Diffstat (limited to 'src/mongo')
-rw-r--r--src/mongo/db/auth/authorization_manager.h5
-rw-r--r--src/mongo/db/auth/authorization_manager_global.cpp18
-rw-r--r--src/mongo/db/auth/authorization_manager_global.h9
-rw-r--r--src/mongo/db/auth/client_auth_session.cpp27
-rw-r--r--src/mongo/db/curop_test.cpp8
-rw-r--r--src/mongo/db/db.cpp12
-rw-r--r--src/mongo/db/mongod_options.cpp6
-rw-r--r--src/mongo/db/mongod_options_init.cpp4
-rw-r--r--src/mongo/db/server_options.h1
-rw-r--r--src/mongo/dbtests/dbtests.cpp4
-rw-r--r--src/mongo/s/client/shard_connection_test.cpp6
-rw-r--r--src/mongo/s/mongos_options_init.cpp4
-rw-r--r--src/mongo/s/server.cpp12
13 files changed, 68 insertions, 48 deletions
diff --git a/src/mongo/db/auth/authorization_manager.h b/src/mongo/db/auth/authorization_manager.h
index 46f0ab7da5e..0cf864ae3dc 100644
--- a/src/mongo/db/auth/authorization_manager.h
+++ b/src/mongo/db/auth/authorization_manager.h
@@ -54,6 +54,7 @@ namespace mongo {
class AuthorizationSession;
class AuthzManagerExternalState;
class OperationContext;
+ class ServiceContext;
class UserDocumentParser;
/**
@@ -70,6 +71,10 @@ namespace mongo {
class AuthorizationManager {
MONGO_DISALLOW_COPYING(AuthorizationManager);
public:
+ static AuthorizationManager* get(ServiceContext* service);
+ static AuthorizationManager* get(ServiceContext& service);
+ static void set(ServiceContext* service,
+ std::unique_ptr<AuthorizationManager> authzManager);
// The newly constructed AuthorizationManager takes ownership of "externalState"
explicit AuthorizationManager(AuthzManagerExternalState* externalState);
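Review bot: The three static accessors added at the top of the public section have no comments, so the header does not tell a caller that `get` can return null or that `set` is one-shot. Going by the definitions in client_auth_session.cpp, `get` returns whatever the ServiceContext decoration holds (null until `set` has run) and `set` trips an `invariant` on a null argument or on a second call for the same service. I would add `// Returns the AuthorizationManager attached to "service", or nullptr if none has been set.` above the `get` overloads and `// Attaches "authzManager" to "service"; call exactly once per ServiceContext, with a non-null manager.` above `set`. The header now names `std::unique_ptr`, so it should include `<memory>` itself if it does not already; the include list is outside this hunk.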
diff --git a/src/mongo/db/auth/authorization_manager_global.cpp b/src/mongo/db/auth/authorization_manager_global.cpp
index 91ccec7ba0d..cc5ee6513f5 100644
--- a/src/mongo/db/auth/authorization_manager_global.cpp
+++ b/src/mongo/db/auth/authorization_manager_global.cpp
@@ -33,12 +33,11 @@
#include "mongo/db/auth/authorization_manager.h"
#include "mongo/db/auth/authorization_manager_global.h"
#include "mongo/db/server_parameters.h"
+#include "mongo/db/service_context.h"
#include "mongo/util/assert_util.h"
namespace mongo {
namespace {
- AuthorizationManager* globalAuthManager = NULL;
-
class AuthzVersionParameter : public ServerParameter {
MONGO_DISALLOW_COPYING(AuthzVersionParameter);
public:
@@ -79,19 +78,10 @@ namespace {
const std::string authSchemaVersionServerParameter = "authSchemaVersion";
- void setGlobalAuthorizationManager(AuthorizationManager* authManager) {
- fassert(16841, globalAuthManager == NULL);
- globalAuthManager = authManager;
- }
-
- void clearGlobalAuthorizationManager() {
- fassert(16843, globalAuthManager != NULL);
- delete globalAuthManager;
- globalAuthManager = NULL;
- }
-
AuthorizationManager* getGlobalAuthorizationManager() {
- fassert(16842, globalAuthManager != NULL);
+ AuthorizationManager* globalAuthManager = AuthorizationManager::get(
+ getGlobalServiceContext());
+ fassert(16842, globalAuthManager != nullptr);
return globalAuthManager;
}
diff --git a/src/mongo/db/auth/authorization_manager_global.h b/src/mongo/db/auth/authorization_manager_global.h
index 08ce75d1da6..b0ef39f0069 100644
--- a/src/mongo/db/auth/authorization_manager_global.h
+++ b/src/mongo/db/auth/authorization_manager_global.h
@@ -40,13 +40,4 @@ namespace mongo {
// Gets the singleton AuthorizationManager object for this server process.
AuthorizationManager* getGlobalAuthorizationManager();
- // Sets the singleton AuthorizationManager object for this server process.
- // Must be called once at startup and then never again (unless clearGlobalAuthorizationManager
- // is called, at which point this can be called again, but should only happen in tests).
- void setGlobalAuthorizationManager(AuthorizationManager* authManager);
-
- // Sets the singleton AuthorizationManager object for this server process to NULL.
- // Should only be used in tests.
- void clearGlobalAuthorizationManager();
-
} // namespace mongo
diff --git a/src/mongo/db/auth/client_auth_session.cpp b/src/mongo/db/auth/client_auth_session.cpp
index e2cb57522cb..46a38c64ac1 100644
--- a/src/mongo/db/auth/client_auth_session.cpp
+++ b/src/mongo/db/auth/client_auth_session.cpp
@@ -32,8 +32,11 @@
#include <utility>
#include "mongo/db/auth/authentication_session.h"
+#include "mongo/db/auth/authorization_manager.h"
#include "mongo/db/auth/authorization_session.h"
#include "mongo/db/client_basic.h"
+#include "mongo/db/service_context.h"
+#include "mongo/util/assert_util.h"
namespace mongo {
namespace {
@@ -41,6 +44,9 @@ namespace {
const auto getAuthenticationSession =
ClientBasic::declareDecoration<std::unique_ptr<AuthenticationSession>>();
+ const auto getAuthorizationManager =
+ ServiceContext::declareDecoration<std::unique_ptr<AuthorizationManager>>();
+
const auto getAuthorizationSession =
ClientBasic::declareDecoration<std::unique_ptr<AuthorizationSession>>();
@@ -59,6 +65,22 @@ namespace {
swap(getAuthenticationSession(client), other);
}
+ AuthorizationManager* AuthorizationManager::get(ServiceContext* service) {
+ return getAuthorizationManager(service).get();
+ }
+
+ AuthorizationManager* AuthorizationManager::get(ServiceContext& service) {
+ return getAuthorizationManager(service).get();
+ }
+
+ void AuthorizationManager::set(ServiceContext* service,
+ std::unique_ptr<AuthorizationManager> authzManager) {
+ auto& manager = getAuthorizationManager(service);
+ invariant(authzManager);
+ invariant(!manager);
+ manager = std::move(authzManager);
+ }
+
AuthorizationSession* AuthorizationSession::get(ClientBasic* client) {
return get(*client);
}
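Review bot: The pointer overloads `AuthorizationManager::get(ServiceContext*)` and `AuthorizationManager::set` pass `service` straight to the decoration without checking it, and `set` performs that lookup before `invariant(authzManager)` runs. If the decoration lookup dereferences the pointer (its definition is not visible here), a null ServiceContext becomes an undiagnosed crash rather than a clean invariant failure, on the object that gates authorization checks. I would open `set` with `invariant(service);` and have the pointer `get` delegate the way `AuthorizationSession::get(ClientBasic*)` does just below: `invariant(service); return get(*service);`. Separately, these `AuthorizationManager` members are defined in client_auth_session.cpp; a one-line comment saying why they live here would save the next reader a search.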
@@ -78,7 +100,10 @@ namespace {
void AuthorizationSession::set(
ClientBasic* client,
std::unique_ptr<AuthorizationSession> authorizationSession) {
- getAuthorizationSession(client) = std::move(authorizationSession);
+ auto& authzSession = getAuthorizationSession(client);
+ invariant(authorizationSession);
+ invariant(!authzSession);
+ authzSession = std::move(authorizationSession);
}
} // namespace mongo
diff --git a/src/mongo/db/curop_test.cpp b/src/mongo/db/curop_test.cpp
index 85ad5d98973..26a4472078c 100644
--- a/src/mongo/db/curop_test.cpp
+++ b/src/mongo/db/curop_test.cpp
@@ -74,9 +74,11 @@ namespace mongo {
sleepmillis(10);
}
- setGlobalServiceContext(stdx::make_unique<ServiceContextNoop>());
- setGlobalAuthorizationManager(
- new AuthorizationManager(new AuthzManagerExternalStateMock()));
+ auto service = stdx::make_unique<ServiceContextNoop>();
+ AuthorizationManager::set(
+ service.get(),
+ stdx::make_unique<AuthorizationManager>(new AuthzManagerExternalStateMock()));
+ setGlobalServiceContext(std::move(service));
Client::initThread("CurOpTestMain");
return Status::OK();
}
diff --git a/src/mongo/db/db.cpp b/src/mongo/db/db.cpp
index 1abffa3aebf..734e71ae4b1 100644
--- a/src/mongo/db/db.cpp
+++ b/src/mongo/db/db.cpp
@@ -757,12 +757,16 @@ static void startupConfigActions(const std::vector<std::string>& args) {
}
MONGO_INITIALIZER_GENERAL(CreateAuthorizationManager,
- ("SetupInternalSecurityUser", "OIDGeneration"),
+ ("SetupInternalSecurityUser",
+ "OIDGeneration",
+ "SetGlobalEnvironment",
+ "EndStartupOptionStorage"),
MONGO_NO_DEPENDENTS)
(InitializerContext* context) {
- AuthorizationManager* authzManager =
- new AuthorizationManager(new AuthzManagerExternalStateMongod());
- setGlobalAuthorizationManager(authzManager);
+ auto authzManager = stdx::make_unique<AuthorizationManager>(
+ new AuthzManagerExternalStateMongod());
+ authzManager->setAuthEnabled(serverGlobalParams.isAuthEnabled);
+ AuthorizationManager::set(getGlobalServiceContext(), std::move(authzManager));
return Status::OK();
}
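Review bot: `authzManager->setAuthEnabled(serverGlobalParams.isAuthEnabled)` copies the flag once, and nothing in the initializer records that the new `"EndStartupOptionStorage"` prerequisite is what makes that copy correct. If that ordering were dropped, the manager would be built from the field's default of `false`, meaning authorization off, with no error. A comment on the prerequisite list such as `// Must run after option storage: serverGlobalParams.isAuthEnabled is read once below.` would pin the constraint down. It should also say that later writes to the field do not reach the manager, and that any code outside this diff which calls `setAuthEnabled` on the manager afterwards leaves the field stale. The same applies to the identical initializer in src/mongo/s/server.cpp.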
diff --git a/src/mongo/db/mongod_options.cpp b/src/mongo/db/mongod_options.cpp
index 075d422416d..289ad83ffe2 100644
--- a/src/mongo/db/mongod_options.cpp
+++ b/src/mongo/db/mongod_options.cpp
@@ -38,8 +38,6 @@
#include "mongo/base/status.h"
#include "mongo/bson/util/builder.h"
#include "mongo/config.h"
-#include "mongo/db/auth/authorization_manager.h"
-#include "mongo/db/auth/authorization_manager_global.h"
#include "mongo/db/db.h"
#include "mongo/db/instance.h"
#include "mongo/db/repl/repl_settings.h"
@@ -955,11 +953,11 @@ namespace mongo {
}
if (params.count("security.authorization") &&
params["security.authorization"].as<std::string>() == "disabled") {
- getGlobalAuthorizationManager()->setAuthEnabled(false);
+ serverGlobalParams.isAuthEnabled = false;
}
if (params.count("security.authorization") &&
params["security.authorization"].as<std::string>() == "enabled") {
- getGlobalAuthorizationManager()->setAuthEnabled(true);
+ serverGlobalParams.isAuthEnabled = true;
}
if (params.count("storage.mmapv1.quota.enforced")) {
mmapv1GlobalOptions.quota = params["storage.mmapv1.quota.enforced"].as<bool>();
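Review bot: With the result now stored in `serverGlobalParams.isAuthEnabled`, whose default is `false`, any `security.authorization` value other than the two literals compared here leaves authorization disabled without an error. The option parser may already restrict the value to `enabled` and `disabled` (not visible in this hunk); if it does not, this code should return an error status for an unrecognised value rather than fall through. Reading the option once into a local, `const std::string authz = params["security.authorization"].as<std::string>();`, would also remove the duplicated lookup and make a final `else` branch natural. The enclosing function starts and ends outside the hunk.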
diff --git a/src/mongo/db/mongod_options_init.cpp b/src/mongo/db/mongod_options_init.cpp
index e8cfa3ef1a0..a8c8ebb74cd 100644
--- a/src/mongo/db/mongod_options_init.cpp
+++ b/src/mongo/db/mongod_options_init.cpp
@@ -65,9 +65,7 @@ namespace mongo {
}
MONGO_INITIALIZER_GENERAL(MongodOptions_Store,
- ("BeginStartupOptionStorage",
- "CreateAuthorizationManager"), // Requried to call
- // getGlobalAuthorizationManager().
+ ("BeginStartupOptionStorage"),
("EndStartupOptionStorage"))
(InitializerContext* context) {
Status ret = storeMongodOptions(moe::startupOptionsParsed, context->args());
diff --git a/src/mongo/db/server_options.h b/src/mongo/db/server_options.h
index 9df17b544c2..46579e2484a 100644
--- a/src/mongo/db/server_options.h
+++ b/src/mongo/db/server_options.h
@@ -118,6 +118,7 @@ namespace mongo {
BSONArray argvArray;
BSONObj parsedOpts;
+ bool isAuthEnabled = false;
AtomicInt32 clusterAuthMode; // --clusterAuthMode, the internal cluster auth mode
enum ClusterAuthModes {
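Review bot: The new `isAuthEnabled` field has no comment, unlike `clusterAuthMode` on the next line, although its default decides whether authorization is on. I would annotate it as `bool isAuthEnabled = false;  // security.authorization; read once by the CreateAuthorizationManager initializer`. It is a plain `bool` beside an `AtomicInt32`, which is fine only if it is written during startup option storage and never afterwards, so the comment should state that restriction. The enclosing struct starts and ends outside the hunk.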
diff --git a/src/mongo/dbtests/dbtests.cpp b/src/mongo/dbtests/dbtests.cpp
index 53e5f54b5ec..230277f966c 100644
--- a/src/mongo/dbtests/dbtests.cpp
+++ b/src/mongo/dbtests/dbtests.cpp
@@ -111,7 +111,9 @@ int dbtestsMain( int argc, char** argv, char** envp ) {
repl::setGlobalReplicationCoordinator(new repl::ReplicationCoordinatorMock(replSettings));
Command::testCommandsEnabled = 1;
mongo::runGlobalInitializersOrDie(argc, argv, envp);
- setGlobalAuthorizationManager(new AuthorizationManager(new AuthzManagerExternalStateMongod()));
+ AuthorizationManager::set(
+ getGlobalServiceContext(),
+ stdx::make_unique<AuthorizationManager>(new AuthzManagerExternalStateMongod()));
StartupTest::runTests();
return mongo::dbtests::runDbTests(argc, argv);
}
diff --git a/src/mongo/s/client/shard_connection_test.cpp b/src/mongo/s/client/shard_connection_test.cpp
index 9468f778afc..72e4e0c862c 100644
--- a/src/mongo/s/client/shard_connection_test.cpp
+++ b/src/mongo/s/client/shard_connection_test.cpp
@@ -60,9 +60,11 @@ namespace {
MONGO_INITIALIZER(SCFTestGlobalServiceContext)(InitializerContext*) {
invariant(!hasGlobalServiceContext());
- mongo::setGlobalAuthorizationManager(new mongo::AuthorizationManager(
- new mongo::AuthzManagerExternalStateMock()));
setGlobalServiceContext(stdx::make_unique<ServiceContextNoop>());
+ AuthorizationManager::set(
+ getGlobalServiceContext(),
+ stdx::make_unique<AuthorizationManager>(
+ new mongo::AuthzManagerExternalStateMock()));
return Status::OK();
}
diff --git a/src/mongo/s/mongos_options_init.cpp b/src/mongo/s/mongos_options_init.cpp
index d11832c6234..0ec9bca0b91 100644
--- a/src/mongo/s/mongos_options_init.cpp
+++ b/src/mongo/s/mongos_options_init.cpp
@@ -63,9 +63,7 @@ namespace mongo {
}
MONGO_INITIALIZER_GENERAL(MongosOptions_Store,
- ("BeginStartupOptionStorage",
- "CreateAuthorizationManager"), // Requried to call
- // getGlobalAuthorizationManager().
+ ("BeginStartupOptionStorage"),
("EndStartupOptionStorage"))
(InitializerContext* context) {
Status ret = storeMongosOptions(moe::startupOptionsParsed, context->args());
diff --git a/src/mongo/s/server.cpp b/src/mongo/s/server.cpp
index b69ac75720e..df31706bd0e 100644
--- a/src/mongo/s/server.cpp
+++ b/src/mongo/s/server.cpp
@@ -404,12 +404,16 @@ namespace mongo {
#endif
MONGO_INITIALIZER_GENERAL(CreateAuthorizationManager,
- ("SetupInternalSecurityUser", "OIDGeneration"),
+ ("SetupInternalSecurityUser",
+ "OIDGeneration",
+ "SetGlobalEnvironment",
+ "EndStartupOptionStorage"),
MONGO_NO_DEPENDENTS)
(InitializerContext* context) {
- AuthorizationManager* authzManager =
- new AuthorizationManager(new AuthzManagerExternalStateMongos());
- setGlobalAuthorizationManager(authzManager);
+ auto authzManager = stdx::make_unique<AuthorizationManager>(
+ new AuthzManagerExternalStateMongos());
+ authzManager->setAuthEnabled(serverGlobalParams.isAuthEnabled);
+ AuthorizationManager::set(getGlobalServiceContext(), std::move(authzManager));
return Status::OK();
}