resmokeconfig/suites/sharding_last_stable_mongos_and_mixed_shards.yml +++ b/buildscripts/resmokeconfig/suites/sharding_last_stable_mongos_and_mixed_shards.yml @@ -28,7 +28,6 @@ selector: - jstests/sharding/logical_time_api.js - jstests/sharding/operation_time_api.js - jstests/sharding/after_cluster_time.js - - jstests/sharding/auth_drop_user_while_logged_in.js - jstests/sharding/mongos_does_not_gossip_logical_time_without_keys.js - jstests/sharding/key_rotation.js - jstests/sharding/advance_logical_time_with_valid_signature.js diff --git a/jstests/auth/drop_user_while_logged_in.js b/jstests/auth/drop_user_while_logged_in.js deleted file mode 100644 index 20534c58f64..00000000000 --- a/jstests/auth/drop_user_while_logged_in.js +++ /dev/null @@ -1,9 +0,0 @@ -// -// Test that privileges are dropped when a user is dropped and re-added while another -// client is logged in under that username (against a standalone). -// - -load('./jstests/libs/drop_user_while_logged_in.js'); - -var conn = MongoRunner.runMongod({auth: "", smallfiles: ""}); -testDroppingUsersWhileLoggedIn(conn); diff --git a/jstests/libs/drop_user_while_logged_in.js b/jstests/libs/drop_user_while_logged_in.js deleted file mode 100644 index 43e1422d7b7..00000000000 --- a/jstests/libs/drop_user_while_logged_in.js +++ /dev/null @@ -1,42 +0,0 @@ -// -// Test that privileges are dropped when a user is dropped and re-added while another -// client is logged in under that username. -// - -function testDroppingUsersWhileLoggedIn(conn) { - var admin = conn.getDB("admin"); - - // Add users - admin.createUser({ - user: "userAdmin", - pwd: "superSecret", - roles: [{role: "userAdminAnyDatabase", db: "admin"}] - }); - admin.auth("userAdmin", "superSecret"); - admin.createUser({user: "admin", pwd: "admin", roles: ["read"]}); - admin.logout(); - - // Test privileges for the first user - assert(admin.auth("admin", "admin")); - - // Should be able to read - admin.coll.findOne(); - - // Should not be able to write - assert.writeError(admin.coll.insert({a: 1})); - - // On a new connection, log in as the second user - var conn2 = new Mongo(conn.host); - var admin2 = conn2.getDB("admin"); - admin2.auth("userAdmin", "superSecret"); - - // Replace the first user with a new user with different privileges - admin2.dropUser("admin"); - admin2.createUser({user: "admin", pwd: "topSecret", roles: [{role: "root", db: "admin"}]}); - - // The first user should not be able to read or write - assert.writeError(admin.coll.insert({a: 1})); - assert.throws(function() { - admin.coll.findOne(); - }); -} diff --git a/jstests/sharding/auth_drop_user_while_logged_in.js b/jstests/sharding/auth_drop_user_while_logged_in.js deleted file mode 100644 index 7a415553f22..00000000000 --- a/jstests/sharding/auth_drop_user_while_logged_in.js +++ /dev/null @@ -1,11 +0,0 @@ -// -// Test that privileges are dropped when a user is dropped and re-added while another -// client is logged in under that username (against a sharded cluster). -// - -load('./jstests/libs/drop_user_while_logged_in.js'); - -var st = new ShardingTest({shards: 2, mongos: 1, keyFile: 'jstests/libs/key1'}); -var mongos = st.s0; - -testDroppingUsersWhileLoggedIn(mongos); diff --git a/src/mongo/db/auth/authorization_manager.cpp b/src/mongo/db/auth/authorization_manager.cpp index 0cac76e7398..0e97504b782 100644 --- a/src/mongo/db/auth/authorization_manager.cpp +++ b/src/mongo/db/auth/authorization_manager.cpp @@ -108,7 +108,6 @@ MONGO_INITIALIZER_WITH_PREREQUISITES(SetupInternalSecurityUser, ("EndStartupOpti } const std::string AuthorizationManager::USER_NAME_FIELD_NAME = "user"; -const std::string AuthorizationManager::USER_ID_FIELD_NAME = "userId"; const std::string AuthorizationManager::USER_DB_FIELD_NAME = "db"; const std::string AuthorizationManager::ROLE_NAME_FIELD_NAME = "role"; const std::string AuthorizationManager::ROLE_DB_FIELD_NAME = "db"; @@ -411,7 +410,6 @@ Status AuthorizationManager::_initializeUserFromPrivilegeDocument(User* user, const BSONObj& privDoc) { V2UserDocumentParser parser; std::string userName = parser.extractUserNameFromUserDocument(privDoc); - if (userName != user->getName().getUser()) { return Status(ErrorCodes::BadValue, mongoutils::str::stream() << "User name from privilege document \"" @@ -422,8 +420,6 @@ Status AuthorizationManager::_initializeUserFromPrivilegeDocument(User* user, 0); } - user->setID(parser.extractUserIDFromUserDocument(privDoc)); - Status status = parser.initializeUserCredentialsFromUserDocument(user, privDoc); if (!status.isOK()) { return status; @@ -481,36 +477,9 @@ Status AuthorizationManager::getRoleDescriptionsForDB(OperationContext* opCtx, opCtx, dbname, privileges, restrictions, showBuiltinRoles, result); } -Status AuthorizationManager::acquireUserToRefreshSessionCache(OperationContext* opCtx, - const UserName& userName, - boost::optional<OID> id, - User** acquiredUser) { - // Funnel down to acquireUserForInitialAuth, and then do the id checking. - auto status = acquireUserForInitialAuth(opCtx, userName, acquiredUser); - if (!status.isOK()) { - // If we got a non-ok status, no acquiredUser should be set, so we can simply - // return without doing an id check. - return status; - } - - // Verify that the returned user matches the id that we were passed. - if (id != (*acquiredUser)->getID()) { - // If the generations don't match, then fail. - releaseUser(*acquiredUser); - *acquiredUser = nullptr; - return Status(ErrorCodes::UserNotFound, - mongoutils::str::stream() << "User id from privilege document \"" - << userName.toString() - << "\" doesn't match provided user id", - 0); - } - - return status; -} - -Status AuthorizationManager::acquireUserForInitialAuth(OperationContext* opCtx, - const UserName& userName, - User** acquiredUser) { +Status AuthorizationManager::acquireUser(OperationContext* opCtx, + const UserName& userName, + User** acquiredUser) { if (userName == internalSecurity.user->getName()) { *acquiredUser = internalSecurity.user; return Status::OK(); @@ -577,7 +546,6 @@ Status AuthorizationManager::acquireUserForInitialAuth(OperationContext* opCtx, authzVersion = schemaVersionInvalid; } - if (!status.isOK()) return status; diff --git a/src/mongo/db/auth/authorization_manager.h b/src/mongo/db/auth/authorization_manager.h index e8840838e11..578d9b384e5 100644 --- a/src/mongo/db/auth/authorization_manager.h +++ b/src/mongo/db/auth/authorization_manager.h @@ -31,8 +31,6 @@ #include <memory> #include <string> -#include <boost/optional.hpp> - #include "mongo/base/disallow_copying.h" #include "mongo/base/status.h" #include "mongo/bson/mutable/element.h" @@ -92,7 +90,6 @@ public: ~AuthorizationManager(); static const std::string USER_NAME_FIELD_NAME; - static const std::string USER_ID_FIELD_NAME; static const std::string USER_DB_FIELD_NAME; static const std::string ROLE_NAME_FIELD_NAME; static const std::string ROLE_DB_FIELD_NAME; @@ -278,41 +275,16 @@ public: std::vector<BSONObj>* result); /** - * Returns the User object for the given userName in the out parameter "acquiredUser". - * - * This method should be used only when initially authenticating a user, in contexts when - * the caller does not yet have an id for this user. When the caller already has access - * to a user document, acquireUserToRefreshSessionCache should be used instead. - * - * If no user object for this user