fix read only user support with sharding for basic queries SERVER-4156

guanqun · Oct 26, 2011 · 5a03de8 · 5a03de8
1 parent c0773ef
commit 5a03de8
Show file tree

Hide file tree

Showing 6 changed files with 13 additions and 6 deletions.
diff --git a/s/commands_admin.cpp b/s/commands_admin.cpp
@@ -1002,6 +1002,8 @@ namespace mongo {
         class CmdShardingGetPrevError : public Command {
         public:
             virtual LockType locktype() const { return NONE; }
+            virtual bool requiresAuth() { return false; }
+
             virtual bool slaveOk() const {
                 return true;
             }
@@ -1018,6 +1020,7 @@ namespace mongo {
         class CmdShardingGetLastError : public Command {
         public:
             virtual LockType locktype() const { return NONE; }
+            virtual bool requiresAuth() { return false; }
             virtual bool slaveOk() const {
                 return true;
             }

diff --git a/s/commands_public.cpp b/s/commands_public.cpp
@@ -1346,6 +1346,7 @@ namespace mongo {
             if( c->requiresAuth() && !ai->isAuthorized(cl)) {
                 ok = false;
                 errmsg = "unauthorized";
+                anObjBuilder.append( "note" , str::stream() << "need to authorized on db: " << cl << " for command: " << e.fieldName() );
             }
             else if( c->adminOnly() && c->localHostOnlyIfNoAuth( jsobj ) && noauth && !ai->isLocalHost ) {
                 ok = false;

diff --git a/s/request.cpp b/s/request.cpp
@@ -45,10 +45,12 @@ namespace mongo {
         _clientInfo->newRequest( p );
     }
 
-    void Request::checkAuth() const {
+    void Request::checkAuth( Auth::Level levelNeeded ) const {
         char cl[256];
         nsToDatabase(getns(), cl);
-        uassert(15845, "unauthorized", _clientInfo->getAuthenticationInfo()->isAuthorized(cl));
+        uassert( 15845 , 
+                 str::stream() << "unauthorized for db:" << cl << " level: " << levelNeeded ,
+                 _clientInfo->getAuthenticationInfo()->isAuthorizedForLevel(cl,levelNeeded) );
     }
 
     void Request::init() {
@@ -144,10 +146,11 @@ namespace mongo {
             }
         }
         else if ( op == dbGetMore ) {
+            checkAuth( Auth::READ ); // this is important so someone can't steal a cursor
             s->getMore( *this );
         }
         else {
-            checkAuth();
+            checkAuth( Auth::WRITE );
             s->writeOp( op, *this );
         }
 

diff --git a/s/request.h b/s/request.h
@@ -70,7 +70,7 @@ namespace mongo {
             return _clientInfo;
         }
 
-        void checkAuth() const;
+        void checkAuth( Auth::Level levelNeeded ) const;
 
         // ---- remote location info -----
 

diff --git a/s/strategy.cpp b/s/strategy.cpp
@@ -46,7 +46,7 @@ namespace mongo {
 
     void Strategy::doQuery( Request& r , const Shard& shard ) {
 
-        r.checkAuth();
+        r.checkAuth( Auth::READ );
 
         ShardConnection dbcon( shard , r.getns() );
         DBClientBase &c = dbcon.conn();

diff --git a/s/strategy_shard.cpp b/s/strategy_shard.cpp
@@ -35,7 +35,7 @@ namespace mongo {
         virtual void queryOp( Request& r ) {
             QueryMessage q( r.d() );
 
-            r.checkAuth();
+            r.checkAuth( Auth::READ );
 
             LOG(3) << "shard query: " << q.ns << "  " << q.query << endl;