bool CmdSaslStart::run(OperationContext* txn,
const std::string& db,
BSONObj& cmdObj,
int options,
std::string& ignored,
BSONObjBuilder& result,
bool fromRepl) {
ClientBasic* client = ClientBasic::getCurrent();
client->resetAuthenticationSession(NULL);
SaslAuthenticationSession* session =
SaslAuthenticationSession::create(client->getAuthorizationSession());
boost::scoped_ptr<AuthenticationSession> sessionGuard(session);
session->setOpCtxt(txn);
Status status = doSaslStart(session, db, cmdObj, &result);
addStatus(status, &result);
if (session->isDone()) {
audit::logAuthentication(
client,
session->getMechanism(),
UserName(session->getPrincipalId(), db),
status.code());
}
else {
client->swapAuthenticationSession(sessionGuard);
}
return status.isOK();
}
Status CmdAuthenticate::_authenticateX509(const UserName& user, const BSONObj& cmdObj) {
if (!getSSLManager()) {
return Status(ErrorCodes::ProtocolError,
"SSL support is required for the MONGODB-X509 mechanism.");
}
if(user.getDB() != "$external") {
return Status(ErrorCodes::ProtocolError,
"X.509 authentication must always use the $external database.");
}
ClientBasic *client = ClientBasic::getCurrent();
AuthorizationSession* authorizationSession = client->getAuthorizationSession();
std::string subjectName = client->port()->getX509SubjectName();
if (user.getUser() != subjectName) {
return Status(ErrorCodes::AuthenticationFailed,
"There is no x.509 client certificate matching the user.");
}
else {
std::string srvSubjectName = getSSLManager()->getServerSubjectName();
size_t srvClusterIdPos = srvSubjectName.find(",OU=");
size_t peerClusterIdPos = subjectName.find(",OU=");
std::string srvClusterId = srvClusterIdPos != std::string::npos ?
srvSubjectName.substr(srvClusterIdPos) : "";
std::string peerClusterId = peerClusterIdPos != std::string::npos ?
subjectName.substr(peerClusterIdPos) : "";
// Handle internal cluster member auth, only applies to server-server connections
int clusterAuthMode = serverGlobalParams.clusterAuthMode.load();
if (srvClusterId == peerClusterId && !srvClusterId.empty()) {
if (clusterAuthMode == ServerGlobalParams::ClusterAuthMode_undefined ||
clusterAuthMode == ServerGlobalParams::ClusterAuthMode_keyFile) {
return Status(ErrorCodes::AuthenticationFailed, "The provided certificate "
"can only be used for cluster authentication, not client "
"authentication. The current configuration does not allow "
"x.509 cluster authentication, check the --clusterAuthMode flag");
}
authorizationSession->grantInternalAuthorization();
}
// Handle normal client authentication, only applies to client-server connections
else {
if (_isX509AuthDisabled) {
return Status(ErrorCodes::BadValue,
_x509AuthenticationDisabledMessage);
}
Status status = authorizationSession->addAndAuthorizeUser(user);
if (!status.isOK()) {
return status;
}
}
return Status::OK();
}
}
bool CmdAuthenticate::authenticateX509(const string& dbname,
BSONObj& cmdObj,
string& errmsg,
BSONObjBuilder& result) {
if(dbname != "$external") {
errmsg = "X.509 authentication must always use the $external database.";
result.append(saslCommandCodeFieldName, ErrorCodes::AuthenticationFailed);
return false;
}
std::string user = cmdObj.getStringField("user");
ClientBasic *client = ClientBasic::getCurrent();
AuthorizationSession* authorizationSession = client->getAuthorizationSession();
StringData subjectName = client->port()->getX509SubjectName();
if (user != subjectName) {
errmsg = "There is no x.509 client certificate matching the user.";
result.append(saslCommandCodeFieldName, ErrorCodes::AuthenticationFailed);
return false;
}
else {
StringData srvSubjectName = getSSLManager()->getSubjectName();