name exists yet in the cache, read the user's privilege - * document from disk, build up a User object, sets the refcount to 1, and give that out. - * - * The returned user may be invalid by the time the caller gets access to it. - * The AuthorizationManager retains ownership of the returned User object. - * On non-OK Status return values, acquiredUser will not be modified. - */ - Status acquireUserForInitialAuth(OperationContext* opCtx, - const UserName& userName, - User** acquiredUser); - /** - * Returns the User object for the given userName in the out parameter "acquiredUser". - * - * This method must be called with a user id (the unset optional, boost::none, will be - * understood as a distinct id for a pre-3.6 user). The acquired user must match - * both the given name and given id, or this method will return an error. This method - * should be used when the caller is refresing a user document they already have. - * - * If no user object for this user name exists yet in the cache, read the user's privilege - * document from disk, build up a User object, sets the refcount to 1, and give that out. - * - * The returned user may be invalid by the time the caller gets access to it. - * The AuthorizationManager retains ownership of the returned User object. - * On non-OK Status return values, acquiredUser will not be modified. + * Returns the User object for the given userName in the out parameter "acquiredUser". + * If the user cache already has a user object for this user, it increments the refcount + * on that object and gives out a pointer to it. If no user object for this user name + * exists yet in the cache, reads the user's privilege document from disk, builds up + * a User object, sets the refcount to 1, and gives that out. The returned user may + * be invalid by the time the caller gets access to it. + * The AuthorizationManager retains ownership of the returned User object. + * On non-OK Status return values, acquiredUser will not be modified. */ - Status acquireUserToRefreshSessionCache(OperationContext* opCtx, - const UserName& userName, - boost::optional<OID> id, - User** acquiredUser); + Status acquireUser(OperationContext* opCtx, const UserName& userName, User** acquiredUser); /** * Decrements the refcount of the given User object. If the refcount has gone to zero, @@ -425,8 +397,8 @@ private: /** * Cached value of the authorization schema version. * - * May be set by acquireUserForInitialAuth(), acquireUserToRefreshSessionCache(), - * and getAuthorizationVersion(). Invalidated by invalidateUserCache(). + * May be set by acquireUser() and getAuthorizationVersion(). Invalidated by + * invalidateUserCache(). * * Reads and writes guarded by CacheGuard. */ diff --git a/src/mongo/db/auth/authorization_manager_test.cpp b/src/mongo/db/auth/authorization_manager_test.cpp index 1af1bec1f30..7eb3c980e3b 100644 --- a/src/mongo/db/auth/authorization_manager_test.cpp +++ b/src/mongo/db/auth/authorization_manager_test.cpp @@ -218,7 +218,7 @@ TEST_F(AuthorizationManagerTest, testAcquireV2User) { BSONObj())); User* v2read; - ASSERT_OK(authzManager->acquireUserForInitialAuth(&opCtx, UserName("v2read", "test"), &v2read)); + ASSERT_OK(authzManager->acquireUser(&opCtx, UserName("v2read", "test"), &v2read)); ASSERT_EQUALS(UserName("v2read", "test"), v2read->getName()); ASSERT(v2read->isValid()); ASSERT_EQUALS(1U, v2read->getRefCount()); @@ -232,8 +232,7 @@ TEST_F(AuthorizationManagerTest, testAcquireV2User) { authzManager->releaseUser(v2read); User* v2cluster; - ASSERT_OK(authzManager->acquireUserForInitialAuth( - &opCtx, UserName("v2cluster", "admin"), &v2cluster)); + ASSERT_OK(authzManager->acquireUser(&opCtx, UserName("v2cluster", "admin"), &v2cluster)); ASSERT_EQUALS(UserName("v2cluster", "admin"), v2cluster->getName()); ASSERT(v2cluster->isValid()); ASSERT_EQUALS(1U, v2cluster->getRefCount()); @@ -258,8 +257,8 @@ TEST_F(AuthorizationManagerTest, testLocalX509Authorization) { ServiceContext::UniqueOperationContext opCtx = client->makeOperationContext(); User* x509User; - ASSERT_OK(authzManager->acquireUserForInitialAuth( - opCtx.get(), UserName("CN=mongodb.com", "$external"), &x509User)); + ASSERT_OK( + authzManager->acquireUser(opCtx.get(), UserName("CN=mongodb.com", "$external"), &x509User)); ASSERT(x509User->isValid()); stdx::unordered_set<RoleName> expectedRoles{RoleName("read", "test"), @@ -292,8 +291,8 @@ TEST_F(AuthorizationManagerTest, testLocalX509AuthorizationInvalidUser) { ServiceContext::UniqueOperationContext opCtx = client->makeOperationContext(); User* x509User; - ASSERT_NOT_OK(authzManager->acquireUserForInitialAuth( - opCtx.get(), UserName("CN=10gen.com", "$external"), &x509User)); + ASSERT_NOT_OK( + authzManager->acquireUser(opCtx.get(), UserName("CN=10gen.com", "$external"), &x509User)); } TEST_F(AuthorizationManagerTest, testLocalX509AuthenticationNoAuthorization) { @@ -305,8 +304,8 @@ TEST_F(AuthorizationManagerTest, testLocalX509AuthenticationNoAuthorization) { ServiceContext::UniqueOperationContext opCtx = client->makeOperationContext(); User* x509User; - ASSERT_NOT_OK(authzManager->acquireUserForInitialAuth( - opCtx.get(), UserName("CN=mongodb.com", "$external"), &x509User)); + ASSERT_NOT_OK( + authzManager->acquireUser(opCtx.get(), UserName("CN=mongodb.com", "$external"), &x509User)); } /** @@ -404,7 +403,7 @@ TEST_F(AuthorizationManagerTest, testAcquireV2UserWithUnrecognizedActions) { BSONObj())); User* myUser; - ASSERT_OK(authzManager->acquireUserForInitialAuth(&opCtx, UserName("myUser", "test"), &myUser)); + ASSERT_OK(authzManager->acquireUser(&opCtx, UserName("myUser", "test"), &myUser)); ASSERT_EQUALS(UserName("myUser", "test"), myUser->getName()); ASSERT(myUser->isValid()); ASSERT_EQUALS(1U, myUser->getRefCount()); diff --git a/src/mongo/db/auth/authorization_session.cpp b/src/mongo/db/auth/authorization_session.cpp index a29e1c2ff5e..4c72c4677e3 100644 --- a/src/mongo/db/auth/authorization_session.cpp +++ b/src/mongo/db/auth/authorization_session.cpp @@ -140,7 +140,7 @@ Status AuthorizationSession::addAndAuthorizeUser(OperationContext* opCtx, const UserName& userName) { User* user; AuthorizationManager* authzManager = AuthorizationManager::get(opCtx->getServiceContext()); - Status status = authzManager->acquireUserForInitialAuth(opCtx, userName, &user); + Status status = authzManager->acquireUser(opCtx, userName, &user); if (!status.isOK()) { return status; } @@ -797,9 +797,7 @@ void AuthorizationSession::_refreshUserInfoAsNeeded(OperationContext* opCtx) { UserName name = user->getName(); User* updatedUser; - Status status = - authMan.acquireUserToRefreshSessionCache(opCtx, name, user->getID(), &updatedUser); - + Status status = authMan.acquireUser(opCtx, name, &updatedUser); switch (status.code()) { case ErrorCodes::OK: { diff --git a/src/mongo/db/auth/authorization_session.h b/src/mongo/db/auth/authorization_session.h index eccb2dcbbc3..7da7d21c9a1 100644 --- a/src/mongo/db/auth/authorization_session.h +++ b/src/mongo/db/auth/authorization_session.h @@ -305,12 +305,9 @@ protected: private: // If any users authenticated on this session are marked as invalid this updates them with // up-to-date information. May require a read lock on the "admin" db to read the user data. - // - // When refreshing a user document, we will use the current user's id to confirm that our - // user is of