Diffstat (limited to 'src/mongo/db/security.cpp')
-rw-r--r-- | src/mongo/db/security.cpp | 106 |
1 files changed, 106 insertions, 0 deletions
diff --git a/src/mongo/db/security.cpp b/src/mongo/db/security.cpp
new file mode 100644
index 00000000000..c9b9bb40326
--- /dev/null
+++ b/src/mongo/db/security.cpp
@@ -0,0 +1,106 @@
+// security.cpp
+
+/**
+ * Copyright (C) 2009 10gen Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "pch.h"
+#include "security.h"
+#include "security_common.h"
+#include "instance.h"
+#include "client.h"
+#include "curop-inl.h"
+#include "db.h"
+#include "dbhelpers.h"
+
+// this is the _mongod only_ implementation of security.h
+
+namespace mongo {
+
+ bool AuthenticationInfo::_warned = false;
+ /*
+ void AuthenticationInfo::print() const {
+ cout << "AuthenticationInfo: " << this << '\n';
+ for ( MA::const_iterator i=_dbs.begin(); i!=_dbs.end(); i++ ) {
+ cout << "\t" << i->first << "\t" << i->second.level << '\n';
+ }
+ cout << "END" << endl;
+ }
+ */
+
+ string AuthenticationInfo::getUser( const string& dbname ) const {
+ scoped_spinlock lk(_lock);
+
+ MA::const_iterator i = _dbs.find(dbname);
+ if ( i == _dbs.end() )
+ return "";
+
+ return i->second.user;
+ }
+
+
+ bool AuthenticationInfo::_isAuthorizedSpecialChecks( const string& dbname ) const {
+ if ( cc().isGod() )
+ return true;
+
+ if ( isLocalHost ) {
+ Client::GodScope gs;
+ Client::ReadContext ctx("admin.system.users");
+ BSONObj result;
+ if( ! Helpers::getSingleton("admin.system.users", result) ) {
+ if( ! _warned ) {
+ // you could get a few of these in a race, but that's ok
+ _warned = true;
+ log() << "note: no users configured in admin.system.users, allowing localhost access" << endl;
+ }
+ return true;
+ }
+ }
+
+ return false;
+ }
+
+ bool CmdAuthenticate::getUserObj(const string& dbname, const string& user, BSONObj& userObj, string& pwd) {
+ if (user == internalSecurity.user) {
+ uassert(15889, "key file must be used to log in with internal user", cmdLine.keyFile);
+ pwd = internalSecurity.pwd;
+ }
+ else {
+ // static BSONObj userPattern = fromjson("{\"user\":1}");
+ string systemUsers = dbname + ".system.users";
+ // OCCASIONALLY Helpers::ensureIndex(systemUsers.c_str(), userPattern, false, "user_1");
+ {
+ BSONObjBuilder b;
+ b << "user" << user;
+ BSONObj query = b.done();
+ if( !Helpers::findOne(systemUsers.c_str(), query, userObj) ) {
+ log() << "auth: couldn't find user " << user << ", " << systemUsers << endl;
+ return false;
+ }
+ }
+
+ pwd = userObj.getStringField("pwd");
+ }
+ return true;
+ }
+
+ bool CmdLogout::run(const string& dbname , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool fromRepl) {
+ AuthenticationInfo *ai = cc().getAuthenticationInfo();
+ ai->logout(dbname);
+ return true;
+ }
+
+} // namespace mongo
+
|
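Review bot: The localhost branch of `_isAuthorizedSpecialChecks` ignores `dbname` and keys the exception solely on `admin.system.users` being empty, so a deployment whose only users live in a non-admin `<db>.system.users` still grants every unauthenticated localhost connection access to every database. That scope should be stated where the function is defined, since nothing in the signature hints at it: `// localhost exception: while admin.system.users is empty, any localhost client is authorized for every database regardless of dbname`. In `getUserObj`, `userObj.getStringField("pwd")` presumably yields an empty string when the field is absent, in which case the function still returns true with `pwd == ""`; the caller's comparison is outside this hunk, so if an empty credential is not rejected there, a `if (pwd.empty()) return false;` after that line would close the gap. The unsynchronized write to the static `_warned` is acknowledged by the inline comment, but noting that it only gates the log line, never the authorization decision, would save the next reader the same check.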