StringData srvClusterId = srvSubjectName.substr(0, srvSubjectName.find("/CN")+1);
StringData peerClusterId = subjectName.substr(0, subjectName.find("/CN")+1);
// Handle internal cluster member
if (srvClusterId == peerClusterId) {
authorizationSession->grantInternalAuthorization(UserName(user, "$external"));
}
// Handle normal client authentication
else {
Principal* principal = new Principal(UserName(user, "$external"));
principal->setImplicitPrivilegeAcquisition(true);
authorizationSession->addAuthorizedPrincipal(principal);
}
result.append( "dbname" , dbname );
result.append( "user" , user );
return true;
}
}
Status CmdAuthenticate::_authenticateX509(const UserName& user, const BSONObj& cmdObj) {
if(user.getDB() != "$external") {
return Status(ErrorCodes::ProtocolError,
"X.509 authentication must always use the $external database.");
}
ClientBasic *client = ClientBasic::getCurrent();
AuthorizationSession* authorizationSession = client->getAuthorizationSession();
StringData subjectName = client->port()->getX509SubjectName();
if (user.getUser() != subjectName) {
return Status(ErrorCodes::AuthenticationFailed,
"There is no x.509 client certificate matching the user.");
}
else {
StringData srvSubjectName = getSSLManager()->getServerSubjectName();
StringData srvClusterId = srvSubjectName.substr(srvSubjectName.find(",OU="));
StringData peerClusterId = subjectName.substr(subjectName.find(",OU="));
fassert(17002, !srvClusterId.empty() && srvClusterId != srvSubjectName);
// Handle internal cluster member auth, only applies to server-server connections
if (srvClusterId == peerClusterId) {
if (cmdLine.clusterAuthMode.empty() || cmdLine.clusterAuthMode == "keyfile") {
return Status(ErrorCodes::AuthenticationFailed,
"X509 authentication is not allowed for cluster authentication");
}
authorizationSession->grantInternalAuthorization(user);
}
// Handle normal client authentication, only applies to client-server connections
else {
Principal* principal = new Principal(user);
authorizationSession->addAndAuthorizePrincipal(principal);
}
return Status::OK();
}
}
void CursorCache::gotKillCursors(Message& m ) {
int *x = (int *) m.singleData()->_data;
x++; // reserved
int n = *x++;
if ( n > 2000 ) {
( n < 30000 ? warning() : error() ) << "receivedKillCursors, n=" << n << endl;
}
uassert( 13286 , "sent 0 cursors to kill" , n >= 1 );
uassert( 13287 , "too many cursors to kill" , n < 30000 );
long long * cursors = (long long *)x;
ClientBasic* client = ClientBasic::getCurrent();
AuthorizationSession* authSession = client->getAuthorizationSession();
for ( int i=0; i<n; i++ ) {
long long id = cursors[i];
LOG(_myLogLevel) << "CursorCache::gotKillCursors id: " << id << endl;
if ( ! id ) {
warning() << " got cursor id of 0 to kill" << endl;
continue;
}
string server;
{
scoped_lock lk( _mutex );
MapSharded::iterator i = _cursors.find( id );
if ( i != _cursors.end() ) {
const bool isAuthorized = authSession->isAuthorizedForActionsOnNamespace(
NamespaceString(i->second->getNS()), ActionType::killCursors);
audit::logKillCursorsAuthzCheck(
client,
NamespaceString(i->second->getNS()),
id,
isAuthorized ? ErrorCodes::OK : ErrorCodes::Unauthorized);
if (isAuthorized) {
_cursorsMaxTimeMS.erase( i->second->getId() );
_cursors.erase( i );
}
continue;
}
MapNormal::iterator refsIt = _refs.find(id);
MapNormal::iterator refsNSIt = _refsNS.find(id);
if (refsIt == _refs.end()) {
warning() << "can't find cursor: " << id << endl;
continue;
}
verify(refsNSIt != _refsNS.end());
const bool isAuthorized = authSession->isAuthorizedForActionsOnNamespace(
NamespaceString(refsNSIt->second), ActionType::killCursors);
audit::logKillCursorsAuthzCheck(