the same generation as the refreshed user document. If the generations don't - // match we will remove the outdated user document from the cache. void _refreshUserInfoAsNeeded(OperationContext* opCtx); + // Checks if this connection is authorized for the given Privilege, ignoring whether or not // we should even be doing authorization checks in general. Note: this may acquire a read // lock on the admin database (to update out-of-date user privilege information). diff --git a/src/mongo/db/auth/sasl_plain_server_conversation.cpp b/src/mongo/db/auth/sasl_plain_server_conversation.cpp index 67ad4d52272..03b58dc1819 100644 --- a/src/mongo/db/auth/sasl_plain_server_conversation.cpp +++ b/src/mongo/db/auth/sasl_plain_server_conversation.cpp @@ -91,12 +91,11 @@ StatusWith<bool> SaslPLAINServerConversation::step(StringData inputData, std::st User* userObj; // The authentication database is also the source database for the user. - Status status = _saslAuthSession->getAuthorizationSession() - ->getAuthorizationManager() - .acquireUserForInitialAuth( - _saslAuthSession->getOpCtxt(), - UserName(_user, _saslAuthSession->getAuthenticationDatabase()), - &userObj); + Status status = + _saslAuthSession->getAuthorizationSession()->getAuthorizationManager().acquireUser( + _saslAuthSession->getOpCtxt(), + UserName(_user, _saslAuthSession->getAuthenticationDatabase()), + &userObj); if (!status.isOK()) { return StatusWith<bool>(status); diff --git a/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp b/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp index 5ade83dc708..98469c1137d 100644 --- a/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp +++ b/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp @@ -168,9 +168,9 @@ StatusWith<bool> SaslSCRAMSHA1ServerConversation::_firstStep(std::vector<string> // The authentication database is also the source database for the user. User* userObj; - Status status = _saslAuthSession->getAuthorizationSession() - ->getAuthorizationManager() - .acquireUserForInitialAuth(_saslAuthSession->getOpCtxt(), user, &userObj); + Status status = + _saslAuthSession->getAuthorizationSession()->getAuthorizationManager().acquireUser( + _saslAuthSession->getOpCtxt(), user, &userObj); if (!status.isOK()) { return StatusWith<bool>(status); diff --git a/src/mongo/db/auth/user.cpp b/src/mongo/db/auth/user.cpp index 36039d2ef14..698e78297fd 100644 --- a/src/mongo/db/auth/user.cpp +++ b/src/mongo/db/auth/user.cpp @@ -43,20 +43,15 @@ namespace mongo { namespace { -SHA256Block computeDigest(const UserName& name, const boost::optional<OID>& id) { +SHA256Block computeDigest(const UserName& name) { const auto& fn = name.getFullName(); - - if (id) { - return SHA256Block::computeHash({id->toCDR(), ConstDataRange(fn.c_str(), fn.size())}); - } else { - return SHA256Block::computeHash({ConstDataRange(fn.c_str(), fn.size())}); - } + return SHA256Block::computeHash({ConstDataRange(fn.c_str(), fn.size())}); }; } // namespace User::User(const UserName& name) - : _name(name), _id(), _digest(computeDigest(_name, _id)), _refCount(0), _isValid(1) {} + : _name(name), _digest(computeDigest(_name)), _refCount(0), _isValid(1) {} User::~User() { dassert(_refCount == 0); @@ -66,10 +61,6 @@ const UserName& User::getName() const { return _name; } -const boost::optional<OID>& User::getID() const { - return _id; -} - const SHA256Block& User::getDigest() const { return _digest; } @@ -106,11 +97,6 @@ const ActionSet User::getActionsForResource(const ResourcePattern& resource) con return it->second.getActions(); } -void User::setID(boost::optional<OID> id) { - _id = std::move(id); - _digest = computeDigest(_name, _id); -} - void