-rw-r--r--buildscripts/resmokeconfig/suites/search_beta_auth.yml22
-rw-r--r--buildscripts/resmokeconfig/suites/search_beta_ssl.yml11
-rw-r--r--etc/evergreen.yml14
-rw-r--r--src/mongo/SConscript22
-rw-r--r--src/mongo/db/SConscript4
-rw-r--r--src/mongo/db/auth/SConscript4
-rw-r--r--src/mongo/db/cluster_auth_mode_option.idl48
-rw-r--r--src/mongo/db/commands/SConscript19
-rw-r--r--src/mongo/db/keyfile_option.idl45
-rw-r--r--src/mongo/db/mongod_options.cpp4
-rw-r--r--src/mongo/db/server_options_general.idl1
-rw-r--r--src/mongo/db/server_options_nongeneral.idl13
-rw-r--r--src/mongo/s/mongos_options_init.cpp12
13 files changed, 187 insertions, 32 deletions
diff --git a/buildscripts/resmokeconfig/suites/search_beta_auth.yml b/buildscripts/resmokeconfig/suites/search_beta_auth.yml
new file mode 100644
index 00000000000..738355d4463
--- /dev/null
+++ b/buildscripts/resmokeconfig/suites/search_beta_auth.yml
@@ -0,0 +1,22 @@
+config_variables:
+- &keyFile jstests/libs/authTestsKey
+- &keyFileData Thiskeyisonlyforrunningthesuitewithauthenticationdontuseitinanytestsdirectly
+
+test_kind: js_test
+
+selector:
+ roots:
+ - src/mongo/db/modules/*/jstests/search_beta/*.js
+
+executor:
+ config:
+ shell_options:
+ global_vars:
+ TestData:
+ auth: true
+ authMechanism: SCRAM-SHA-1
+ keyFile: *keyFile
+ keyFileData: *keyFileData
+ roleGraphInvalidationIsFatal: true
+ nodb: ''
+ readMode: commands
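Review bot: `authMechanism: SCRAM-SHA-1` pins the whole suite to the older SCRAM mechanism, so under this configuration the search_beta tests never authenticate with SCRAM-SHA-256; the identical block is added to search_beta_ssl.yml. If the pin is deliberate, a comment above `TestData:` such as `# SCRAM-SHA-1 pinned deliberately: <reason>` would record why. The `keyFileData` value is a checked-in fixture and its own text says so, which is fine as long as that key file is never used outside the test harness.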
diff --git a/buildscripts/resmokeconfig/suites/search_beta_ssl.yml b/buildscripts/resmokeconfig/suites/search_beta_ssl.yml
index 5f7a3a053da..cf6b7e3fa11 100644
--- a/buildscripts/resmokeconfig/suites/search_beta_ssl.yml
+++ b/buildscripts/resmokeconfig/suites/search_beta_ssl.yml
@@ -1,3 +1,7 @@
+config_variables:
+- &keyFile jstests/libs/authTestsKey
+- &keyFileData Thiskeyisonlyforrunningthesuitewithauthenticationdontuseitinanytestsdirectly
+
test_kind: js_test
selector:
@@ -7,6 +11,13 @@ selector:
executor:
config:
shell_options:
+ global_vars:
+ TestData:
+ auth: true
+ authMechanism: SCRAM-SHA-1
+ keyFile: *keyFile
+ keyFileData: *keyFileData
+ roleGraphInvalidationIsFatal: true
nodb: ''
readMode: commands
ssl: ''
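Review bot: With `auth: true` added under `TestData:`, search_beta_ssl no longer runs these tests over TLS without authentication, and the suite name does not say that it now covers both. No suite touched by this commit defines a TLS-only run, so a TLS regression and an auth regression would both surface as a failure of the same task. If the combination is intended, a comment at the top of the file such as `# Runs search_beta with TLS and keyfile authentication enabled together` would make failures easier to attribute.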
diff --git a/etc/evergreen.yml b/etc/evergreen.yml
index 01138e999c1..49bf3426ae5 100644
--- a/etc/evergreen.yml
+++ b/etc/evergreen.yml
@@ -7978,6 +7978,15 @@ tasks:
resmoke_jobs_max: 1
- <<: *task_template
+ name: search_beta_auth
+ commands:
+ - func: "do setup"
+ - func: "run tests"
+ vars:
+ resmoke_args: --suites=search_beta_auth --storageEngine=wiredTiger
+ resmoke_jobs_max: 1
+
+- <<: *task_template
name: search_beta_ssl
commands:
- func: "do setup"
@@ -10081,6 +10090,7 @@ buildvariants:
- name: .rollbackfuzzer
- name: sasl
- name: search_beta
+ - name: search_beta_auth
- name: search_beta_ssl
- name: session_jscore_passthrough
- name: .sharding .jscore !.wo_snapshot !.multi_stmt
@@ -10272,6 +10282,7 @@ buildvariants:
- name: .rollbackfuzzer
- name: sasl
- name: search_beta
+ - name: search_beta_auth
- name: search_beta_ssl
- name: secondary_reads_passthrough_gen
- name: session_jscore_passthrough
@@ -10355,6 +10366,7 @@ buildvariants:
- name: .rollbackfuzzer
- name: sasl
- name: search_beta
+ - name: search_beta_auth
- name: search_beta_ssl
- name: secondary_reads_passthrough_gen
- name: session_jscore_passthrough
@@ -10416,6 +10428,7 @@ buildvariants:
- name: retryable_writes_jscore_passthrough_gen
- name: sasl
- name: search_beta
+ - name: search_beta_auth
- name: search_beta_ssl
- name: secondary_reads_passthrough_gen
- name: session_jscore_passthrough
@@ -10473,6 +10486,7 @@ buildvariants:
- name: .replica_sets .multi_oplog
- name: sasl
- name: search_beta
+ - name: search_beta_auth
- name: search_beta_ssl
- name: sharding_auth_audit_gen
- name: sharding_auth_gen
diff --git a/src/mongo/SConscript b/src/mongo/SConscript
index c8c8d009de4..735952f429b 100644
--- a/src/mongo/SConscript
+++ b/src/mongo/SConscript
@@ -341,15 +341,15 @@ mongod = env.Program(
'db/catalog/index_key_validate',
'db/cloner',
'db/collection_index_usage_tracker',
- 'db/commands/mongod_fcv',
'db/commands/mongod',
+ 'db/commands/mongod_fcv',
'db/commands/server_status_servers',
'db/common',
'db/concurrency/flow_control_ticketholder',
'db/concurrency/lock_manager',
'db/concurrency/write_conflict_exception',
- 'db/curop_metrics',
'db/curop',
+ 'db/curop_metrics',
'db/db_raii',
'db/dbdirectclient',
'db/dbhelpers',
@@ -357,9 +357,10 @@ mongod = env.Program(
'db/free_mon/free_mon_mongod',
'db/ftdc/ftdc_mongod',
'db/fts/ftsmongod',
- 'db/index_builds_coordinator_mongod',
'db/index/index_access_method',
'db/index/index_descriptor',
+ 'db/index_builds_coordinator_mongod',
+ 'db/initialize_server_security_state',
'db/initialize_snmp',
'db/introspect',
'db/keys_collection_client_direct',
@@ -368,7 +369,6 @@ mongod = env.Program(
'db/logical_time_metadata_hook',
'db/matcher/expressions_mongod_only',
'db/mongod_options',
- 'db/mongodandmongos',
'db/ops/write_ops_parsers',
'db/periodic_runner_job_abort_expired_transactions',
'db/periodic_runner_job_decrease_snapshot_cache_pressure',
@@ -389,8 +389,8 @@ mongod = env.Program(
'db/repl/rs_rollback',
'db/repl/rslog',
'db/repl/serveronly_repl',
- 'db/repl/storage_interface_impl',
'db/repl/storage_interface',
+ 'db/repl/storage_interface_impl',
'db/repl/topology_coordinator',
'db/rw_concern_d',
'db/s/balancer',
@@ -406,8 +406,8 @@ mongod = env.Program(
'db/storage/biggie/storage_biggie',
'db/storage/devnull/storage_devnull',
'db/storage/ephemeral_for_test/storage_ephemeral_for_test',
- 'db/storage/flow_control_parameters',
'db/storage/flow_control',
+ 'db/storage/flow_control_parameters',
'db/storage/storage_engine_lock_file',
'db/storage/storage_engine_metadata',
'db/storage/storage_init_d',
@@ -417,8 +417,8 @@ mongod = env.Program(
'db/traffic_recorder',
'db/ttl_collection_cache',
'db/ttl_d',
- 'db/update_index_data',
'db/update/update_driver',
+ 'db/update_index_data',
'db/views/views_mongod',
'db/windows_options' if env.TargetOSIs('windows') else [],
'executor/network_interface_factory',
@@ -506,17 +506,17 @@ mongos = env.Program(
LIBDEPS=[
'db/audit',
'db/auth/authmongos',
+ 'db/commands/server_status',
'db/commands/server_status_core',
'db/commands/server_status_servers',
- 'db/commands/server_status',
'db/curop',
'db/ftdc/ftdc_mongos',
- 'db/logical_session_cache_impl',
+ 'db/initialize_server_security_state',
'db/logical_session_cache',
+ 'db/logical_session_cache_impl',
'db/logical_time_metadata_hook',
- 'db/mongodandmongos',
- 'db/server_options_base',
'db/server_options',
+ 'db/server_options_base',
'db/service_liaison_mongos',
'db/sessions_collection_sharded',
'db/startup_warnings_common',
diff --git a/src/mongo/db/SConscript b/src/mongo/db/SConscript
index 8d789440a4f..864d55d2248 100644
--- a/src/mongo/db/SConscript
+++ b/src/mongo/db/SConscript
@@ -406,6 +406,8 @@ env.Library(
target='server_options_base',
source=[
'server_options_base.cpp',
+ env.Idlc('cluster_auth_mode_option.idl')[0],
+ env.Idlc('keyfile_option.idl')[0],
env.Idlc('server_options_base.idl')[0],
env.Idlc('server_options_general.idl')[0],
env.Idlc('server_options_nongeneral.idl')[0],
@@ -448,7 +450,7 @@ env.CppUnitTest(
# This library is linked into mongos and mongod only, not into the shell or any tools.
env.Library(
- target="mongodandmongos",
+ target="initialize_server_security_state",
source=[
"initialize_server_security_state.cpp",
],
diff --git a/src/mongo/db/auth/SConscript b/src/mongo/db/auth/SConscript
index f26a2c3d5b2..f77549b799b 100644
--- a/src/mongo/db/auth/SConscript
+++ b/src/mongo/db/auth/SConscript
@@ -276,12 +276,12 @@ env.Library(
'saslauth',
],
LIBDEPS_PRIVATE=[
- 'sasl_options_init',
'$BUILD_DIR/mongo/client/sasl_client',
'$BUILD_DIR/mongo/db/audit',
'$BUILD_DIR/mongo/db/commands',
- '$BUILD_DIR/mongo/db/commands/servers',
+ '$BUILD_DIR/mongo/db/commands/authentication_commands',
'$BUILD_DIR/mongo/db/commands/test_commands_enabled',
+ 'sasl_options_init',
],
)
diff --git a/src/mongo/db/cluster_auth_mode_option.idl b/src/mongo/db/cluster_auth_mode_option.idl
new file mode 100644
index 00000000000..e184eff2b08
--- /dev/null
+++ b/src/mongo/db/cluster_auth_mode_option.idl
@@ -0,0 +1,48 @@
+# Copyright (C) 2019-present MongoDB, Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the Server Side Public License, version 1,
+# as published by MongoDB, Inc.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# Server Side Public License for more details.
+#
+# You should have received a copy of the Server Side Public License
+# along with this program. If not, see
+# <http://www.mongodb.com/licensing/server-side-public-license>.
+#
+# As a special exception, the copyright holders give permission to link the
+# code of portions of this program with the OpenSSL library under certain
+# conditions as described in each individual source file and distribute
+# linked combinations including the program with the OpenSSL library. You
+# must comply with the Server Side Public License in all respects for
+# all of the code used other than as permitted herein. If you modify file(s)
+# with this exception, you may extend this exception to your version of the
+# file(s), but you are not obligated to do so. If you do not wish to do so,
+# delete this exception statement from your version. If you delete this
+# exception statement from all source files in the program, then also delete
+# it in the license file.
+#
+
+global:
+ cpp_namespace: "mongo"
+ cpp_includes:
+ - "mongo/db/server_options.h"
+ - "mongo/db/server_options_base.h"
+ configs:
+ section: 'General options'
+ source: [ cli, ini, yaml ]
+ initializer:
+ register: addClusterAuthModeServerOption
+
+configs:
+ 'security.clusterAuthMode':
+ description: >-
+ Authentication mode used for cluster authentication. Alternatives are
+ (keyFile|sendKeyFile|sendX509|x509)
+ short_name: clusterAuthMode
+ arg_vartype: String
+ validator:
+ callback: validateSecurityClusterAuthModeSetting
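Review bot: The `initializer: register: addClusterAuthModeServerOption` entry appears to make `security.clusterAuthMode` available only in binaries that call that function explicitly, where before it was registered together with the rest of server_options_nongeneral.idl; the same holds for `security.keyFile` in keyfile_option.idl. This commit adds the calls for mongod and mongos, but any other caller of `addNonGeneralServerOptions` would presumably stop accepting these two security options, and nothing in the file says so. A short comment above `initializer:` would help, e.g. `# Registered explicitly rather than with the non-general options; every server binary that supports cluster auth must call addClusterAuthModeServerOption().`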
diff --git a/src/mongo/db/commands/SConscript b/src/mongo/db/commands/SConscript
index ef2e9fa712c..61c39a599cd 100644
--- a/src/mongo/db/commands/SConscript
+++ b/src/mongo/db/commands/SConscript
@@ -133,7 +133,6 @@ env.Library(
env.Library(
target='servers',
source=[
- 'authentication_commands.cpp',
'conn_pool_stats.cpp',
'conn_pool_sync.cpp',
'connection_status.cpp',
@@ -149,9 +148,6 @@ env.Library(
],
LIBDEPS_PRIVATE=[
'$BUILD_DIR/mongo/client/clientdriver_minimal',
- '$BUILD_DIR/mongo/db/audit',
- '$BUILD_DIR/mongo/db/auth/sasl_options',
- '$BUILD_DIR/mongo/db/auth/user_document_parser',
'$BUILD_DIR/mongo/db/commands',
'$BUILD_DIR/mongo/db/common',
'$BUILD_DIR/mongo/db/log_process_details',
@@ -170,6 +166,7 @@ env.Library(
'$BUILD_DIR/mongo/s/sharding_legacy_api',
'$BUILD_DIR/mongo/scripting/scripting_common',
'$BUILD_DIR/mongo/util/ntservice',
+ 'authentication_commands',
'core',
'feature_compatibility_parsers',
'server_status',
@@ -178,6 +175,20 @@ env.Library(
)
env.Library(
+ target="authentication_commands",
+ source=[
+ 'authentication_commands.cpp',
+ ],
+ LIBDEPS_PRIVATE=[
+ '$BUILD_DIR/mongo/db/audit',
+ '$BUILD_DIR/mongo/db/auth/sasl_options',
+ '$BUILD_DIR/mongo/db/auth/user_document_parser',
+ '$BUILD_DIR/mongo/db/commands',
+ '$BUILD_DIR/mongo/util/net/ssl_manager',
+ ]
+)
+
+env.Library(
target="mongod_fsync",
source=[
"fsync.cpp",
diff --git a/src/mongo/db/keyfile_option.idl b/src/mongo/db/keyfile_option.idl
new file mode 100644
index 00000000000..09c1f66a145
--- /dev/null
+++ b/src/mongo/db/keyfile_option.idl
@@ -0,0 +1,45 @@
+# Copyright (C) 2019-present MongoDB, Inc.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the Server Side Public License, version 1,
+# as published by MongoDB, Inc.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# Server Side Public License for more details.
+#
+# You should have received a copy of the Server Side Public License
+# along with this program. If not, see
+# <http://www.mongodb.com/licensing/server-side-public-license>.
+#
+# As a special exception, the copyright holders give permission to link the
+# code of portions of this program with the OpenSSL library under certain
+# conditions as described in each individual source file and distribute
+# linked combinations including the program with the OpenSSL library. You
+# must comply with the Server Side Public License in all respects for
+# all of the code used other than as permitted herein. If you modify file(s)
+# with this exception, you may extend this exception to your version of the
+# file(s), but you are not obligated to do so. If you do not wish to do so,
+# delete this exception statement from your version. If you delete this
+# exception statement from all source files in the program, then also delete
+# it in the license file.
+#
+
+global:
+ cpp_namespace: "mongo"
+ cpp_includes:
+ - "mongo/db/server_options.h"
+ - "mongo/db/server_options_base.h"
+ configs:
+ section: 'General options'
+ source: [ cli, ini, yaml ]
+ initializer:
+ register: addKeyfileServerOption
+
+configs:
+ 'security.keyFile':
+ description: 'Private key for cluster authentication'
+ short_name: keyFile
+ arg_vartype: String
+ conflicts: noauth
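Review bot: `conflicts: noauth` now names an option that is declared in a different file, server_options_nongeneral.idl, and registered by a different function. In mongos_options_init.cpp the new code calls `addKeyfileServerOption` before `addNonGeneralServerOptions`, so `noauth` is not yet registered when this conflict is declared. Whether the option parser resolves conflict names lazily is not visible in this diff and should be confirmed, ideally with a test that passes both `--keyFile` and `--noauth`, because a dropped conflict would let the two be combined silently. A comment next to the line, e.g. `# noauth is declared in server_options_nongeneral.idl; both must be registered in the same binary`, would document the dependency.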
diff --git a/src/mongo/db/mongod_options.cpp b/src/mongo/db/mongod_options.cpp
index cdbff5a8d20..756263a6ff5 100644
--- a/src/mongo/db/mongod_options.cpp
+++ b/src/mongo/db/mongod_options.cpp
@@ -40,7 +40,9 @@
#include "mongo/bson/json.h"
#include "mongo/bson/util/builder.h"
#include "mongo/config.h"
+#include "mongo/db/cluster_auth_mode_option_gen.h"
#include "mongo/db/global_settings.h"
+#include "mongo/db/keyfile_option_gen.h"
#include "mongo/db/mongod_options_general_gen.h"
#include "mongo/db/mongod_options_legacy_gen.h"
#include "mongo/db/mongod_options_replication_gen.h"
@@ -84,6 +86,8 @@ Status addMongodOptions(moe::OptionSection* options) try {
uassertStatusOK(addMongodShardingOptions(options));
uassertStatusOK(addMongodStorageOptions(options));
uassertStatusOK(addMongodLegacyOptions(options));
+ uassertStatusOK(addKeyfileServerOption(options));
+ uassertStatusOK(addClusterAuthModeServerOption(options));
return Status::OK();
} catch (const AssertionException& ex) {
diff --git a/src/mongo/db/server_options_general.idl b/src/mongo/db/server_options_general.idl
index e6183be0c5d..2761bb62a94 100644
--- a/src/mongo/db/server_options_general.idl
+++ b/src/mongo/db/server_options_general.idl
@@ -169,4 +169,3 @@ configs:
arg_vartype: Switch
source: [ cli, ini ]
hidden: true
-
diff --git a/src/mongo/db/server_options_nongeneral.idl b/src/mongo/db/server_options_nongeneral.idl
index b561fb5ce1a..72d4108aa89 100644
--- a/src/mongo/db/server_options_nongeneral.idl
+++ b/src/mongo/db/server_options_nongeneral.idl
@@ -49,11 +49,6 @@ configs:
arg_vartype: Switch
canonicalize: canonicalizeNetBindIpAll
- 'security.keyFile':
- description: 'Private key for cluster authentication'
- short_name: keyFile
- arg_vartype: String
- conflicts: noauth
noauth:
description: 'Run without security'
arg_vartype: Switch
@@ -71,14 +66,6 @@ configs:
short_name: transitionToAuth
arg_vartype: Switch
conflicts: noauth
- 'security.clusterAuthMode':
- description: >-
- Authentication mode used for cluster authentication. Alternatives are
- (keyFile|sendKeyFile|sendX509|x509)
- short_name: clusterAuthMode
- arg_vartype: String
- validator:
- callback: validateSecurityClusterAuthModeSetting
'operationProfiling.slowOpThresholdMs':
description: 'Value of slow for profile and console log'
diff --git a/src/mongo/s/mongos_options_init.cpp b/src/mongo/s/mongos_options_init.cpp
index 3b10a7a2ce0..cf139b81b92 100644
--- a/src/mongo/s/mongos_options_init.cpp
+++ b/src/mongo/s/mongos_options_init.cpp
@@ -33,6 +33,8 @@
#include <iostream>
+#include "mongo/db/cluster_auth_mode_option_gen.h"
+#include "mongo/db/keyfile_option_gen.h"
#include "mongo/db/server_options_base.h"
#include "mongo/db/server_options_nongeneral_gen.h"
#include "mongo/util/exit_code.h"
@@ -47,6 +49,16 @@ MONGO_GENERAL_STARTUP_OPTIONS_REGISTER(MongosOptions)(InitializerContext* contex
return status;
}
+ status = addKeyfileServerOption(&moe::startupOptions);
+ if (!status.isOK()) {
+ return status;
+ }
+
+ status = addClusterAuthModeServerOption(&moe::startupOptions);
+ if (!status.isOK()) {
+ return status;
+ }
+
return addNonGeneralServerOptions(&moe::startupOptions);
}