Diffstat (limited to 'src/mongo')
-rw-r--r-- | src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp | 11 | ||||
-rw-r--r-- | src/mongo/db/auth/user.h | 11 |
2 files changed, 22 insertions, 0 deletions
diff --git a/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp b/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp index 7d6690447b6..e117665d1b3 100644 --- a/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp +++ b/src/mongo/db/auth/sasl_scramsha1_server_conversation.cpp @@ -155,9 +155,20 @@ namespace mongo { } _creds = userObj->getCredentials(); + UserName userName = userObj->getName(); + _saslAuthSession->getAuthorizationSession()->getAuthorizationManager(). releaseUser(userObj); + // Check for authentication attempts of the __system user on + // systems started without a keyfile. + if (userName == internalSecurity.user->getName() && + _creds.scram.salt.empty()) { + return StatusWith<bool>(ErrorCodes::AuthenticationFailed, + "It is not possible to authenticate as the __system user " + "on servers started without --keyFile parameter"); + } + // Generate SCRAM credentials on the fly for mixed MONGODB-CR/SCRAM mode. if (_creds.scram.salt.empty() && !_creds.password.empty()) { // Use a default value of 5000 for the scramIterationCount when in mixed mode, diff --git a/src/mongo/db/auth/user.h b/src/mongo/db/auth/user.h index 3950e42090a..d920abdda9d 100644 --- a/src/mongo/db/auth/user.h +++ b/src/mongo/db/auth/user.h @@ -59,12 +59,23 @@ namespace mongo { MONGO_DISALLOW_COPYING(User); public: struct SCRAMCredentials { + SCRAMCredentials() : + iterationCount(0), + salt(""), + serverKey(""), + storedKey("") {} + int iterationCount; std::string salt; std::string serverKey; std::string storedKey; }; struct CredentialData { + CredentialData() : + password(""), + scram(), + isExternal(false) {} + std::string password; SCRAMCredentials scram; bool isExternal; |
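Review bot: The new guard in sasl_scramsha1_server_conversation.cpp treats an empty `_creds.scram.salt` as proof that the server was started without a keyfile, but nothing in the hunk states that invariant, and the check runs ahead of the mixed-mode branch that handles an empty salt together with a non-empty `_creds.password`. If the __system user can ever hold only a MONGODB-CR password, that login would be refused here with a message that blames a missing keyfile; if it cannot, the comment should say so, e.g. `// With --keyFile the __system user always carries a SCRAM salt, so an empty salt means no keyfile was given.` `internalSecurity.user` is also dereferenced without a null check, which is presumably safe because it is set at startup, but that is not visible from this hunk. The enclosing function starts and ends outside the hunk.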
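Review bot: In both new constructors in user.h the `std::string` initialisers (`salt("")`, `serverKey("")`, `storedKey("")`, `password("")`) and `scram()` are redundant, because those members default-construct to the same state; only `iterationCount(0)` and `isExternal(false)` change behaviour, by giving members that were previously left indeterminate a defined value. The shorter form is `SCRAMCredentials() : iterationCount(0) {}` and `CredentialData() : isExternal(false) {}`. A one-line comment on each struct stating that an empty `salt` or `password` means no credential of that kind is stored would document what the authentication code appears to rely on. `CredentialData` closes outside the hunk.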