/**
 * Fetch the credential material used to verify an authenticate command.
 *
 * @param dbname   database the client is authenticating against; its
 *                 "<dbname>.system.users" collection is queried.
 * @param user     user name taken from the authenticate request.
 * @param userObj  out: the matching user document (left untouched for the internal user).
 * @param pwd      out: internalSecurity.pwd for the internal user, otherwise the
 *                 string value of the document's "pwd" field.
 * @return false when no document matches `user`; true otherwise.
 *
 * uasserts with code 15890 when the internal user is requested but no key file is configured.
 */
bool CmdAuthenticate::getUserObj(const string& dbname, const string& user, BSONObj& userObj, string& pwd) {
    // The cluster-internal user is never looked up in the database. It is only
    // accepted when a key file is configured.
    if (user == internalSecurity.user) {
        uassert(15890, "key file must be used to log in with internal user", !cmdLine.keyFile.empty());
        pwd = internalSecurity.pwd;
        return true;
    }

    string systemUsers = dbname + ".system.users";
    DBConfigPtr config = grid.getDBConfig( systemUsers );
    Shard s = config->getShard( systemUsers );

    static BSONObj userPattern = BSON("user" << 1);

    // 30.0 is the second argument to the connection factory (presumably a socket
    // timeout in seconds -- confirm against ScopedDbConnection).
    scoped_ptr<ScopedDbConnection> conn(
        ScopedDbConnection::getInternalScopedDbConnection( s.getConnString(), 30.0 ) );

    OCCASIONALLY conn->get()->ensureIndex(systemUsers, userPattern, false, "user_1");

    // NOTE(review): QueryOption_SlaveOk lets this read be served by a secondary, so a
    // user that was just removed (or whose password just changed) may still be seen
    // with the old credentials until replication catches up -- confirm this is acceptable.
    BSONObj query = BSON("user" << user);
    userObj = conn->get()->findOne(systemUsers, query, 0, QueryOption_SlaveOk);

    const bool found = !userObj.isEmpty();
    if (found) {
        // NOTE(review): if the document has no string "pwd" field this presumably yields
        // an empty string; the caller must not treat an empty value as a valid credential.
        pwd = userObj.getStringField("pwd");
    }
    else {
        // NOTE(review): `user` is client-supplied and is written to the log before
        // authentication has succeeded.
        log() << "auth: couldn't find user " << user << ", " << systemUsers << endl;
    }

    conn->done(); // return to pool
    return found;
}
/**
 * Localhost exception: grant access to a localhost client while no users exist
 * in admin.system.users.
 *
 * @param dbname  not used by this check.
 * @return true only when the client is on localhost AND admin.system.users
 *         returned no document; false in every other case.
 */
bool AuthenticationInfo::_isAuthorizedSpecialChecks( const string& dbname ) const {
    // Remote clients are never eligible for the exception.
    if ( !_isLocalHost )
        return false;

    string adminNs = "admin.system.users";
    DBConfigPtr config = grid.getDBConfig( adminNs );
    Shard s = config->getShard( adminNs );
    ShardConnection conn( s, adminNs );

    BSONObj result = conn->findOne("admin.system.users", Query());

    // NOTE(review): an empty result is treated as "no users configured" and grants
    // access. Whether findOne() can return an empty object on an error (rather than
    // throwing) is not visible here; if it can, a failed lookup would fail open.
    // TODO: Check for errors during findOne(), or just let the conn die?
    const bool noAdminUsers = result.isEmpty();

    if ( noAdminUsers && !_warned ) {
        // you could get a few of these in a race, but that's ok
        _warned = true;
        log() << "note: no users configured in admin.system.users, allowing localhost access" << endl;
    }

    // Must return conn to pool
    conn.done();
    return noAdminUsers;
}
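/**
 * Fetch the credential material used to verify an authenticate command.
 *
 * @param dbname   database the client is authenticating against; its
 *                 "<dbname>.system.users" collection is queried.
 * @param user     user name taken from the authenticate request.
 * @param userObj  out: the matching user document (left untouched for the internal user).
 * @param pwd      out: internalSecurity.pwd for the internal user, otherwise the
 *                 string value of the document's "pwd" field.
 * @return false when no document matches `user`; true otherwise.
 *
 * uasserts with code 15890 when the internal user is requested but no key file is configured.
 */
bool CmdAuthenticate::getUserObj(const string& dbname, const string& user, BSONObj& userObj, string& pwd) {
    if (user == internalSecurity.user) {
        // Only accept the internal user when a key file is configured. Without this
        // guard the internal user could be requested on a deployment that has no
        // operator-supplied secret behind internalSecurity.pwd (assumption -- confirm
        // how internalSecurity.pwd is initialised when no key file is given).
        uassert(15890, "key file must be used to log in with internal user", !cmdLine.keyFile.empty());
        pwd = internalSecurity.pwd;
        return true;
    }

    string systemUsers = dbname + ".system.users";
    DBConfigPtr config = grid.getDBConfig( systemUsers );
    Shard s = config->getShard( systemUsers );

    static BSONObj userPattern = BSON("user" << 1);

    ShardConnection conn( s, systemUsers );
    OCCASIONALLY conn->ensureIndex(systemUsers, userPattern, false, "user_1");

    BSONObjBuilder b;
    b << "user" << user;
    BSONObj query = b.done();

    userObj = conn->findOne(systemUsers, query);
    if( userObj.isEmpty() ) {
        // NOTE(review): `user` is client-supplied and is written to the log before
        // authentication has succeeded.
        log() << "auth: couldn't find user " << user << ", " << systemUsers << endl;
        conn.done(); // return to pool on the failure path as well
        return false;
    }

    // NOTE(review): if the document has no string "pwd" field this presumably yields
    // an empty string; the caller must not treat an empty value as a valid credential.
    pwd = userObj.getStringField("pwd");

    conn.done(); // return to pool; the connection was previously never handed back
    return true;
}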
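/**
 * Create this client's AuthorizationManager, initialize it over a connection to
 * the shard that holds the "admin" database, and install it with
 * setAuthorizationManager().
 *
 * masserts with code 16479 when initialization does not return Status::OK().
 */
void ClientInfo::_setupAuth() {
    std::string adminNs = "admin";
    DBConfigPtr config = grid.getDBConfig(adminNs);
    Shard shard = config->getShard(adminNs);
    // NOTE(review): done() is never called on this connection, so it is not handed
    // back to the pool. Whether initialize() keeps the pointer from conn.get()
    // beyond the call is not visible here -- confirm before adding conn.done().
    ShardConnection conn(shard, adminNs);

    AuthorizationManager* authManager = new AuthorizationManager(new AuthExternalStateImpl());
    Status status = authManager->initialize(conn.get());

    if (!(status == Status::OK())) {
        // The massert below raises on failure, which would leak the manager (and,
        // presumably, the external state it was given). Release it first.
        delete authManager;
        authManager = 0;
    }

    massert(16479,
            mongoutils::str::stream() << "Error initializing AuthorizationManager: "
                                      << status.reason(),
            status == Status::OK());

    setAuthorizationManager(authManager);
}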
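/**
 * Create this client's AuthorizationManager, initialize it over an internal
 * connection to the shard that holds the "admin" database, and install it with
 * setAuthorizationManager().
 *
 * masserts with code 16479 when initialization does not return Status::OK().
 */
void ClientInfo::_setupAuth() {
    std::string adminNs = "admin";
    DBConfigPtr config = grid.getDBConfig(adminNs);
    Shard shard = config->getShard(adminNs);

    //
    // Note: The connection mechanism here is *not* ideal, and should not be used elsewhere.
    // It is safe in this particular case because the admin database is always on the config
    // server and does not move.
    //
    // NOTE(review): done() is never called on this connection, so it is not handed
    // back to the pool. Whether initialize() keeps the pointer from conn.get()
    // beyond the call is not visible here -- confirm before adding conn.done().
    scoped_ptr<ScopedDbConnection> connPtr(
            ScopedDbConnection::getInternalScopedDbConnection(shard.getConnString(), 30.0));
    ScopedDbConnection& conn = *connPtr;

    AuthorizationManager* authManager = new AuthorizationManager(new AuthExternalStateImpl());
    Status status = authManager->initialize(conn.get());

    if (!(status == Status::OK())) {
        // The massert below raises on failure, which would leak the manager (and,
        // presumably, the external state it was given). Release it first.
        delete authManager;
        authManager = 0;
    }

    massert(16479,
            mongoutils::str::stream() << "Error initializing AuthorizationManager: "
                                      << status.reason(),
            status == Status::OK());

    setAuthorizationManager(authManager);
}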
/**
 * Re-evaluate the localhost exception for this client.
 *
 * Does nothing when auth is disabled (noauth), the client is not on localhost,
 * or the exception has already been withdrawn. Otherwise it queries
 * admin.system.users and keeps the exception only while that query returns no
 * document.
 */
void AuthenticationInfo::_checkLocalHostSpecialAdmin() {
    const bool exceptionStillPossible =
        !noauth && _isLocalHost && _isLocalHostAndLocalHostIsAuthorizedForAll;
    if (!exceptionStillPossible)
        return;

    string adminNs = "admin.system.users";
    DBConfigPtr config = grid.getDBConfig( adminNs );
    Shard s = config->getShard( adminNs );

    //
    // Note: The connection mechanism here is *not* ideal, and should not be used elsewhere.
    // It is safe in this particular case because the admin database is always on the config
    // server and does not move.
    //
    scoped_ptr<ScopedDbConnection> conn(
            ScopedDbConnection::getInternalScopedDbConnection(s.getConnString(), 30.0));
    ScopedDbConnection& scoped = *conn;

    BSONObj result = scoped->findOne("admin.system.users", Query());

    // NOTE(review): an empty result is treated as "no users configured" and keeps the
    // localhost exception in force. Whether findOne() can return an empty object on an
    // error (rather than throwing) is not visible here; if it can, a failed lookup
    // would fail open.
    // TODO: Check for errors during findOne(), or just let the conn die?
    const bool noAdminUsers = result.isEmpty();

    if ( noAdminUsers && !_warned ) {
        // you could get a few of these in a race, but that's ok
        _warned = true;
        log() << "note: no users configured in admin.system.users, allowing localhost access" << endl;
    }

    // Must return conn to pool
    scoped.done();
    _isLocalHostAndLocalHostIsAuthorizedForAll = noAdminUsers;
}