client,
NamespaceString(refsNSIt->second),
id,
isAuthorized ? ErrorCodes::OK : ErrorCodes::Unauthorized);
if (!isAuthorized) {
continue;
}
server = refsIt->second;
_refs.erase(refsIt);
_refsNS.erase(refsNSIt);
}
LOG(_myLogLevel) << "CursorCache::found gotKillCursors id: " << id << " server: " << server << endl;
verify( server.size() );
ScopedDbConnection conn(server);
conn->killCursor( id );
conn.done();
}
}
bool handleSpecialNamespaces( Request& r , QueryMessage& q ) {
const char * ns = strstr( r.getns() , ".$cmd.sys." );
if ( ! ns )
return false;
ns += 10;
BSONObjBuilder b;
vector<Shard> shards;
ClientBasic* client = ClientBasic::getCurrent();
AuthorizationSession* authSession = client->getAuthorizationSession();
if ( strcmp( ns , "inprog" ) == 0 ) {
const bool isAuthorized = authSession->isAuthorizedForActionsOnResource(
ResourcePattern::forClusterResource(), ActionType::inprog);
audit::logInProgAuthzCheck(
client, q.query, isAuthorized ? ErrorCodes::OK : ErrorCodes::Unauthorized);
uassert(ErrorCodes::Unauthorized, "not authorized to run inprog", isAuthorized);
Shard::getAllShards( shards );
BSONArrayBuilder arr( b.subarrayStart( "inprog" ) );
for ( unsigned i=0; i<shards.size(); i++ ) {
Shard shard = shards[i];
ScopedDbConnection conn(shard.getConnString());
BSONObj temp = conn->findOne( r.getns() , q.query );
if ( temp["inprog"].isABSONObj() ) {
BSONObjIterator i( temp["inprog"].Obj() );
while ( i.more() ) {
BSONObjBuilder x;
BSONObjIterator j( i.next().Obj() );
while( j.more() ) {
BSONElement e = j.next();
if ( str::equals( e.fieldName() , "opid" ) ) {
stringstream ss;
ss << shard.getName() << ':' << e.numberInt();
x.append( "opid" , ss.str() );
}
else if ( str::equals( e.fieldName() , "client" ) ) {
x.appendAs( e , "client_s" );
}
else {
x.append( e );
}
}
arr.append( x.obj() );
}
}
conn.done();
}
arr.done();
}
else if ( strcmp( ns , "killop" ) == 0 ) {
const bool isAuthorized = authSession->isAuthorizedForActionsOnResource(
ResourcePattern::forClusterResource(), ActionType::killop);
audit::logKillOpAuthzCheck(
client,
q.query,
isAuthorized ? ErrorCodes::OK : ErrorCodes::Unauthorized);
uassert(ErrorCodes::Unauthorized, "not authorized to run killop", isAuthorized);
BSONElement e = q.query["op"];
if ( e.type() != String ) {
b.append( "err" , "bad op" );
b.append( e );
}
else {
b.append( e );
string s = e.String();
string::size_type i = s.find( ':' );
if ( i == string::npos ) {
b.append( "err" , "bad opid" );
}
else {
string shard = s.substr( 0 , i );
int opid = atoi( s.substr( i + 1 ).c_str() );
b.append( "shard" , shard );
b.append( "shardid" , opid );
log() << "want to kill op: " << e << endl;
Shard s(shard);
ScopedDbConnection conn(s.getConnString());
conn->findOne( r.getns() , BSON( "op" << opid ) );
conn.done();
}
}
}
else if ( strcmp( ns , "unlock" ) == 0 ) {
b.append( "err" , "can't do unlock through mongos" );
}
else {
warning() << "unknown sys command [" << ns << "]" << endl;
return false;
}
BSONObj x = b.done();
replyToQuery(0, r.p(), r.m(), x);
return true;
}
void Strategy::getMore( Request& r ) {
Timer getMoreTimer;
const char* ns = r.getns();
const int ntoreturn = r.d().pullInt();
const long long id = r.d().pullInt64();
// TODO: Handle stale config exceptions here from coll being dropped or sharded during op
// for now has same semantics as legacy request
const NamespaceString nss(ns);
auto statusGetDb = grid.catalogCache()->getDatabase(nss.db().toString());
if (statusGetDb == ErrorCodes::DatabaseNotFound) {
cursorCache.remove(id);
replyToQuery(ResultFlag_CursorNotFound, r.p(), r.m(), 0, 0, 0);
return;
}
uassertStatusOK(statusGetDb);
shared_ptr<DBConfig> config = statusGetDb.getValue();
