SERVER-32245 Update and clarify authSchema version checks
sgolemon-corp committed Dec 19, 2017
1 parent a0c66e6 commit a5463ee
Showing 1 changed file with 31 additions and 24 deletions.
55 changes: 31 additions & 24 deletions src/mongo/db/commands/user_management_commands.cpp
@@ -544,23 +544,23 @@ Status writeAuthSchemaVersionIfNeeded(OperationContext* opCtx,

/**
* Returns Status::OK() if the current Auth schema version is at least the auth schema version
* for the MongoDB 2.6 and 3.0 MongoDB-CR/SCRAM mixed auth mode.
* for the MongoDB 3.0 SCRAM auth mode.
* Returns an error otherwise.
*/
Status requireAuthSchemaVersion26Final(OperationContext* opCtx,
AuthorizationManager* authzManager) {
Status requireWritableAuthSchema28SCRAM(OperationContext* opCtx,
AuthorizationManager* authzManager) {
int foundSchemaVersion;
Status status = authzManager->getAuthorizationVersion(opCtx, &foundSchemaVersion);
if (!status.isOK()) {
return status;
}

if (foundSchemaVersion < AuthorizationManager::schemaVersion26Final) {
if (foundSchemaVersion < AuthorizationManager::schemaVersion28SCRAM) {
return Status(ErrorCodes::AuthSchemaIncompatible,
str::stream()
<< "User and role management commands require auth data to have "
<< "at least schema version "
<< AuthorizationManager::schemaVersion26Final
<< AuthorizationManager::schemaVersion28SCRAM
<< " but found "
<< foundSchemaVersion);
}
@@ -571,9 +571,16 @@ Status requireAuthSchemaVersion26Final(OperationContext* opCtx,
* Returns Status::OK() if the current Auth schema version is at least the auth schema version
* for MongoDB 2.6 during the upgrade process.
* Returns an error otherwise.
*
* This method should only be called by READ-ONLY commands (usersInfo & rolesInfo)
* because getAuthorizationVersion() will return the current max version without
* reifying the authSchema setting in the admin database.
*
* If records are added thinking we're at one schema level, then the default is changed,
* then the auth database would wind up in an inconsistent state.
*/
Status requireAuthSchemaVersion26UpgradeOrFinal(OperationContext* opCtx,
AuthorizationManager* authzManager) {
Status requireReadableAuthSchema26Upgrade(OperationContext* opCtx,
AuthorizationManager* authzManager) {
int foundSchemaVersion;
Status status = authzManager->getAuthorizationVersion(opCtx, &foundSchemaVersion);
if (!status.isOK()) {
@@ -714,7 +721,7 @@ class CmdCreateUser : public BasicCommand {

stdx::lock_guard<stdx::mutex> lk(getAuthzDataMutex(serviceContext));

status = requireAuthSchemaVersion26Final(opCtx, authzManager);
status = requireWritableAuthSchema28SCRAM(opCtx, authzManager);
if (!status.isOK()) {
return appendCommandStatus(result, status);
}
@@ -852,7 +859,7 @@ class CmdUpdateUser : public BasicCommand {
stdx::lock_guard<stdx::mutex> lk(getAuthzDataMutex(serviceContext));

AuthorizationManager* authzManager = AuthorizationManager::get(serviceContext);
status = requireAuthSchemaVersion26Final(opCtx, authzManager);
status = requireWritableAuthSchema28SCRAM(opCtx, authzManager);
if (!status.isOK()) {
return appendCommandStatus(result, status);
}
@@ -922,7 +929,7 @@ class CmdDropUser : public BasicCommand {
ServiceContext* serviceContext = opCtx->getClient()->getServiceContext();
stdx::lock_guard<stdx::mutex> lk(getAuthzDataMutex(serviceContext));
AuthorizationManager* authzManager = AuthorizationManager::get(serviceContext);
status = requireAuthSchemaVersion26Final(opCtx, authzManager);
status = requireWritableAuthSchema28SCRAM(opCtx, authzManager);
if (!status.isOK()) {
return appendCommandStatus(result, status);
}
@@ -988,7 +995,7 @@ class CmdDropAllUsersFromDatabase : public BasicCommand {
stdx::lock_guard<stdx::mutex> lk(getAuthzDataMutex(serviceContext));

AuthorizationManager* authzManager = AuthorizationManager::get(serviceContext);
status = requireAuthSchemaVersion26Final(opCtx, authzManager);
status = requireWritableAuthSchema28SCRAM(opCtx, authzManager);
if (!status.isOK()) {
return appendCommandStatus(result, status);
}
@@ -1048,7 +1055,7 @@ class CmdGrantRolesToUser : public BasicCommand {
stdx::lock_guard<stdx::mutex> lk(getAuthzDataMutex(serviceContext));

AuthorizationManager* authzManager = AuthorizationManager::get(serviceContext);
status = requireAuthSchemaVersion26Final(opCtx, authzManager);
status = requireWritableAuthSchema28SCRAM(opCtx, authzManager);
if (!status.isOK()) {
return appendCommandStatus(result, status);
}
@@ -1120,7 +1127,7 @@ class CmdRevokeRolesFromUser : public BasicCommand {
stdx::lock_guard<stdx::mutex> lk(getAuthzDataMutex(serviceContext));

AuthorizationManager* authzManager = AuthorizationManager::get(serviceContext);
status = requireAuthSchemaVersion26Final(opCtx, authzManager);
status = requireWritableAuthSchema28SCRAM(opCtx, authzManager);
if (!status.isOK()) {
return appendCommandStatus(result, status);
}
@@ -1190,7 +1197,7 @@ class CmdUsersInfo : public BasicCommand {
return appendCommandStatus(result, status);
}

status = requireAuthSchemaVersion26UpgradeOrFinal(opCtx, getGlobalAuthorizationManager());
status = requireReadableAuthSchema26Upgrade(opCtx, getGlobalAuthorizationManager());
if (!status.isOK()) {
return appendCommandStatus(result, status);
}
@@ -1373,7 +1380,7 @@ class CmdCreateRole : public BasicCommand {
stdx::lock_guard<stdx::mutex> lk(getAuthzDataMutex(serviceContext));

AuthorizationManager* authzManager = AuthorizationManager::get(serviceContext);
status = requireAuthSchemaVersion26Final(opCtx, authzManager);
status = requireWritableAuthSchema28SCRAM(opCtx, authzManager);
if (!status.isOK()) {
return appendCommandStatus(result, status);
}
@@ -1469,7 +1476,7 @@ class CmdUpdateRole : public BasicCommand {
stdx::lock_guard<stdx::mutex> lk(getAuthzDataMutex(serviceContext));

AuthorizationManager* authzManager = AuthorizationManager::get(serviceContext);
status = requireAuthSchemaVersion26Final(opCtx, authzManager);
status = requireWritableAuthSchema28SCRAM(opCtx, authzManager);
if (!status.isOK()) {
return appendCommandStatus(result, status);
}
@@ -1557,7 +1564,7 @@ class CmdGrantPrivilegesToRole : public BasicCommand {
stdx::lock_guard<stdx::mutex> lk(getAuthzDataMutex(serviceContext));

AuthorizationManager* authzManager = AuthorizationManager::get(serviceContext);
status = requireAuthSchemaVersion26Final(opCtx, authzManager);
status = requireWritableAuthSchema28SCRAM(opCtx, authzManager);
if (!status.isOK()) {
return appendCommandStatus(result, status);
}
@@ -1666,7 +1673,7 @@ class CmdRevokePrivilegesFromRole : public BasicCommand {
stdx::lock_guard<stdx::mutex> lk(getAuthzDataMutex(serviceContext));

AuthorizationManager* authzManager = AuthorizationManager::get(serviceContext);
status = requireAuthSchemaVersion26Final(opCtx, authzManager);
status = requireWritableAuthSchema28SCRAM(opCtx, authzManager);
if (!status.isOK()) {
return appendCommandStatus(result, status);
}
@@ -1787,7 +1794,7 @@ class CmdGrantRolesToRole : public BasicCommand {
stdx::lock_guard<stdx::mutex> lk(getAuthzDataMutex(serviceContext));

AuthorizationManager* authzManager = AuthorizationManager::get(serviceContext);
status = requireAuthSchemaVersion26Final(opCtx, authzManager);
status = requireWritableAuthSchema28SCRAM(opCtx, authzManager);
if (!status.isOK()) {
return appendCommandStatus(result, status);
}
@@ -1867,7 +1874,7 @@ class CmdRevokeRolesFromRole : public BasicCommand {
stdx::lock_guard<stdx::mutex> lk(getAuthzDataMutex(serviceContext));

AuthorizationManager* authzManager = AuthorizationManager::get(serviceContext);
status = requireAuthSchemaVersion26Final(opCtx, authzManager);
status = requireWritableAuthSchema28SCRAM(opCtx, authzManager);
if (!status.isOK()) {
return appendCommandStatus(result, status);
}
@@ -1953,7 +1960,7 @@ class CmdDropRole : public BasicCommand {
stdx::lock_guard<stdx::mutex> lk(getAuthzDataMutex(serviceContext));

AuthorizationManager* authzManager = AuthorizationManager::get(serviceContext);
status = requireAuthSchemaVersion26Final(opCtx, authzManager);
status = requireWritableAuthSchema28SCRAM(opCtx, authzManager);
if (!status.isOK()) {
return appendCommandStatus(result, status);
}
@@ -2104,7 +2111,7 @@ class CmdDropAllRolesFromDatabase : public BasicCommand {
stdx::lock_guard<stdx::mutex> lk(getAuthzDataMutex(serviceContext));

AuthorizationManager* authzManager = AuthorizationManager::get(serviceContext);
status = requireAuthSchemaVersion26Final(opCtx, authzManager);
status = requireWritableAuthSchema28SCRAM(opCtx, authzManager);
if (!status.isOK()) {
return appendCommandStatus(result, status);
}
@@ -2243,7 +2250,7 @@ class CmdRolesInfo : public BasicCommand {
return appendCommandStatus(result, status);
}

status = requireAuthSchemaVersion26UpgradeOrFinal(opCtx, getGlobalAuthorizationManager());
status = requireReadableAuthSchema26Upgrade(opCtx, getGlobalAuthorizationManager());
if (!status.isOK()) {
return appendCommandStatus(result, status);
}
@@ -2743,7 +2750,7 @@ class CmdMergeAuthzCollections : public BasicCommand {
stdx::lock_guard<stdx::mutex> lk(getAuthzDataMutex(serviceContext));

AuthorizationManager* authzManager = AuthorizationManager::get(serviceContext);
status = requireAuthSchemaVersion26Final(opCtx, authzManager);
status = requireWritableAuthSchema28SCRAM(opCtx, authzManager);
if (!status.isOK()) {
return appendCommandStatus(result, status);
}
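Review bot: The doc comment on requireWritableAuthSchema28SCRAM does not state the write-path contract, even though the function reads the version through the same getAuthorizationVersion() call that the new comment on requireReadableAuthSchema26Upgrade describes as returning the current max version without reifying the authSchema setting. Nothing on the visible lines shows the user and role write commands persisting that setting before they modify auth data; presumably writeAuthSchemaVersionIfNeeded (named in the first hunk header) does so later in each command, but those bodies lie outside the hunks, so this should be confirmed for every caller. I would add a line to the comment such as `* Use from commands that modify users or roles; callers must also persist the schema version before writing.` so the read/write split is documented on both helpers rather than only on the read-only one. Separately, with the floor now at schemaVersion28SCRAM, these commands return AuthSchemaIncompatible on deployments whose stored schema is older, and the message reports the two version numbers without saying that an auth schema upgrade is the remedy.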