
SERVER-7626 Provide a facility for disabling the mongo challenge-resp…

…onse commands in server source.

This patch provides a mechanism for disabling the "nonce" and "authenticate" commands at runtime.  A
separate patch, in the subscription codebase, provides a startup parameter for choosing authentication
mechanisms to support.

Related to SERVER-7119.
commit 55bb0f445ee535fd3091b6f0436f4e0ed5c9a19b 1 parent 0753b2b
@andy10gen andy10gen authored
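--- a/src/mongo/db/security_commands.cpp
+++ b/src/mongo/db/security_commands.cpp
@@ -41,6 +41,12 @@
 namespace mongo {
+ static bool _areNonceAuthenticateCommandsEnabled = true;
+ static const char _nonceAuthenticateCommandsDisabledMessage[] =
+ "Challenge-response authentication using getnonce and authenticate commands is disabled.";
+
+ void CmdAuthenticate::disableCommand() { _areNonceAuthenticateCommandsEnabled = false; }
+
 /* authentication
 system.users contains
@@ -70,6 +76,11 @@ namespace mongo {
 const BSONObj& cmdObj,
 std::vector<Privilege>* out) {} // No auth required
 bool run(const string&, BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool fromRepl) {
+ if (!_areNonceAuthenticateCommandsEnabled) {
+ errmsg = _nonceAuthenticateCommandsDisabledMessage;
+ return false;
+ }
+
 nonce64 n = _random->nextInt64();
 stringstream ss;
 ss << hex << n;
@@ -97,6 +108,11 @@ namespace mongo {
 }
 bool CmdAuthenticate::run(const string& dbname , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool fromRepl) {
+ if (!_areNonceAuthenticateCommandsEnabled) {
+ errmsg = _nonceAuthenticateCommandsDisabledMessage;
+ return false;
+ }
+
 log() << " authenticate db: " << dbname << " " << cmdObj << endl;
 string user = cmdObj.getStringField("user");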
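Review bot: `_areNonceAuthenticateCommandsEnabled` is a plain `static bool` that `CmdAuthenticate::disableCommand()` writes and both `run()` bodies read, with no synchronization visible in these hunks. If `disableCommand()` can be called while the server is already handling connections (the description says "at runtime"), that is an unsynchronized read/write, and a connection thread may keep accepting challenge-response authentication after the switch. Either make the flag atomic or, if it is only ever set during startup, state that contract next to the declaration, e.g. `// Written once during startup, before any client connection is accepted; never set back to true.` The early return in `CmdAuthenticate::run` also sits above the `log()` line, so a refused attempt leaves no trace in the server log; a low-verbosity log entry on that branch would show operators which clients still try the disabled mechanism. Both `run()` bodies continue outside the hunks.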
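--- a/src/mongo/db/security_common.h
+++ b/src/mongo/db/security_common.h
@@ -36,6 +36,8 @@ namespace mongo {
 class CmdAuthenticate : public Command {
 public:
+ static void disableCommand();
+
 virtual bool requiresAuth() { return false; }
 virtual bool logTheOp() {
 return false;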
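Review bot: `disableCommand()` is declared without a comment, and its name suggests it affects only this command, while the definition in security_commands.cpp clears a flag that the getnonce command's `run()` checks as well. A declaration comment would make the scope and the one-way nature visible to callers: `// Disables both the getnonce and authenticate commands; this commit provides no call that re-enables them.` The class body continues outside the hunk.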