make security work for repl pairs

2024-12-01 01:21:03 +01:00 · 2009-01-24 16:05:12 -05:00 · 2009-01-24 16:05:12 -05:00 · ec434bd7c1
commit ec434bd7c1
parent 8ba2174076
1 changed files with 21 additions and 8 deletions
--- a/db/repl.cpp
+++ b/db/repl.cpp
@ -194,26 +194,39 @@ namespace mongo {

    class CmdIsMaster : public Command {
    public:
+        virtual bool requiresAuth() { return false; }
        virtual bool slaveOk() {
            return true;
        }
        CmdIsMaster() : Command("ismaster") { }
        virtual bool run(const char *ns, BSONObj& cmdObj, string& errmsg, BSONObjBuilder& result, bool /*fromRepl*/) {
+			/* currently request to arbiter is (somewhat arbitrarily) an ismaster request that is not 
+			   authenticated.
+			   we allow unauthenticated ismaster but we aren't as verbose informationally if 
+			   one is not authenticated for admin db to be safe.
+			*/
+			AuthenticationInfo *ai = authInfo.get();
+			bool authed = ai == 0 || ai->isAuthorized("admin");
+
            if ( allDead ) {
                result.append("ismaster", 0.0);
-                if ( replPair )
-                    result.append("remote", replPair->remote);
-                result.append("info", allDead);
+				if( authed ) { 
+					if ( replPair )
+						result.append("remote", replPair->remote);
+					result.append("info", allDead);
+				}
            }
            else if ( replPair ) {
                result.append("ismaster", replPair->state);
-                result.append("remote", replPair->remote);
-                if ( replPair->info.empty() )
-                    result.append("info", replPair->info);
-            }
+				if( authed ) {
+					result.append("remote", replPair->remote);
+					if ( !replPair->info.empty() )
+						result.append("info", replPair->info);
+				}
+			}
            else {
                result.append("ismaster", 1);
-                result.append("msg", "not paired");
+				result.append("msg", "not paired");
            }

            return true;