-rw-r--r-- | jstests/auth/copyauth.js | 48 | ||||
-rw-r--r-- | jstests/auth/upgrade_noauth_to_keyfile.js | 12 | ||||
-rw-r--r-- | jstests/auth/upgrade_noauth_to_keyfile_with_sharding.js | 20 | ||||
-rw-r--r-- | jstests/ssl/upgrade_allowssl_noauth_to_x509_ssl.js | 6 | ||||
-rw-r--r-- | src/mongo/client/authenticate.cpp | 6 | ||||
-rw-r--r-- | src/mongo/db/auth/internal_user_auth.h | 2 | ||||
-rw-r--r-- | src/mongo/db/initialize_server_global_state.cpp | 2 | ||||
-rw-r--r-- | src/mongo/db/server_options.h | 4 | ||||
-rw-r--r-- | src/mongo/db/server_options_helpers.cpp | 16 |
9 files changed, 59 insertions, 57 deletions
diff --git a/jstests/auth/copyauth.js b/jstests/auth/copyauth.js
index 2ba4466dac6..f9baf5dee79 100644
--- a/jstests/auth/copyauth.js
+++ b/jstests/auth/copyauth.js
@@ -14,8 +14,8 @@ var baseName = "jstests_clone_copyauth";
 *
 * clusterType - type of cluster to start. Options are "sharded", "repl", or "single".
 * startWithAuth - whether to start the cluster with authentication.
- * startWithTryClusterAuth - whether to start the cluster with --tryClusterAuth (startWithAuth must
- *also be true).
+ * startWithTransitionToAuth - whether to start the cluster with --transitionToAuth (startWithAuth
+ * must also be true).
 *
 * Member variables:
 *
@@ -28,12 +28,12 @@ var baseName = "jstests_clone_copyauth";
 *
 * stop() - stop and cleanup whatever nodes the helper spawned when it was created.
 */
-function ClusterSpawnHelper(clusterType, startWithAuth, startWithTryClusterAuth) {
+function ClusterSpawnHelper(clusterType, startWithAuth, startWithTransitionToAuth) {
 var singleNodeConfig = {};
 if (startWithAuth) {
 singleNodeConfig.keyFile = "jstests/libs/key1";
- if (startWithTryClusterAuth) {
- singleNodeConfig.tryClusterAuth = "";
+ if (startWithTransitionToAuth) {
+ singleNodeConfig.transitionToAuth = "";
 }
 }
 if (clusterType === "sharded") {
@@ -105,8 +105,8 @@ function copydbBetweenClustersTest(configObj) {
 'isSourceUsingAuth',
 'targetClusterType',
 'isTargetUsingAuth',
- 'isSourceUsingTryClusterAuth',
- 'isTargetUsingTryClusterAuth'
+ 'isSourceUsingTransitionToAuth',
+ 'isTargetUsingTransitionToAuth'
 ];
 var i;
@@ -118,7 +118,7 @@ function copydbBetweenClustersTest(configObj) {
 // 1. Get a connection to the source database, insert data and setup auth if applicable
 source = new ClusterSpawnHelper(configObj.sourceClusterType, configObj.isSourceUsingAuth,
- configObj.isSourceUsingTryClusterAuth);
+ configObj.isSourceUsingTransitionToAuth);
 if (configObj.isSourceUsingAuth) {
 // Create a super user so we can create a regular user and not be locked out afterwards
@@ -139,8 +139,8 @@ function copydbBetweenClustersTest(configObj) {
 var readWhenLoggedOut = function() {
 source.conn.getDB(baseName)[baseName].findOne();
 };
- if (configObj.isSourceUsingTryClusterAuth) {
- // tryClusterAuth does not turn on access control
+ if (configObj.isSourceUsingTransitionToAuth) {
+ // transitionToAuth does not turn on access control
 assert.doesNotThrow(readWhenLoggedOut);
 } else {
 assert.throws(readWhenLoggedOut);
@@ -154,7 +154,7 @@ function copydbBetweenClustersTest(configObj) {
 // 2. Get a connection to the target database, and set up auth if necessary
 target = new ClusterSpawnHelper(configObj.targetClusterType, configObj.isTargetUsingAuth,
- configObj.isTargetUsingTryClusterAuth);
+ configObj.isTargetUsingTransitionToAuth);
 if (configObj.isTargetUsingAuth) {
 target.conn.getDB("admin")
@@ -163,8 +163,8 @@ function copydbBetweenClustersTest(configObj) {
 var readWhenLoggedOut = function() {
 target.conn.getDB(baseName)[baseName].findOne();
 };
- if (configObj.isTargetUsingTryClusterAuth) {
- // tryClusterAuth does not turn on access control
+ if (configObj.isTargetUsingTransitionToAuth) {
+ // transitionToAuth does not turn on access control
 assert.doesNotThrow(readWhenLoggedOut);
 } else {
 assert.throws(readWhenLoggedOut);
@@ -199,10 +199,10 @@ function copydbBetweenClustersTest(configObj) {
 var sourceClusterTypeValues = ["single", "repl", "sharded"];
 var isSourceUsingAuthValues = [true, false];
- var isSourceUsingTryClusterAuthValues = [true, false];
+ var isSourceUsingTransitionToAuthValues = [true, false];
 var targetClusterTypeValues = ["single", "repl", "sharded"];
 var isTargetUsingAuthValues = [true, false];
- var isTargetUsingTryClusterAuthValues = [true, false];
+ var isTargetUsingTransitionToAuthValues = [true, false];
 for (var i = 0; i < sourceClusterTypeValues.length; i++) {
 for (var j = 0; j < isSourceUsingAuthValues.length; j++) {
 for (var k = 0; k < targetClusterTypeValues.length; k++) {
@@ -230,16 +230,16 @@ function copydbBetweenClustersTest(configObj) {
 continue;
 }
- for (var m = 0; m < isSourceUsingTryClusterAuthValues.length; m++) {
- if (isSourceUsingTryClusterAuthValues[m] === true &&
+ for (var m = 0; m < isSourceUsingTransitionToAuthValues.length; m++) {
+ if (isSourceUsingTransitionToAuthValues[m] === true &&
 isSourceUsingAuthValues[j] === false) {
- // tryClusterAuth requires auth parameters
+ // transitionToAuth requires auth parameters
 continue;
 }
- for (var n = 0; n < isTargetUsingTryClusterAuthValues.length; n++) {
- if (isTargetUsingTryClusterAuthValues[n] === true &&
+ for (var n = 0; n < isTargetUsingTransitionToAuthValues.length; n++) {
+ if (isTargetUsingTransitionToAuthValues[n] === true &&
 isTargetUsingAuthValues[l] === false) {
- // tryClusterAuth requires auth parameters
+ // transitionToAuth requires auth parameters
 continue;
 }
 var testCase = {
@@ -247,8 +247,10 @@ function copydbBetweenClustersTest(configObj) {
 'isSourceUsingAuth': isSourceUsingAuthValues[j],
 'targetClusterType': targetClusterTypeValues[k],
 'isTargetUsingAuth': isTargetUsingAuthValues[l],
- 'isSourceUsingTryClusterAuth': isSourceUsingTryClusterAuthValues[m],
- 'isTargetUsingTryClusterAuth': isTargetUsingTryClusterAuthValues[n]
+ 'isSourceUsingTransitionToAuth':
+ isSourceUsingTransitionToAuthValues[m],
+ 'isTargetUsingTransitionToAuth':
+ isTargetUsingTransitionToAuthValues[n]
 };
 print("Running copydb with auth test:");
 printjson(testCase);
diff --git a/jstests/auth/upgrade_noauth_to_keyfile.js b/jstests/auth/upgrade_noauth_to_keyfile.js
index 780acc9e6a6..372ae61af2b 100644
--- a/jstests/auth/upgrade_noauth_to_keyfile.js
+++ b/jstests/auth/upgrade_noauth_to_keyfile.js
@@ -17,16 +17,16 @@ load('jstests/multiVersion/libs/multi_rs.js');
 };
 // Undefine the flags we're replacing, otherwise upgradeSet will keep old values.
- var tryClusterAuthOptions = {
+ var transitionToAuthOptions = {
 noauth: undefined,
 clusterAuthMode: 'keyFile',
 keyFile: keyFilePath,
- tryClusterAuth: ''
+ transitionToAuth: ''
 };
 var keyFileOptions = {
 clusterAuthMode: 'keyFile',
 keyFile: keyFilePath,
- tryClusterAuth: undefined
+ transitionToAuth: undefined
 };
 var rst = new ReplSetTest({name: 'noauthSet', nodes: 3, nodeOptions: noAuthOptions});
@@ -41,13 +41,13 @@ load('jstests/multiVersion/libs/multi_rs.js');
 rstConn1.getDB('test').a.insert({a: 1, str: 'TESTTESTTEST'});
 assert.eq(1, rstConn1.getDB('test').a.count(), 'Error interacting with replSet');
- print('=== UPGRADE noauth -> tryClusterAuth/keyFile ===');
- rst.upgradeSet(tryClusterAuthOptions);
+ print('=== UPGRADE noauth -> transitionToAuth/keyFile ===');
+ rst.upgradeSet(transitionToAuthOptions);
 var rstConn2 = rst.getPrimary();
 rstConn2.getDB('test').a.insert({a: 1, str: 'TESTTESTTEST'});
 assert.eq(2, rstConn2.getDB('test').a.count(), 'Error interacting with replSet');
- print('=== UPGRADE tryClusterAuth/keyFile -> keyFile ===');
+ print('=== UPGRADE transitionToAuth/keyFile -> keyFile ===');
 rst.upgradeSet(keyFileOptions, 'root', 'root');
 // upgradeSet leaves its connections logged in as root
diff --git a/jstests/auth/upgrade_noauth_to_keyfile_with_sharding.js b/jstests/auth/upgrade_noauth_to_keyfile_with_sharding.js
index f36c545f551..f6ecfec9abb 100644
--- a/jstests/auth/upgrade_noauth_to_keyfile_with_sharding.js
+++ b/jstests/auth/upgrade_noauth_to_keyfile_with_sharding.js
@@ -10,26 +10,26 @@ load('jstests/ssl/libs/ssl_helpers.js');
 var noAuthOptions = {
 noauth: ''
 };
- var tryClusterAuthOptions = {
+ var transitionToAuthOptions = {
 clusterAuthMode: 'keyFile',
 keyFile: KEYFILE,
- tryClusterAuth: ''
+ transitionToAuth: ''
 };
 var keyFileOptions = {
 clusterAuthMode: 'keyFile',
 keyFile: KEYFILE
 };
- print('=== Testing no-auth/tryClusterAuth cluster ===');
- mixedShardTest(noAuthOptions, tryClusterAuthOptions, true);
- mixedShardTest(tryClusterAuthOptions, noAuthOptions, true);
+ print('=== Testing no-auth/transitionToAuth cluster ===');
+ mixedShardTest(noAuthOptions, transitionToAuthOptions, true);
+ mixedShardTest(transitionToAuthOptions, noAuthOptions, true);
- print('=== Testing tryClusterAuth/tryClusterAuth cluster ===');
- mixedShardTest(tryClusterAuthOptions, tryClusterAuthOptions, true);
+ print('=== Testing transitionToAuth/transitionToAuth cluster ===');
+ mixedShardTest(transitionToAuthOptions, transitionToAuthOptions, true);
- print('=== Testing tryClusterAuth/keyFile cluster ===');
- mixedShardTest(keyFileOptions, tryClusterAuthOptions, true);
- mixedShardTest(tryClusterAuthOptions, keyFileOptions, true);
+ print('=== Testing transitionToAuth/keyFile cluster ===');
+ mixedShardTest(keyFileOptions, transitionToAuthOptions, true);
+ mixedShardTest(transitionToAuthOptions, keyFileOptions, true);
 print('=== Testing no-auth/keyFile cluster fails ===');
 mixedShardTest(noAuthOptions, keyFileOptions, false);
diff --git a/jstests/ssl/upgrade_allowssl_noauth_to_x509_ssl.js b/jstests/ssl/upgrade_allowssl_noauth_to_x509_ssl.js
index 4932014302f..e7ca25b7304 100644
--- a/jstests/ssl/upgrade_allowssl_noauth_to_x509_ssl.js
+++ b/jstests/ssl/upgrade_allowssl_noauth_to_x509_ssl.js
@@ -14,10 +14,10 @@ load('jstests/ssl/libs/ssl_helpers.js');
 var noAuthAllowSSL = Object.merge(allowSSL, {noauth: ''});
 // Undefine the flags we're replacing, otherwise upgradeSet will keep old values.
- var tryX509preferSSL =
- Object.merge(preferSSL, {noauth: undefined, tryClusterAuth: '', clusterAuthMode: 'x509'});
+ var tryX509preferSSL = Object.merge(
+ preferSSL, {noauth: undefined, transitionToAuth: '', clusterAuthMode: 'x509'});
 var x509RequireSSL =
- Object.merge(requireSSL, {tryClusterAuth: undefined, clusterAuthMode: 'x509'});
+ Object.merge(requireSSL, {transitionToAuth: undefined, clusterAuthMode: 'x509'});
 var rst = new ReplSetTest({name: 'noauthSet', nodes: 3, nodeOptions: noAuthAllowSSL});
 rst.startSet();
diff --git a/src/mongo/client/authenticate.cpp b/src/mongo/client/authenticate.cpp
index 477ae40dbb9..498b37480b5 100644
--- a/src/mongo/client/authenticate.cpp
+++ b/src/mongo/client/authenticate.cpp
@@ -242,7 +242,7 @@ void authX509(RunCommandHook runCommand,
 //
 bool isFailedAuthOk(const AuthResponse& response) {
- return (response == ErrorCodes::AuthenticationFailed && serverGlobalParams.tryClusterAuth);
+ return (response == ErrorCodes::AuthenticationFailed && serverGlobalParams.transitionToAuth);
 }
 void auth(RunCommandHook runCommand,
@@ -253,8 +253,8 @@ void auth(RunCommandHook runCommand,
 std::string mechanism;
 auto authCompletionHandler = [handler](AuthResponse response) {
 if (isFailedAuthOk(response)) {
- // If auth failed in tryClusterAuth, just pretend it succeeded.
- log() << "Failed to authenticate in tryClusterAuth, falling back to no "
+ // If auth failed in transitionToAuth, just pretend it succeeded.
+ log() << "Failed to authenticate in transitionToAuth, falling back to no "
 "authentication.";
 // We need to mock a successful AuthResponse.
diff --git a/src/mongo/db/auth/internal_user_auth.h b/src/mongo/db/auth/internal_user_auth.h
index edb8480232d..1147c22591e 100644
--- a/src/mongo/db/auth/internal_user_auth.h
+++ b/src/mongo/db/auth/internal_user_auth.h
@@ -33,7 +33,7 @@ class BSONObj;
 /**
 * @return true if internal authentication parameters has been set up. Note this does not
- * imply that auth is enabled. For instance, with the --tryClusterAuth flag this will
+ * imply that auth is enabled. For instance, with the --transitionToAuth flag this will
 * be set and auth will be disabled.
 */
 bool isInternalAuthSet();
diff --git a/src/mongo/db/initialize_server_global_state.cpp b/src/mongo/db/initialize_server_global_state.cpp
index 1341f61f3ff..c9a313491f8 100644
--- a/src/mongo/db/initialize_server_global_state.cpp
+++ b/src/mongo/db/initialize_server_global_state.cpp
@@ -352,7 +352,7 @@ bool initializeServerGlobalState() {
 // Auto-enable auth unless we are in mixed auth/no-auth or clusterAuthMode was not provided.
 // clusterAuthMode defaults to "keyFile" if a --keyFile parameter is provided.
 if (clusterAuthMode != ServerGlobalParams::ClusterAuthMode_undefined &&
- !serverGlobalParams.tryClusterAuth) {
+ !serverGlobalParams.transitionToAuth) {
 getGlobalAuthorizationManager()->setAuthEnabled(true);
 }
diff --git a/src/mongo/db/server_options.h b/src/mongo/db/server_options.h
index 2e0e4acc180..0cbfba5e53a 100644
--- a/src/mongo/db/server_options.h
+++ b/src/mongo/db/server_options.h
@@ -110,8 +110,8 @@ struct ServerGlobalParams {
 AuthState authState = AuthState::kUndefined;
- bool tryClusterAuth = false; // --tryClusterAuth, mixed mode for rolling auth upgrade
- AtomicInt32 clusterAuthMode; // --clusterAuthMode, the internal cluster auth mode
+ bool transitionToAuth = false; // --transitionToAuth, mixed mode for rolling auth upgrade
+ AtomicInt32 clusterAuthMode; // --clusterAuthMode, the internal cluster auth mode
 enum ClusterAuthModes {
 ClusterAuthMode_undefined,
diff --git a/src/mongo/db/server_options_helpers.cpp b/src/mongo/db/server_options_helpers.cpp
index 98fa47f8400..e5fde15b11e 100644
--- a/src/mongo/db/server_options_helpers.cpp
+++ b/src/mongo/db/server_options_helpers.cpp
@@ -276,7 +276,7 @@ Status addGeneralServerOptions(moe::OptionSection* options) {
 .setSources(moe::SourceAllLegacy)
 .incompatibleWith("auth")
 .incompatibleWith("keyFile")
- .incompatibleWith("tryClusterAuth")
+ .incompatibleWith("transitionToAuth")
 .incompatibleWith("clusterAuthMode");
 options->addOptionChaining(
@@ -296,8 +296,8 @@ Status addGeneralServerOptions(moe::OptionSection* options) {
 .setSources(moe::SourceYAMLConfig);
 options->addOptionChaining(
- "security.tryClusterAuth",
- "tryClusterAuth",
+ "security.transitionToAuth",
+ "transitionToAuth",
 moe::Switch,
 "For rolling access control upgrade. Attempt to authenticate over outgoing "
 "connections and proceed regardless of success. Accept incoming connections "
@@ -798,8 +798,8 @@ Status storeServerOptions(const moe::Environment& params, const std::vector<std:
 serverGlobalParams.isHttpInterfaceEnabled = params["net.http.enabled"].as<bool>();
 }
- if (params.count("security.tryClusterAuth")) {
- serverGlobalParams.tryClusterAuth = params["security.tryClusterAuth"].as<bool>();
+ if (params.count("security.transitionToAuth")) {
+ serverGlobalParams.transitionToAuth = params["security.transitionToAuth"].as<bool>();
 }
 if (params.count("security.clusterAuthMode")) {
@@ -967,7 +967,7 @@ Status storeServerOptions(const moe::Environment& params, const std::vector<std:
 boost::filesystem::absolute(params["security.keyFile"].as<string>()).generic_string();
 }
- if (serverGlobalParams.tryClusterAuth ||
+ if (serverGlobalParams.transitionToAuth ||
 (params.count("security.authorization") &&
 params["security.authorization"].as<std::string>() == "disabled")) {
 serverGlobalParams.authState = ServerGlobalParams::AuthState::kDisabled;
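Review bot: In the last hunk on this line (storeServerOptions, `if (serverGlobalParams.transitionToAuth || ...`), the flag is tested first, so `authState` becomes `kDisabled` even when `security.authorization` is explicitly set to `enabled`, and nothing visible rejects or reports that combination. The modifiers on the `security.transitionToAuth` option definition lie outside the earlier hunk, so the parser may already forbid it; if it does not, an operator can assume access control is enforced while the test comments in this commit state that `transitionToAuth does not turn on access control`. I would at least document the precedence above the branch, `// transitionToAuth overrides security.authorization: access control stays off until the flag is removed`, and consider returning `ErrorCodes::BadValue` for the conflicting pair, as the keyFile/x509 check further down in the same function does. The function body continues outside the hunk.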
@@ -1015,11 +1015,11 @@ Status storeServerOptions(const moe::Environment& params, const std::vector<std:
 serverGlobalParams.clusterAuthMode.store(ServerGlobalParams::ClusterAuthMode_keyFile);
 }
 int clusterAuthMode = serverGlobalParams.clusterAuthMode.load();
- if (serverGlobalParams.tryClusterAuth &&
+ if (serverGlobalParams.transitionToAuth &&
 (clusterAuthMode != ServerGlobalParams::ClusterAuthMode_keyFile &&
 clusterAuthMode != ServerGlobalParams::ClusterAuthMode_x509)) {
 return Status(ErrorCodes::BadValue,
- "--tryClusterAuth must be used with keyFile or x509 authentication");
+ "--transitionToAuth must be used with keyFile or x509 authentication");
 }
 #ifdef MONGO_CONFIG_SSL
 ret = storeSSLServerOptions(params); |