ShardPtr primary;
ChunkManagerPtr info;
config->getChunkManagerOrPrimary( ns, info, primary );
//
// TODO: Cleanup cursor cache, consolidate into single codepath
//
const string host = cursorCache.getRef(id);
ShardedClientCursorPtr cursor = cursorCache.get( id );
int cursorMaxTimeMS = cursorCache.getMaxTimeMS( id );
// Cursor ids should not overlap between sharded and unsharded cursors
massert( 17012, str::stream() << "duplicate sharded and unsharded cursor id "
<< id << " detected for " << ns
<< ", duplicated on host " << host,
NULL == cursorCache.get( id ).get() || host.empty() );
ClientBasic* client = ClientBasic::getCurrent();
NamespaceString nsString(ns);
AuthorizationSession* authSession = client->getAuthorizationSession();
Status status = authSession->checkAuthForGetMore( nsString, id );
audit::logGetMoreAuthzCheck( client, nsString, id, status.code() );
uassertStatusOK(status);
if( !host.empty() ){
LOG(3) << "single getmore: " << ns << endl;
// we used ScopedDbConnection because we don't get about config versions
// not deleting data is handled elsewhere
// and we don't want to call setShardVersion
ScopedDbConnection conn(host);
Message response;
bool ok = conn->callRead( r.m() , response);
uassert( 10204 , "dbgrid: getmore: error calling db", ok);
bool hasMore = (response.singleData().getCursor() != 0);
if ( !hasMore ) {
cursorCache.removeRef( id );
}
r.reply( response , "" /*conn->getServerAddress() */ );
conn.done();
return;
}
else if ( cursor ) {
if ( cursorMaxTimeMS == kMaxTimeCursorTimeLimitExpired ) {
cursorCache.remove( id );
uasserted( ErrorCodes::ExceededTimeLimit, "operation exceeded time limit" );
}
// TODO: Try to match logic of mongod, where on subsequent getMore() we pull lots more data?
BufBuilder buffer( ShardedClientCursor::INIT_REPLY_BUFFER_SIZE );
int docCount = 0;
const int startFrom = cursor->getTotalSent();
bool hasMore = cursor->sendNextBatch(ntoreturn, buffer, docCount);
if ( hasMore ) {
// still more data
cursor->accessed();
if ( cursorMaxTimeMS != kMaxTimeCursorNoTimeLimit ) {
// Update remaining amount of time in cursor cache.
int cursorLeftoverMillis = cursorMaxTimeMS - getMoreTimer.millis();
if ( cursorLeftoverMillis <= 0 ) {
cursorLeftoverMillis = kMaxTimeCursorTimeLimitExpired;
}
cursorCache.updateMaxTimeMS( id, cursorLeftoverMillis );
}
}
else {
// we've exhausted the cursor
cursorCache.remove( id );
}
replyToQuery( 0, r.p(), r.m(), buffer.buf(), buffer.len(), docCount,
startFrom, hasMore ? cursor->getId() : 0 );
return;
}
else {
LOG( 3 ) << "could not find cursor " << id << " in cache for " << ns << endl;
replyToQuery( ResultFlag_CursorNotFound , r.p() , r.m() , 0 , 0 , 0 );
return;
}
}
void Strategy::queryOp( Request& r ) {
verify( !NamespaceString( r.getns() ).isCommand() );
Timer queryTimer;
QueryMessage q( r.d() );
NamespaceString ns(q.ns);
ClientBasic* client = ClientBasic::getCurrent();
AuthorizationSession* authSession = client->getAuthorizationSession();
Status status = authSession->checkAuthForQuery(ns, q.query);
audit::logQueryAuthzCheck(client, ns, q.query, status.code());
uassertStatusOK(status);
LOG(3) << "query: " << q.ns << " " << q.query << " ntoreturn: " << q.ntoreturn
<< " options: " << q.queryOptions << endl;
if ( q.ntoreturn == 1 && strstr(q.ns, ".$cmd") )
throw UserException( 8010 , "something is wrong, shouldn't see a command here" );
if (q.queryOptions & QueryOption_Exhaust) {
uasserted(18526,
string("the 'exhaust' query option is invalid for mongos queries: ") + q.ns
+ " " + q.query.toString());
}
QuerySpec qSpec( (string)q.ns, q.query, q.fields, q.ntoskip, q.ntoreturn, q.queryOptions );
// Parse "$maxTimeMS".
