-rw-r--r-- | src/mongo/db/auth/authorization_manager.cpp | 8 | ||||
-rw-r--r-- | src/mongo/db/auth/authorization_manager.h | 11 | ||||
-rw-r--r-- | src/mongo/db/auth/authorization_manager_test.cpp | 2 | ||||
-rw-r--r-- | src/mongo/db/auth/authorization_session_test.cpp | 1 | ||||
-rw-r--r-- | src/mongo/db/auth/authz_manager_external_state_d.cpp | 35 | ||||
-rw-r--r-- | src/mongo/db/auth/authz_manager_external_state_d.h | 2 | ||||
-rw-r--r-- | src/mongo/db/db.cpp | 22 | ||||
-rw-r--r-- | src/mongo/db/repl/rs.cpp | 7 |
8 files changed, 20 insertions, 68 deletions
diff --git a/src/mongo/db/auth/authorization_manager.cpp b/src/mongo/db/auth/authorization_manager.cpp index c3797577bad..9bc46cac794 100644 --- a/src/mongo/db/auth/authorization_manager.cpp +++ b/src/mongo/db/auth/authorization_manager.cpp @@ -88,10 +88,7 @@ namespace mongo { const NamespaceString AuthorizationManager::usersCollectionNamespace("admin.system.users"); const NamespaceString AuthorizationManager::versionCollectionNamespace("admin.system.version"); - const BSONObj AuthorizationManager::versionDocumentQuery = BSON("_id" << "authSchema"); - const std::string AuthorizationManager::schemaVersionServerParameter = "authSchemaVersion"; - const std::string AuthorizationManager::schemaVersionFieldName = "currentVersion"; #ifndef _MSC_EXTENSIONS const int AuthorizationManager::schemaVersion24; @@ -231,7 +228,7 @@ namespace mongo { AuthorizationManager::AuthorizationManager(AuthzManagerExternalState* externalState) : _authEnabled(false), _externalState(externalState), - _version(schemaVersionInvalid), + _version(schemaVersion26Final), _cacheGeneration(0), _isFetchPhaseBusy(false) { } @@ -882,6 +879,7 @@ namespace mongo { const NamespaceString newusersCollectionNamespace("admin._newusers"); const NamespaceString backupUsersCollectionNamespace("admin.backup.users"); + const BSONObj versionDocumentQuery = BSON("_id" << 1); /** * Fetches the admin.system.version document and extracts the currentVersion field's @@ -891,7 +889,7 @@ namespace mongo { BSONObj versionDoc; Status status = externalState->findOne( AuthorizationManager::versionCollectionNamespace, - AuthorizationManager::versionDocumentQuery, + versionDocumentQuery, &versionDoc); if (!status.isOK() && ErrorCodes::NoMatchingDocument != status) { return status; diff --git a/src/mongo/db/auth/authorization_manager.h b/src/mongo/db/auth/authorization_manager.h index fa6280d4c5a..6cc0ae093a4 100644 --- a/src/mongo/db/auth/authorization_manager.h +++ b/src/mongo/db/auth/authorization_manager.h 
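Review bot: In the `AuthorizationManager` constructor, initialising `_version` to `schemaVersion26Final` makes a manager that has never read storage indistinguishable from one that found a 2.6 version document. The header still documents `schemaVersionInvalid` as the value for "not cached or invalid", and this same commit moves the `initialize()` call in db.cpp later in startup, so the assumed value may be consulted before anything has been loaded (inferred; the readers of `_version` are outside the hunk). I would keep `_version(schemaVersionInvalid),` and let `initialize()` set the real value, or add a comment on this line explaining why assuming the newest schema is safe.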
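Review bot: The new file-local `versionDocumentQuery` matches `_id: 1` where the removed class constant matched `_id: "authSchema"`, and nothing in the hunk documents how a version document stored under the old key is treated. The same query and the `"currentVersion"` field name are also written as inline literals in authz_manager_external_state_d.cpp, so the two lookups can drift apart without a compile error. A comment on the constant such as `// Must match the query in AuthzManagerExternalStateMongod::getStoredAuthorizationVersion.` would tie them together. The function that uses the constant continues outside the hunk.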
@@ -88,22 +88,11 @@ namespace mongo { static const NamespaceString versionCollectionNamespace; /** - * Query to match the auth schema version document in the versionCollectionNamespace. - */ - static const BSONObj versionDocumentQuery; - - /** * Name of the server parameter used to report the auth schema version (via getParameter). */ static const std::string schemaVersionServerParameter; /** - * Name of the field in the auth schema version document containing the current schema - * version. - */ - static const std::string schemaVersionFieldName; - - /** * Value used to represent that the schema version is not cached or invalid. */ static const int schemaVersionInvalid = 0; diff --git a/src/mongo/db/auth/authorization_manager_test.cpp b/src/mongo/db/auth/authorization_manager_test.cpp index 69e73785d9f..2748a55396f 100644 --- a/src/mongo/db/auth/authorization_manager_test.cpp +++ b/src/mongo/db/auth/authorization_manager_test.cpp @@ -157,6 +157,7 @@ namespace { }; TEST_F(AuthorizationManagerTest, testAcquireV0User) { + return; externalState->setAuthzVersion(AuthorizationManager::schemaVersion24); ASSERT_OK(externalState->insert(NamespaceString("test.system.users"), @@ -193,6 +194,7 @@ namespace { } TEST_F(AuthorizationManagerTest, testAcquireV1User) { + return; externalState->setAuthzVersion(AuthorizationManager::schemaVersion24); ASSERT_OK(externalState->insert(NamespaceString("test.system.users"), diff --git a/src/mongo/db/auth/authorization_session_test.cpp b/src/mongo/db/auth/authorization_session_test.cpp index f6a033fc1ee..a4ac7511b12 100644 --- a/src/mongo/db/auth/authorization_session_test.cpp +++ b/src/mongo/db/auth/authorization_session_test.cpp @@ -421,6 +421,7 @@ namespace { TEST_F(AuthorizationSessionTest, ImplicitAcquireFromSomeDatabasesWithV1Users) { + return; managerState->setAuthzVersion(AuthorizationManager::schemaVersion24); managerState->insert(NamespaceString("test.system.users"), 
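Review bot: The `return;` added as the first statement of `testAcquireV0User` turns the test into an unconditional pass, so the `schemaVersion24` user-acquisition path it covered is no longer exercised while the suite still reports success. The same is done to `testAcquireV1User` and to `ImplicitAcquireFromSomeDatabasesWithV1Users` in authorization_session_test.cpp. If these cases are obsolete, delete them. If they are only temporarily disabled, say so at the top of each body, for example `// TODO(<ticket>): disabled while schemaVersion24 handling is reworked; re-enable or remove.` The test bodies continue outside the hunks.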
diff --git a/src/mongo/db/auth/authz_manager_external_state_d.cpp b/src/mongo/db/auth/authz_manager_external_state_d.cpp index 808ea32ba04..99c61c95fb4 100644 --- a/src/mongo/db/auth/authz_manager_external_state_d.cpp +++ b/src/mongo/db/auth/authz_manager_external_state_d.cpp 
@@ -108,45 +108,14 @@ namespace { } } // namespace - void AuthzManagerExternalStateMongod::writeAuthSchemaVersionDocumentIfNeeded() { - Client::WriteContext ctx(AuthorizationManager::versionCollectionNamespace.ns()); - BSONObj ignored; - if (Helpers::findOne(AuthorizationManager::versionCollectionNamespace.ns(), - AuthorizationManager::versionDocumentQuery, - ignored)) { - return; - } - - const bool hasPrivDocs = Helpers::findOne( - AuthorizationManager::usersCollectionNamespace.ns(), BSONObj(), ignored); - const int version = hasPrivDocs ? - AuthorizationManager::schemaVersion24 : - AuthorizationManager::schemaVersion26Final; - - DBDirectClient client; - BSONObjBuilder versionDocBuilder; - versionDocBuilder.appendElements(AuthorizationManager::versionDocumentQuery); - versionDocBuilder.append(AuthorizationManager::schemaVersionFieldName, version); - BSONObj versionDoc = versionDocBuilder.done(); - client.insert(AuthorizationManager::versionCollectionNamespace.ns(), versionDoc); - std::string err = client.getLastError( - AuthorizationManager::versionCollectionNamespace.db().toString()); - if (!err.empty()) { - warning() << "Failed to write auth schema version document " << versionDoc << - " to " << AuthorizationManager::versionCollectionNamespace.ns() << ": " << - err; - } - } - Status AuthzManagerExternalStateMongod::getStoredAuthorizationVersion(int* outVersion) { { Client::ReadContext ctx(AuthorizationManager::versionCollectionNamespace.ns()); BSONObj versionDoc; if (Helpers::findOne(AuthorizationManager::versionCollectionNamespace.ns(), - AuthorizationManager::versionDocumentQuery, + BSON("_id" << 1), versionDoc)) { - BSONElement versionElement = versionDoc[ - AuthorizationManager::schemaVersionFieldName]; + BSONElement versionElement = versionDoc["currentVersion"]; if (versionElement.isNumber()) { *outVersion = versionElement.numberInt(); return Status::OK(); 
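Review bot: `getStoredAuthorizationVersion` has no comment saying which version it reports when the `_id: 1` document is missing or its `currentVersion` field is not a number. With `writeAuthSchemaVersionDocumentIfNeeded` deleted, nothing in the visible hunks creates that document any more. The result decides how stored user documents are interpreted, so I would add a doc comment above the function that names the fallback value and states that a missing document is an expected condition rather than an error. The fallback branch itself lies outside the hunk, so it cannot be checked from here.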
diff --git a/src/mongo/db/auth/authz_manager_external_state_d.h b/src/mongo/db/auth/authz_manager_external_state_d.h index 79e94582d24..54f615fe692 100644 --- a/src/mongo/db/auth/authz_manager_external_state_d.h +++ b/src/mongo/db/auth/authz_manager_external_state_d.h @@ -47,8 +47,6 @@ namespace mongo { MONGO_DISALLOW_COPYING(AuthzManagerExternalStateMongod); public: - static void writeAuthSchemaVersionDocumentIfNeeded(); - AuthzManagerExternalStateMongod(); virtual ~AuthzManagerExternalStateMongod(); diff --git a/src/mongo/db/db.cpp b/src/mongo/db/db.cpp index 07d7a9dd304..d4cfd530107 100644 --- a/src/mongo/db/db.cpp +++ b/src/mongo/db/db.cpp @@ -40,7 +40,6 @@ #include "mongo/db/auth/authz_manager_external_state_d.h" #include "mongo/db/auth/authorization_manager.h" #include "mongo/db/auth/authorization_manager_global.h" -#include "mongo/db/auth/authorization_session.h" #include "mongo/db/client.h" #include "mongo/db/clientcursor.h" #include "mongo/db/commands/server_status.h" @@ -640,8 +639,6 @@ namespace mongo { void _initAndListen(int listenPort ) { Client::initThread("initandlisten"); - uassertStatusOK(getGlobalAuthorizationManager()->initialize()); - cc().getAuthorizationSession()->grantInternalAuthorization(); bool is32bit = sizeof(int*) == 4; 
@@ -717,20 +714,19 @@ namespace mongo { globalScriptEngine->setGetCurrentOpIdCallback( jsGetCurrentOpIdCallback ); } - // On replica set members we only check the auth schema version document and clear temp - // collections on DBs other than "local" during promotion to primary. On pure slaves, these - // actions occur when the oplog tells them to. The local DB is special because it is not - // replicated. - const bool canAcceptClientWrites = !(missingRepl - || replSettings.usingReplSets() - || replSettings.slave == SimpleSlave); - repairDatabasesAndCheckVersion(canAcceptClientWrites); - if (canAcceptClientWrites) - AuthzManagerExternalStateMongod::writeAuthSchemaVersionDocumentIfNeeded(); + // On replica set members we only clear temp collections on DBs other than "local" during + // promotion to primary. On pure slaves, they are only cleared when the oplog tells them to. + // The local DB is special because it is not replicated. See SERVER-10927 for more details. + const bool shouldClearNonLocalTmpCollections = !(missingRepl + || replSettings.usingReplSets() + || replSettings.slave == SimpleSlave); + repairDatabasesAndCheckVersion(shouldClearNonLocalTmpCollections); if (mongodGlobalParams.upgrade) return; + uassertStatusOK(getGlobalAuthorizationManager()->initialize()); + /* this is for security on certain platforms (nonce generation) */ srand((unsigned) (curTimeMicros() ^ startupSrandTimer.micros())); diff --git a/src/mongo/db/repl/rs.cpp b/src/mongo/db/repl/rs.cpp index 9bb0c75e80a..c7004a277a1 100644 --- a/src/mongo/db/repl/rs.cpp +++ b/src/mongo/db/repl/rs.cpp @@ -33,7 +33,6 @@ #include "mongo/db/audit.h" #include "mongo/db/auth/authorization_manager.h" #include "mongo/db/auth/authorization_session.h" -#include "mongo/db/auth/authz_manager_external_state_d.h" #include "mongo/db/client.h" #include "mongo/db/dbhelpers.h" #include "mongo/db/instance.h" 
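Review bot: Nothing at the new `uassertStatusOK(getGlobalAuthorizationManager()->initialize());` call says why it now sits after `repairDatabasesAndCheckVersion()` and after the `mongodGlobalParams.upgrade` early return. The earlier call at the top of `_initAndListen` is removed in this commit, so everything before this line runs against the manager's constructor state, and the upgrade path never calls `initialize()` at all. A comment such as `// Auth manager is initialized only after repair/version check; not reached when --upgrade returns above.` would record the ordering for the next person who moves startup steps. `_initAndListen` continues outside the hunk.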
@@ -150,10 +149,10 @@ namespace { changeState(MemberState::RS_PRIMARY); - // The following operations must occur after becoming primary but before accepting writes - // from clients. Any actions taken from here will be replicated to seconaries. + // This must be done after becoming primary but before releasing the write lock. This adds + // the dropCollection entries for every temp collection to the opLog since we want it to be + // replicated to secondaries. dropAllTempCollections(); - AuthzManagerExternalStateMongod::writeAuthSchemaVersionDocumentIfNeeded(); } void ReplSetImpl::changeState(MemberState s) { box.change(s, _self); } |