Diffstat (limited to 'src/mongo/db/commands')
-rw-r--r-- | src/mongo/db/commands/SConscript | 4 | ||||
-rw-r--r-- | src/mongo/db/commands/kill_all_sessions_by_pattern_command.cpp | 119 | ||||
-rw-r--r-- | src/mongo/db/commands/kill_all_sessions_command.cpp | 107 | ||||
-rw-r--r-- | src/mongo/db/commands/kill_sessions_command.cpp | 134 |
4 files changed, 364 insertions, 0 deletions
diff --git a/src/mongo/db/commands/SConscript b/src/mongo/db/commands/SConscript
index 3ba7f61d588..9ea7617f4d7 100644
--- a/src/mongo/db/commands/SConscript
+++ b/src/mongo/db/commands/SConscript
@@ -63,6 +63,9 @@ env.Library(
 "generic.cpp",
 "hashcmd.cpp",
 "isself.cpp",
+ "kill_all_sessions_by_pattern_command.cpp",
+ "kill_all_sessions_command.cpp",
+ "kill_sessions_command.cpp",
 "mr_common.cpp",
 "parameters.cpp",
 "refresh_logical_session_cache_now.cpp",
@@ -85,6 +88,7 @@ env.Library(
 '$BUILD_DIR/mongo/db/exec/working_set',
 '$BUILD_DIR/mongo/db/index/key_generator',
 '$BUILD_DIR/mongo/db/index_names',
+ '$BUILD_DIR/mongo/db/kill_sessions',
 '$BUILD_DIR/mongo/db/lasterror',
 '$BUILD_DIR/mongo/db/log_process_details',
 '$BUILD_DIR/mongo/db/logical_session_cache',
diff --git a/src/mongo/db/commands/kill_all_sessions_by_pattern_command.cpp b/src/mongo/db/commands/kill_all_sessions_by_pattern_command.cpp
new file mode 100644
index 00000000000..48387e69e88
--- /dev/null
+++ b/src/mongo/db/commands/kill_all_sessions_by_pattern_command.cpp
@@ -0,0 +1,119 @@
+/**
+ * Copyright (C) 2017 MongoDB Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * As a special exception, the copyright holders give permission to link the
+ * code of portions of this program with the OpenSSL library under certain
+ * conditions as described in each individual source file and distribute
+ * linked combinations including the program with the OpenSSL library. You
+ * must comply with the GNU Affero General Public License in all respects
+ * for all of the code used other than as permitted herein. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you do not
+ * wish to do so, delete this exception statement from your version. If you
+ * delete this exception statement from all source files in the program,
+ * then also delete it in the license file.
+ */
+
+#define MONGO_LOG_DEFAULT_COMPONENT ::mongo::logger::LogComponent::kCommand
+
+#include "mongo/platform/basic.h"
+
+#include "mongo/base/init.h"
+#include "mongo/db/auth/action_set.h"
+#include "mongo/db/auth/action_type.h"
+#include "mongo/db/auth/authorization_manager.h"
+#include "mongo/db/auth/authorization_session.h"
+#include "mongo/db/auth/privilege.h"
+#include "mongo/db/client.h"
+#include "mongo/db/commands.h"
+#include "mongo/db/jsobj.h"
+#include "mongo/db/kill_sessions.h"
+#include "mongo/db/kill_sessions_common.h"
+#include "mongo/db/kill_sessions_local.h"
+#include "mongo/db/logical_session_cache.h"
+#include "mongo/db/logical_session_id.h"
+#include "mongo/db/logical_session_id_helpers.h"
+#include "mongo/db/operation_context.h"
+#include "mongo/db/stats/top.h"
+#include "mongo/util/log.h"
+
+namespace mongo {
+
+class KillAllSessionsByPatternCommand final : public BasicCommand {
+ MONGO_DISALLOW_COPYING(KillAllSessionsByPatternCommand);
+
+public:
+ KillAllSessionsByPatternCommand() : BasicCommand("killAllSessionsByPattern") {}
+
+ bool slaveOk() const override {
+ return true;
+ }
+ bool adminOnly() const override {
+ return false;
+ }
+ bool supportsWriteConcern(const BSONObj& cmd) const override {
+ return false;
+ }
+ void help(std::stringstream& help) const override {
+ help << "kill logical sessions by pattern";
+ }
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const std::string& dbname,
+ const BSONObj& cmdObj) override {
+ AuthorizationSession* authSession = AuthorizationSession::get(opCtx->getClient());
+ if (!authSession->isAuthorizedForPrivilege(
+ Privilege{ResourcePattern::forClusterResource(), ActionType::killAnySession})) {
+ return Status(ErrorCodes::Unauthorized, "Unauthorized");
+ }
+ return Status::OK();
+ }
+
+ virtual bool run(OperationContext* opCtx,
+ const std::string& db,
+ const BSONObj& cmdObj,
+ BSONObjBuilder& result) override {
+ IDLParserErrorContext ctx("KillAllSessionsByPatternCmd");
+ auto ksc = KillAllSessionsByPatternCmd::parse(ctx, cmdObj);
+
+ // The empty command kills all
+ if (ksc.getKillAllSessionsByPattern().empty()) {
+ ksc.setKillAllSessionsByPattern({makeKillAllSessionsByPattern(opCtx)});
+ } else {
+ // If a pattern is passed, you may only pass impersonate data if you have the
+ // impersonate privilege.
+ auto authSession = AuthorizationSession::get(opCtx->getClient());
+
+ if (!authSession->isAuthorizedForPrivilege(
+ Privilege(ResourcePattern::forClusterResource(), ActionType::impersonate))) {
+
+ for (const auto& pattern : ksc.getKillAllSessionsByPattern()) {
+ if (pattern.getUsers() || pattern.getRoles()) {
+ return appendCommandStatus(
+ result,
+ Status(ErrorCodes::Unauthorized,
+ "Not authorized to impersonate in killAllSessionsByPattern"));
+ }
+ }
+ }
+ }
+
+ KillAllSessionsByPatternSet patterns{ksc.getKillAllSessionsByPattern().begin(),
+ ksc.getKillAllSessionsByPattern().end()};
+
+ return appendCommandStatus(result, killSessionsCmdHelper(opCtx, result, patterns));
+ }
+} killAllSessionsByPatternCommand;
+
+} // namespace mongo
diff --git a/src/mongo/db/commands/kill_all_sessions_command.cpp b/src/mongo/db/commands/kill_all_sessions_command.cpp
new file mode 100644
index 00000000000..ba200c4e443
--- /dev/null
+++ b/src/mongo/db/commands/kill_all_sessions_command.cpp
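Review bot: In `KillAllSessionsByPatternCommand::run` (kill_all_sessions_by_pattern_command.cpp), the `impersonate` privilege is enforced inside `run()` rather than in `checkAuthForOperation`, so a request whose patterns have `getUsers()` or `getRoles()` set passes the command's authorization hook and is refused only afterwards. If authorization failures are audited from that hook (not visible in this diff), a denied impersonation attempt would not be recorded there. Either inspect the parsed patterns in `checkAuthForOperation`, or document the split at the check, for example `// impersonate depends on the parsed patterns, so it is enforced here and not in checkAuthForOperation; a denial is reported only through the command status`.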
@@ -0,0 +1,107 @@
+/**
+ * Copyright (C) 2017 MongoDB Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * As a special exception, the copyright holders give permission to link the
+ * code of portions of this program with the OpenSSL library under certain
+ * conditions as described in each individual source file and distribute
+ * linked combinations including the program with the OpenSSL library. You
+ * must comply with the GNU Affero General Public License in all respects
+ * for all of the code used other than as permitted herein. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you do not
+ * wish to do so, delete this exception statement from your version. If you
+ * delete this exception statement from all source files in the program,
+ * then also delete it in the license file.
+ */
+
+#define MONGO_LOG_DEFAULT_COMPONENT ::mongo::logger::LogComponent::kCommand
+
+#include "mongo/platform/basic.h"
+
+#include "mongo/base/init.h"
+#include "mongo/db/auth/action_set.h"
+#include "mongo/db/auth/action_type.h"
+#include "mongo/db/auth/authorization_manager.h"
+#include "mongo/db/auth/authorization_session.h"
+#include "mongo/db/auth/privilege.h"
+#include "mongo/db/client.h"
+#include "mongo/db/commands.h"
+#include "mongo/db/jsobj.h"
+#include "mongo/db/kill_sessions.h"
+#include "mongo/db/kill_sessions_common.h"
+#include "mongo/db/kill_sessions_local.h"
+#include "mongo/db/logical_session_cache.h"
+#include "mongo/db/logical_session_id.h"
+#include "mongo/db/logical_session_id_helpers.h"
+#include "mongo/db/operation_context.h"
+#include "mongo/db/stats/top.h"
+#include "mongo/util/log.h"
+
+namespace mongo {
+
+class KillAllSessionsCommand final : public BasicCommand {
+ MONGO_DISALLOW_COPYING(KillAllSessionsCommand);
+
+public:
+ KillAllSessionsCommand() : BasicCommand("killAllSessions") {}
+
+ bool slaveOk() const override {
+ return true;
+ }
+ bool adminOnly() const override {
+ return false;
+ }
+ bool supportsWriteConcern(const BSONObj& cmd) const override {
+ return false;
+ }
+ void help(std::stringstream& help) const override {
+ help << "kill all logical sessions, for a user, and their operations";
+ }
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const std::string& dbname,
+ const BSONObj& cmdObj) override {
+ AuthorizationSession* authSession = AuthorizationSession::get(opCtx->getClient());
+ if (!authSession->isAuthorizedForPrivilege(
+ Privilege{ResourcePattern::forClusterResource(), ActionType::killAnySession})) {
+ return Status(ErrorCodes::Unauthorized, "Unauthorized");
+ }
+ return Status::OK();
+ }
+
+ virtual bool run(OperationContext* opCtx,
+ const std::string& db,
+ const BSONObj& cmdObj,
+ BSONObjBuilder& result) override {
+ IDLParserErrorContext ctx("KillAllSessionsCmd");
+ auto ksc = KillAllSessionsCmd::parse(ctx, cmdObj);
+
+ KillAllSessionsByPatternSet patterns;
+
+ // The empty command kills all
+ if (ksc.getKillAllSessions().empty()) {
+ patterns.emplace(makeKillAllSessionsByPattern(opCtx));
+ } else {
+ patterns.reserve(ksc.getKillAllSessions().size());
+
+ for (const auto& user : ksc.getKillAllSessions()) {
+ patterns.emplace(makeKillAllSessionsByPattern(opCtx, user));
+ }
+ }
+
+ return appendCommandStatus(result, killSessionsCmdHelper(opCtx, result, patterns));
+ }
+} killAllSessionsCommand;
+
+} // namespace mongo
diff --git a/src/mongo/db/commands/kill_sessions_command.cpp b/src/mongo/db/commands/kill_sessions_command.cpp
new file mode 100644
index 00000000000..6460863d599
--- /dev/null
+++ b/src/mongo/db/commands/kill_sessions_command.cpp
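Review bot: `KillAllSessionsCommand` (kill_all_sessions_command.cpp) carries no comment stating its privilege model, and the only hint that an empty argument list targets every session is the one-line remark inside `run()`. A class-level comment would make the scope explicit for anyone reviewing who is granted `killAnySession`, for example `// Requires killAnySession on the cluster resource. An empty user list kills all sessions; otherwise only the sessions of the listed users are targeted.` The help string `"kill all logical sessions, for a user, and their operations"` could mention the empty form as well.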
@@ -0,0 +1,134 @@
+/**
+ * Copyright (C) 2017 MongoDB Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * As a special exception, the copyright holders give permission to link the
+ * code of portions of this program with the OpenSSL library under certain
+ * conditions as described in each individual source file and distribute
+ * linked combinations including the program with the OpenSSL library. You
+ * must comply with the GNU Affero General Public License in all respects
+ * for all of the code used other than as permitted herein. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you do not
+ * wish to do so, delete this exception statement from your version. If you
+ * delete this exception statement from all source files in the program,
+ * then also delete it in the license file.
+ */
+
+#define MONGO_LOG_DEFAULT_COMPONENT ::mongo::logger::LogComponent::kCommand
+
+#include "mongo/platform/basic.h"
+
+#include "mongo/base/init.h"
+#include "mongo/db/auth/action_set.h"
+#include "mongo/db/auth/action_type.h"
+#include "mongo/db/auth/authorization_manager.h"
+#include "mongo/db/auth/authorization_session.h"
+#include "mongo/db/auth/privilege.h"
+#include "mongo/db/client.h"
+#include "mongo/db/commands.h"
+#include "mongo/db/jsobj.h"
+#include "mongo/db/kill_sessions.h"
+#include "mongo/db/kill_sessions_common.h"
+#include "mongo/db/kill_sessions_local.h"
+#include "mongo/db/logical_session_cache.h"
+#include "mongo/db/logical_session_id.h"
+#include "mongo/db/logical_session_id_helpers.h"
+#include "mongo/db/operation_context.h"
+#include "mongo/db/stats/top.h"
+#include "mongo/util/log.h"
+
+namespace mongo {
+
+namespace {
+
+KillAllSessionsByPatternSet patternsForLoggedInUser(OperationContext* opCtx) {
+ auto client = opCtx->getClient();
+ ServiceContext* serviceContext = client->getServiceContext();
+
+ KillAllSessionsByPatternSet patterns;
+
+ if (AuthorizationManager::get(serviceContext)->isAuthEnabled()) {
+ auto authzSession = AuthorizationSession::get(client);
+ for (auto iter = authzSession->getAuthenticatedUserNames(); iter.more(); iter.next()) {
+ User* user = authzSession->lookupUser(*iter);
+ invariant(user);
+
+ auto pattern = makeKillAllSessionsByPattern(opCtx);
+ pattern.setUid(user->getDigest());
+ patterns.emplace(std::move(pattern));
+ }
+ } else {
+ patterns.emplace(makeKillAllSessionsByPattern(opCtx));
+ }
+
+ return patterns;
+}
+
+} // namespace
+
+class KillSessionsCommand final : public BasicCommand {
+ MONGO_DISALLOW_COPYING(KillSessionsCommand);
+
+public:
+ KillSessionsCommand() : BasicCommand("killSessions") {}
+
+ bool slaveOk() const override {
+ return true;
+ }
+ bool adminOnly() const override {
+ return false;
+ }
+ bool supportsWriteConcern(const BSONObj& cmd) const override {
+ return false;
+ }
+ void help(std::stringstream& help) const override {
+ help << "kill a logical session and its operations";
+ }
+
+ // Any user can kill their own sessions
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const std::string& dbname,
+ const BSONObj& cmdObj) override {
+ return Status::OK();
+ }
+
+ virtual bool run(OperationContext* opCtx,
+ const std::string& db,
+ const BSONObj& cmdObj,
+ BSONObjBuilder& result) override {
+ IDLParserErrorContext ctx("KillSessionsCmd");
+ auto ksc = KillSessionsCmdFromClient::parse(ctx, cmdObj);
+
+ KillAllSessionsByPatternSet patterns;
+
+ if (ksc.getKillSessions().empty()) {
+ patterns = patternsForLoggedInUser(opCtx);
+ } else {
+ auto lsids = makeLogicalSessionIds(
+ ksc.getKillSessions(),
+ opCtx,
+ {Privilege{ResourcePattern::forClusterResource(), ActionType::killAnySession}});
+
+ patterns.reserve(lsids.size());
+ for (const auto& lsid : lsids) {
+ patterns.emplace(makeKillAllSessionsByPattern(opCtx, lsid));
+ }
+ }
+
+ return appendCommandStatus(result, killSessionsCmdHelper(opCtx, result, patterns));
+ }
+} killSessionsCommand;
+
+} // namespace mongo |
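Review bot: `patternsForLoggedInUser` (kill_sessions_command.cpp) guards the result of `authzSession->lookupUser(*iter)` with `invariant(user)`, and this helper sits behind a command whose `checkAuthForOperation` returns `Status::OK()` unconditionally, so a failed invariant would abort the server rather than fail one request. Whether `lookupUser` can return null at this point is not visible in the diff; if it can, a per-command error is the safer outcome, for example `uassert(ErrorCodes::Unauthorized, "authenticated user not found", user);` in place of the invariant. If null is truly impossible, a short comment next to the `invariant` saying why would document that assumption.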