StatusWith<int> maxTimeMS = LiteParsedQuery::parseMaxTimeMSQuery( q.query );
uassert( 17233,
maxTimeMS.getStatus().reason(),
maxTimeMS.isOK() );
if ( _isSystemIndexes( q.ns ) && doShardedIndexQuery( r, qSpec )) {
return;
}
ParallelSortClusteredCursor * cursor = new ParallelSortClusteredCursor( qSpec, CommandInfo() );
verify( cursor );
// TODO: Move out to Request itself, not strategy based
try {
cursor->init();
if ( qSpec.isExplain() ) {
BSONObjBuilder explain_builder;
cursor->explain( explain_builder );
explain_builder.appendNumber( "executionTimeMillis",
static_cast<long long>(queryTimer.millis()) );
BSONObj b = explain_builder.obj();
replyToQuery( 0 , r.p() , r.m() , b );
delete( cursor );
return;
}
}
catch(...) {
delete cursor;
throw;
}
// TODO: Revisit all of this when we revisit the sharded cursor cache
if (cursor->getNumQueryShards() != 1) {
// More than one shard (or zero), manage with a ShardedClientCursor
// NOTE: We may also have *zero* shards here when the returnPartial flag is set.
// Currently the code in ShardedClientCursor handles this.
ShardedClientCursorPtr cc (new ShardedClientCursor( q , cursor ));
BufBuilder buffer( ShardedClientCursor::INIT_REPLY_BUFFER_SIZE );
int docCount = 0;
const int startFrom = cc->getTotalSent();
bool hasMore = cc->sendNextBatch(q.ntoreturn, buffer, docCount);
if ( hasMore ) {
LOG(5) << "storing cursor : " << cc->getId() << endl;
int cursorLeftoverMillis = maxTimeMS.getValue() - queryTimer.millis();
if ( maxTimeMS.getValue() == 0 ) { // 0 represents "no limit".
cursorLeftoverMillis = kMaxTimeCursorNoTimeLimit;
}
else if ( cursorLeftoverMillis <= 0 ) {
cursorLeftoverMillis = kMaxTimeCursorTimeLimitExpired;
}
cursorCache.store( cc, cursorLeftoverMillis );
}
replyToQuery( 0, r.p(), r.m(), buffer.buf(), buffer.len(), docCount,
startFrom, hasMore ? cc->getId() : 0 );
}
else{
// Only one shard is used
// Remote cursors are stored remotely, we shouldn't need this around.