User::setCredentials(const CredentialData& credentials) { _credentials = credentials; } diff --git a/src/mongo/db/auth/user.h b/src/mongo/db/auth/user.h index 7807043652d..8deead28046 100644 --- a/src/mongo/db/auth/user.h +++ b/src/mongo/db/auth/user.h @@ -31,8 +31,6 @@ #include <vector> #include "mongo/base/disallow_copying.h" -#include "mongo/bson/oid.h" -#include "mongo/crypto/sha256_block.h" #include "mongo/db/auth/privilege.h" #include "mongo/db/auth/resource_pattern.h" #include "mongo/db/auth/restriction_set.h" @@ -89,11 +87,6 @@ public: const UserName& getName() const; /** - * Returns the user's id. - */ - const boost::optional<OID>& getID() const; - - /** * Returns a digest of the user's identity */ const SHA256Block& getDigest() const; @@ -146,11 +139,6 @@ public: // Mutators below. Mutation functions should *only* be called by the AuthorizationManager /** - * Set the id for this user. - */ - void setID(boost::optional<OID> id); - - /** * Sets this user's authentication credentials. */ void setCredentials(const CredentialData& credentials); @@ -232,12 +220,6 @@ public: private: UserName _name; - // An id for this user. We use this to identify different "generations" of the same username - // (ie a user "Lily" is dropped and then added). This field is optional to facilitate the - // upgrade path from 3.4 to 3.6. When comparing User documents' generations, we consider - // an unset _id field to be a distinct value that will fail to compare to any other id value. - boost::optional<OID> _id; - // Digest of the full username SHA256Block _digest; diff --git a/src/mongo/db/auth/user_document_parser.cpp b/src/mongo/db/auth/user_document_parser.cpp index 1b778ed4e17..aca408636a3 100644 --- a/src/mongo/db/auth/user_document_parser.cpp +++ b/src/mongo/db/auth/user_document_parser.cpp @@ -228,7 +228,6 @@ Status _checkV2RolesArray(const BSONElement& rolesElement) { Status V2UserDocumentParser::checkValidUserDocument(const BSONObj& doc) const { BSONElement userElement = doc[AuthorizationManager::USER_NAME_FIELD_NAME]; - BSONElement userIDElement = doc[AuthorizationManager::USER_ID_FIELD_NAME]; BSONElement userDBElement = doc[AuthorizationManager::USER_DB_FIELD_NAME]; BSONElement credentialsElement = doc[CREDENTIALS_FIELD_NAME]; BSONElement rolesElement = doc[ROLES_FIELD_NAME]; @@ -239,11 +238,6 @@ Status V2UserDocumentParser::checkValidUserDocument(const BSONObj& doc) const { if (userElement.valueStringData().empty()) return _badValue("User document needs 'user' field to be non-empty", 0); - // If we have an id field, make sure it is an OID - if (!userIDElement.eoo() && (userIDElement.type() != BSONType::jstOID)) { - return _badValue("User document 'userId' field must be an OID", 0); - } - // Validate the "db" element if (userDBElement.type() != String || userDBElement.valueStringData().empty()) { return _badValue("User document needs 'db' field to be a non-empty string", 0); @@ -317,15 +311,6 @@ std::string V2UserDocumentParser::extractUserNameFromUserDocument(const BSONObj& return doc[AuthorizationManager::USER_NAME_FIELD_NAME].str(); } -boost::optional<OID> V2UserDocumentParser::extractUserIDFromUserDocument(const BSONObj& doc) const { - BSONElement e = doc[AuthorizationManager::USER_ID_FIELD_NAME]; - if (e.type() == BSONType::EOO) { - return boost::optional<OID>(); - } - - return e.OID(); -} - Status V2UserDocumentParser::initializeUserCredentialsFromUserDocument( User* user, const BSONObj& privDoc) const { User::CredentialData credentials; diff --git a/src/mongo/db/auth/user_document_parser.h b/src/mongo/db/auth/user_document_parser.h index 2deb27d05e2..2e8aadc2a25 100644 --- a/src/mongo/db/auth/user_document_parser.h +++ b/src/mongo/db/auth/user_document_parser.h @@ -68,8 +68,6 @@ public: std::string extractUserNameFromUserDocument(const BSONObj& doc) const; - boost::optional<OID> extractUserIDFromUserDocument(const BSONObj& doc) const; - Status initializeUserCredentialsFromUserDocument(User* user, const BSONObj& privDoc) const; Status initializeUserRolesFromUserDocument(const BSONObj& doc, User* user) const; diff --git a/src/mongo/db/auth/user_document_parser_test.cpp b/src/mongo/db/auth/user_document_parser_test.cpp index ae27f0d0c6c..0ce0d378ea9 100644 --- a/src/mongo/db/auth/user_document_parser_test.cpp +++ b/src/mongo/db/auth/user_document_parser_test.cpp @@ -32,7 +32,6 @@ #include "mongo/platform/basic.h" #include "mongo/base/status.h" -#include "mongo/bson/oid.h" #include "mongo/db/auth/action_set.h" #include "mongo/db/auth/action_type.h" #include "mongo/db/auth/authorization_manager.h" @@ -260,32 +259,6 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) { << "roles" << emptyArray))); - // Id field should be OID - ASSERT_OK(v2parser.checkValidUserDocument(BSON("user" - << "spencer" - << "userId" - << OID::gen() - << "db" - << "test" - << "credentials" - << BSON("MONGODB-CR" - << "a") - << "roles" - << emptyArray))); - - // Non-OID id fields are rejected - ASSERT_NOT_OK(v2parser.checkValidUserDocument(BSON("user" - << "spencer" - << "userId" - << "notAnOID" - << "db" - << "test" - << "credentials" - << BSON("MONGODB-CR" - << "a") - << "roles" - << emptyArray))); - // Need source field ASSERT_NOT_OK(v2parser.checkValidUserDocument(BSON("user" << "spencer" @@ -459,25 +432,6 @@ TEST_F(V2UserDocumentParsing, V2DocumentValidation) { << "dbA"))))); } -TEST_F(V2UserDocumentParsing, V2UserIDExtraction) { - OID oid = OID::gen(); - - // No id is present - ASSERT(!v2parser.extractUserIDFromUserDocument(BSON("user" - << "sam" - << "db" - << "test"))); - // Valid OID is present - auto res = v2parser.extractUserIDFromUserDocument(BSON("user" - << "sam" - << "userId" - << oid - << "db" - << "test")); - ASSERT(res); - ASSERT(res == oid); -} - TEST_F(V2UserDocumentParsing, V2CredentialExtraction) { // Old "pwd" field not valid ASSERT_NOT_OK(v2parser.initializeUserCredentialsFromUserDocument(user.get(), diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp index 4c088f97493..c5229b8daa3 100644 --- a/src/mongo/db/commands/authentication_commands.cpp +++ b/src/mongo/db/commands/authentication_commands.cpp @@ -263,8 +263,7 @@ Status CmdAuthenticate::_authenticateCR(OperationContext* opCtx, } User* userObj; - Status status = - getGlobalAuthorizationManager()->acquireUserForInitialAuth(opCtx, user, &userObj); + Status status = getGlobalAuthorizationManager()->acquireUser(opCtx, user, &userObj); if (!status.isOK()) { // Failure to find the privilege document indicates no-such-user, a fact that we do not // wish to reveal to the client. So, we return AuthenticationFailed rather than passing diff --git a/src/mongo/db/commands/user_management_commands.cpp b/src/mongo/db/commands/user_management_commands.cpp index 65a9ffd3164..8e4842b87f5 100644 --- a/src/mongo/db/commands/user_management_commands.cpp +++ b/src/mongo/db/commands/user_management_commands.cpp @@ -39,7 +39,6 @@ #include "mongo/bson/mutable/algorithm.h" #include "mongo/bson/mutable/document.h" #include "mongo/bson/mutable/element.h" -#include "mongo/bson/oid.h" #include "mongo/bson/util/bson_extract.h" #include "mongo/client/dbclientinterface.h" #include "mongo/config.h" @@ -140,7 +139,7 @@ Status getCurrentUserRoles(OperationContext* opCtx, unordered_set<RoleName>* roles) { User* user; authzManager->invalidateUserByName(userName); // Need to make sure cache entry is