added --server.local-authentication

CHANGELOG

@@ -1,11 +1,13 @@
 v3.3.milestone1 (2017-10-06)
 ----------------------------
 
+* added option `--server.local-authentication`
+
 * UI: added user roles
 
 * added config option `--log.color` to toggle colorful logging to terminal
 
-* added config option `--log.thread-name` to additionally log thread names 
+* added config option `--log.thread-name` to additionally log thread names
 
 * usernames must not start with `:role:`, added new options:
     --server.authentication-timeout

Documentation/Books/Manual/Administration/Configuration/GeneralArangod.md

@@ -233,6 +233,15 @@ domain sockets.
 Sets the cache timeout to *value* (in seconds). This is only necessary
 if you use an external authentication system like LDAP.
 
+### Enable local authentication
+
+`--server.local-authentication value`
+
+If set to *false* only use the external authentication system. If
+*true* also use the local *_users* collections.
+
+The default value is *true*.
+
 ### Enable/disable replication applier
 
 `--database.replication-applier flag`

arangod/GeneralServer/AuthenticationFeature.cpp

@@ -46,6 +46,7 @@ AuthenticationFeature::AuthenticationFeature(
       _authenticationUnixSockets(true),
       _authenticationSystemOnly(true),
       _authenticationTimeout(0.0),
+      _localAuthentication(true),
       _jwtSecretProgramOption(""),
       _active(true) {
   setOptional(true);
@@ -84,6 +85,10 @@ void AuthenticationFeature::collectOptions(
                      "timeout for the authentication cache (0 = indefinitely)",
                      new DoubleParameter(&_authenticationTimeout));
 
+  options->addOption("--server.local-authentication",
+                     "enable or disable authentication using the local user database",
+                     new BooleanParameter(&_localAuthentication));
+
   options->addOption(
       "--server.authentication-system-only",
       "use HTTP authentication only for requests to /_api and /_admin",

arangod/GeneralServer/AuthenticationFeature.h

@@ -51,6 +51,7 @@ class AuthenticationFeature final
   bool _authenticationUnixSockets;
   bool _authenticationSystemOnly;
   double _authenticationTimeout;
+  bool _localAuthentication;
 
   std::string _jwtSecretProgramOption;
   bool _active;
@@ -65,6 +66,7 @@ class AuthenticationFeature final
     authInfo()->setJwtSecret(jwtSecret);
   }
   double authenticationTimeout() const { return _authenticationTimeout; }
+  bool localAuthentication() const { return _localAuthentication; }
 
   AuthInfo* authInfo();
   AuthLevel canUseDatabase(std::string const& username,

arangod/VocBase/AuthInfo.cpp

@@ -793,6 +793,12 @@ AuthResult AuthInfo::checkPassword(std::string const& username,
   READ_LOCKER(readLocker, _authInfoLock);
 
   auto it = _authInfo.find(username);
+  auto feature = AuthenticationFeature::INSTANCE;
+
+  if (it != _authInfo.end() && (it->second.source() == AuthSource::COLLECTION)
+      && feature != nullptr && ! feature->localAuthentication()) {
+    return result;
+  }
 
   if (it == _authInfo.end() || (it->second.source() == AuthSource::LDAP)) {
     TRI_ASSERT(_authenticationHandler);
@@ -843,10 +849,12 @@ AuthResult AuthInfo::checkPassword(std::string const& username,
 
   if (it != _authInfo.end()) {
     AuthUserEntry const& auth = it->second;
+
     if (auth.isActive()) {
       result._authorized = auth.checkPassword(password);
     }
   }
+
   return result;
 }
 
@@ -958,7 +966,6 @@ AuthResult AuthInfo::checkAuthenticationBasic(std::string const& secret) {
   std::string password = up.substr(n + 1);
 
   AuthResult result = checkPassword(username, password);
-
   double timeout = AuthenticationFeature::INSTANCE->authenticationTimeout();
 
   if (0 < timeout) {