scoped_ptr<ParallelSortClusteredCursor> cursorDeleter( cursor );
ShardPtr shard = cursor->getQueryShard();
verify( shard.get() );
DBClientCursorPtr shardCursor = cursor->getShardCursor(*shard);
// Implicitly stores the cursor in the cache
r.reply( *(shardCursor->getMessage()) , shardCursor->originalHost() );
// We don't want to kill the cursor remotely if there's still data left
shardCursor->decouple();
}
}
void CursorCache::gotKillCursors(Message& m ) {
DbMessage dbmessage(m);
int n = dbmessage.pullInt();
if ( n > 2000 ) {
( n < 30000 ? warning() : error() ) << "receivedKillCursors, n=" << n << endl;
}
uassert( 13286 , "sent 0 cursors to kill" , n >= 1 );
uassert( 13287 , "too many cursors to kill" , n < 30000 );
massert( 18632 , str::stream() << "bad kill cursors size: " << m.dataSize(),
m.dataSize() == 8 + ( 8 * n ) );
ConstDataCursor cursors(dbmessage.getArray(n));
ClientBasic* client = ClientBasic::getCurrent();
AuthorizationSession* authSession = client->getAuthorizationSession();
for ( int i=0; i<n; i++ ) {
long long id = cursors.readAndAdvance<LittleEndian<int64_t>>();
LOG(_myLogLevel) << "CursorCache::gotKillCursors id: " << id << endl;
if ( ! id ) {
warning() << " got cursor id of 0 to kill" << endl;
continue;
}
string server;
{
boost::lock_guard<boost::mutex> lk( _mutex );
MapSharded::iterator i = _cursors.find( id );
if ( i != _cursors.end() ) {
Status authorizationStatus = authSession->checkAuthForKillCursors(
NamespaceString(i->second->getNS()), id);
audit::logKillCursorsAuthzCheck(
client,
NamespaceString(i->second->getNS()),
id,
authorizationStatus.isOK() ? ErrorCodes::OK : ErrorCodes::Unauthorized);
if (authorizationStatus.isOK()) {
_cursorsMaxTimeMS.erase( i->second->getId() );
_cursors.erase( i );
}
continue;
}
MapNormal::iterator refsIt = _refs.find(id);
MapNormal::iterator refsNSIt = _refsNS.find(id);
if (refsIt == _refs.end()) {
warning() << "can't find cursor: " << id << endl;
continue;
}
verify(refsNSIt != _refsNS.end());
Status authorizationStatus = authSession->checkAuthForKillCursors(
NamespaceString(refsNSIt->second), id);
audit::logKillCursorsAuthzCheck(
client,
NamespaceString(refsNSIt->second),
id,
authorizationStatus.isOK() ? ErrorCodes::OK : ErrorCodes::Unauthorized);
if (!authorizationStatus.isOK()) {
continue;
}
server = refsIt->second;
_refs.erase(refsIt);
_refsNS.erase(refsNSIt);
cursorStatsSingleTarget.decrement();
}
LOG(_myLogLevel) << "CursorCache::found gotKillCursors id: " << id << " server: " << server << endl;
verify( server.size() );
ScopedDbConnection conn(server);
conn->killCursor( id );
conn.done();
}
}
void Command::execCommandClientBasic(Command * c ,
ClientBasic& client,
int queryOptions,
const char *ns,
BSONObj& cmdObj,
BSONObjBuilder& result,
bool fromRepl ) {
verify(c);
std::string dbname = nsToDatabase(ns);
// Access control checks
if (AuthorizationManager::isAuthEnabled()) {
std::vector<Privilege> privileges;
c->addRequiredPrivileges(dbname, cmdObj, &privileges);
AuthorizationSession* authSession = client.getAuthorizationSession();
if (!authSession->checkAuthForPrivileges(privileges).isOK()) {
result.append("note", str::stream() << "not authorized for command: " <<
c->name << " on database " << dbname);
appendCommandStatus(result, false, "unauthorized");
return;
}
}
if (c->adminOnly() &&
c->localHostOnlyIfNoAuth(cmdObj) &&
!AuthorizationManager::isAuthEnabled() &&
!client.getIsLocalHostConnection()) {
log() << "command denied: " << cmdObj.toString() << endl;
appendCommandStatus(result,
false,
"unauthorized: this command must run from localhost when running db "
"without auth");
return;
}
if (c->adminOnly() && !startsWith(ns, "admin.")) {
log() << "command denied: " << cmdObj.toString() << endl;
appendCommandStatus(result, false, "access denied - use admin db");
return;
}
// End of access control checks
if (cmdObj.getBoolField("help")) {
stringstream help;
help << "help for: " << c->name << " ";
c->help( help );
result.append( "help" , help.str() );
result.append( "lockType" , c->locktype() );
appendCommandStatus(result, true, "");
return;
}
std::string errmsg;
bool ok;
try {
ok = c->run( dbname , cmdObj, queryOptions, errmsg, result, false );
}
catch (DBException& e) {
ok = false;
int code = e.getCode();
if (code == RecvStaleConfigCode) { // code for StaleConfigException
throw;
}
stringstream ss;
ss << "exception: " << e.what();
errmsg = ss.str();
result.append( "code" , code );
}
appendCommandStatus(result, ok, errmsg);
}