up to date - Status status = authzManager->acquireUserForInitialAuth(opCtx, userName, &user); + Status status = authzManager->acquireUser(opCtx, userName, &user); if (!status.isOK()) { return status; } @@ -673,7 +672,6 @@ public: userObjBuilder.append( "_id", str::stream() << args.userName.getDB() << "." << args.userName.getUser()); userObjBuilder.append(AuthorizationManager::USER_NAME_FIELD_NAME, args.userName.getUser()); - userObjBuilder.append(AuthorizationManager::USER_ID_FIELD_NAME, OID::gen()); userObjBuilder.append(AuthorizationManager::USER_DB_FIELD_NAME, args.userName.getDB()); ServiceContext* serviceContext = opCtx->getClient()->getServiceContext(); @@ -1231,9 +1229,7 @@ public: // to be stripped out BSONObjBuilder strippedUser(usersArrayBuilder.subobjStart()); for (const BSONElement& e : userDetails) { - if (!args.showCredentials && - (e.fieldNameStringData() == "credentials" || - e.fieldNameStringData() == AuthorizationManager::USER_ID_FIELD_NAME)) { + if (!args.showCredentials && e.fieldNameStringData() == "credentials") { continue; } @@ -1270,7 +1266,6 @@ public: BSONObjBuilder projection; projection.append("authenticationRestrictions", 0); if (!args.showCredentials) { - projection.append(AuthorizationManager::USER_ID_FIELD_NAME, 0); projection.append("credentials", 0); } const stdx::function<void(const BSONObj&)> function = stdx::bind( diff --git a/src/mongo/db/logical_session_id.idl b/src/mongo/db/logical_session_id.idl index c540c3c2174..24b58226f51 100644 --- a/src/mongo/db/logical_session_id.idl +++ b/src/mongo/db/logical_session_id.idl @@ -64,16 +64,6 @@ structs: id: LogicalSessionIdToClient timeoutMinutes: int - UserNameWithId: - description: "A struct representing the combination of a UserName and an id" - strict: true - fields: - name: - type: string - id: - type: objectid - optional: true - LogicalSessionRecord: description: "A struct representing a LogicalSessionRecord" strict: true @@ -83,7 +73,7 @@ structs: cpp_name: id lastUse: date user: - type: UserNameWithId + type: string optional: true LogicalSessionFromClient: diff --git a/src/mongo/db/logical_session_id_helpers.cpp b/src/mongo/db/logical_session_id_helpers.cpp index ae68e5037bf..fe8d2a1bb54 100644 --- a/src/mongo/db/logical_session_id_helpers.cpp +++ b/src/mongo/db/logical_session_id_helpers.cpp @@ -105,11 +105,7 @@ LogicalSessionRecord makeLogicalSessionRecord(OperationContext* opCtx, Date_t la invariant(user); id.setUid(user->getDigest()); - - UserNameWithId userDoc{}; - userDoc.setName(StringData(user->getName().toString())); - userDoc.setId(user->getID()); - lsr.setUser(userDoc); + lsr.setUser(StringData(user->getName().toString())); } else { id.setUid(kNoAuthDigest); } @@ -143,10 +139,7 @@ LogicalSessionRecord makeLogicalSessionRecord(OperationContext* opCtx, invariant(user); if (user->getDigest() == lsid.getUid()) { - UserNameWithId userDoc{}; - userDoc.setName(StringData(user->getName().toString())); - userDoc.setId(user->getID()); - lsr.setUser(userDoc); + lsr.setUser(StringData(user->getName().toString())); } } diff --git a/src/mongo/db/sessions_collection.cpp b/src/mongo/db/sessions_collection.cpp index 867ad0a1a82..04f73281234 100644 --- a/src/mongo/db/sessions_collection.cpp +++ b/src/mongo/db/sessions_collection.cpp @@ -63,7 +63,7 @@ BSONObj updateQuery(const LogicalSessionRecord& record, Date_t refreshTime) { if (record.getUser()) { BSONObjBuilder setBuilder(updateBuilder.subobjStart("$setOnInsert")); - setBuilder.append(LogicalSessionRecord::kUserFieldName, record.getUser()->toBSON()); + setBuilder.append(LogicalSessionRecord::kUserFieldName, BSON("name" << *record.getUser())); } return updateBuilder.obj(); |