From dc1d28fe5d559142890d83f66e7483ade00464f0 Mon Sep 17 00:00:00 2001 From: Jan Steemann Date: Sun, 2 Feb 2014 00:22:07 +0100 Subject: [PATCH] added option `--server.disable-authentication-unix-sockets` with this option, authentication can be disabled for all requests coming in via UNIX domain sockets, enabling clients located on the same host as the ArangoDB server to connect without authentication. Other connections (e.g. TCP/IP) are not affected by this option. The default value for this option is `false`. Note: this option is only supported on platforms that support Unix domain sockets. Conflicts: CHANGELOG arangod/RestServer/ArangoServer.cpp arangod/VocBase/vocbase-defaults.c --- CHANGELOG | 162 +++++++++++++++++++++ Documentation/UserManual/CommandLine.md | 4 + Documentation/UserManual/CommandLineTOC.md | 1 + arangod/RestServer/ArangoServer.cpp | 21 ++- arangod/RestServer/ArangoServer.h | 20 +++ arangod/RestServer/VocbaseContext.cpp | 13 ++ arangod/V8Server/v8-vocbase.cpp | 5 + arangod/VocBase/vocbase-defaults.c | 24 ++- arangod/VocBase/vocbase-defaults.h | 1 + lib/Rest/ConnectionInfo.h | 5 + lib/Scheduler/ListenTask.cpp | 1 + 11 files changed, 241 insertions(+), 16 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 47987f7f81..3fbcd9e32c 100755 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,168 @@ +v1.5.0 (XXXX-XX-XX) +------------------- + +* added SHORTEST_PATH AQL function + + this calculates the shortest paths between two vertices, using the Dijkstra + algorithm, employing a min-heap + + By default, ArangoDB does not know the distance between any two vertices and + will use a default distance of 1. A custom distance function can be registered + as an AQL user function to make the distance calculation use any document + attributes or custom logic: + + RETURN SHORTEST_PATH(cities, motorways, "cities/CGN", "cities/MUC", "outbound", { + paths: true, + distance: "myfunctions::citydistance" + }) + + // using the following custom distance function + var aqlfunctions = require("org/arangodb/aql/functions"); + aqlfunctions.register("myfunctions::distance", function (config, vertex1, vertex2, edge) { + return Math.sqrt(Math.pow(vertex1.x - vertex2.x) + Math.pow(vertex1.y - vertex2.y)); + }, false); + +* issue #751: Create database through API should return HTTP status code 201 + + By default, the server now returns HTTP 201 (created) when creating a new + database successfully. To keep compatibility with older ArangoDB versions, the + startup parameter `--server.default-api-compatibility` can be set to a value + of `10400` to indicate API compatibility with ArangoDB 1.4. The compatibility + can also be enforced by setting the `X-Arango-Version` HTTP header in a + client request to this API on a per-request basis. + +* allow direct access from the `db` object to collections whose names start + with an underscore (e.g. db._users). + + Previously, access to such collections via the `db` object was possible from + arangosh, but not from arangod (and thus Foxx and actions). The only way + to access such collections from these places was via the `db._collection()` + workaround. + +* allow `\n` (as well as `\r\n`) as line terminator in batch requests sent to + `/_api/batch` HTTP API. + +* use `--data-binary` instead of `--data` parameter in generated cURL examples + +* issue #703: Also show path of logfile for fm.config() + +* issue #675: Dropping a collection used in "graph" module breaks the graph + +* added "static" Graph.drop() method for graphs API + +* fixed issue #695: arangosh server.password error + +* use pretty-printing in `--console` mode by defaul + +* added `check-server` binary for testing + +* simplified ArangoDB startup options + + Some startup options are now superfluous or their usage is simplified. The + following options have been changed: + + * `--javascript.modules-path`: this option has been removed. The modules paths + are determined by arangod and arangosh automatically based on the value of + `--javascript.startup-directory`. + + If the option is set on startup, it is ignored so startup will not abort with + an error `unrecognized option`. + + * `--javascript.action-directory`: this option has been removed. The actions + directory is determined by arangod automatically based on the value of + `--javascript.startup-directory`. + + If the option is set on startup, it is ignored so startup will not abort with + an error `unrecognized option`. + + * `--javascript.package-path`: this option is still available but it is not + required anymore to set the standard package paths (e.g. `js/npm`). arangod + will automatically use this standard package path regardless of whether it + was specified via the options. + + It is possible to use this option to add additional package paths to the + standard value. + + Configuration files included with arangod are adjusted accordingly. + +* layout of the graphs tab adapted to better fit with the other tabs + +* database selection is moved to the bottom right corner of the web interface + +* removed priority queues + + this feature was never advertised nor documented nor tested. + +* display internal attributes in document source view of web interface + +* removed separate shape collections + + When upgrading to ArangoDB 1.5, existing collections will be converted to include + shapes and attribute markers in the datafiles instead of using separate files for + shapes. + + When a collection is converted, existing shapes from the SHAPES directory will + be written to a new datafile in the collection directory, and the SHAPES directory + will be removed afterwards. + + This saves up to 2 MB of memory and disk space for each collection + (savings are higher, the less different shapes there are in a collection). + Additionally, one less file descriptor per opened collection will be used. + + When creating a new collection, the amount of sync calls may be reduced. The same + may be true for documents with yet-unknown shapes. This may help performance + in these cases. + +* added AQL functions `NTH` and `POSITION` + +* added signal handler for arangosh to save last command in more cases + +* added extra prompt placeholders for arangosh: + - `%e`: current endpoint + - `%u`: current user + +* added arangosh option `--javascript.gc-interval` to control amount of + garbage collection performed by arangosh + +* fixed issue #651: Allow addEdge() to take vertex ids in the JS library + +* removed command-line option `--log.format` + + In previous versions, this option did not have an effect for most log messages, so + it got removed. + +* removed C++ logger implementation + + Logging inside ArangoDB is now done using the LOG_XXX() macros. The LOGGER_XXX() + macros are gone. + +* added collection status "loading" + +* added the option to return the number of elements indexed to the + result of .getIndexes() for each index. This is + currently only implemented for hash indices and skiplist indices. + + v1.4.9 (XXXX-XX-XX) ------------------- +* added command-line option `--server.disable-authentication-unix-sockets` + + with this option, authentication can be disabled for all requests coming + in via UNIX domain sockets, enabling clients located on the same host as + the ArangoDB server to connect without authentication. + Other connections (e.g. TCP/IP) are not affected by this option. + + The default value for this option is `false`. + Note: this option is only supported on platforms that support Unix domain + sockets. + +* fail if invalid `strategy`, `order` or `itemOrder` attribute values + are passed to the AQL TRAVERSAL function. Omitting these attributes + is not considered an error, but specifying an invalid value for any + of these attributes will make an AQL query fail. + + * call global arangod instance destructor on shutdown * issue #755: TRAVERSAL does not use strategy, order and itemOrder options diff --git a/Documentation/UserManual/CommandLine.md b/Documentation/UserManual/CommandLine.md index 907d353991..3d5b3dd63c 100644 --- a/Documentation/UserManual/CommandLine.md +++ b/Documentation/UserManual/CommandLine.md @@ -107,6 +107,10 @@ Command-Line Options for arangod {#CommandLineArangod} @anchor CommandLineArangoDisableAuthentication @copydetails triagens::arango::ArangoServer::_disableAuthentication +@CLEARPAGE +@anchor CommandLineArangoDisableAuthenticationUnixSockets +@copydetails triagens::arango::ArangoServer::_disableAuthenticationUnixSockets + @CLEARPAGE @anchor CommandLineArangoAuthenticateSystemOnly @copydetails triagens::arango::ArangoServer::_authenticateSystemOnly diff --git a/Documentation/UserManual/CommandLineTOC.md b/Documentation/UserManual/CommandLineTOC.md index 52551281f4..4f52443e91 100644 --- a/Documentation/UserManual/CommandLineTOC.md +++ b/Documentation/UserManual/CommandLineTOC.md @@ -18,6 +18,7 @@ TOC {#CommandLineTOC} - @ref CommandLineConsole "console" - @ref CommandLineArangoEndpoint "server.endpoint" - @ref CommandLineArangoDisableAuthentication "server.disable-authentication" + - @ref CommandLineArangoDisableAuthenticationUnixSockets "server.disable-authentication-unix-sockets" - @ref CommandLineArangoAuthenticateSystemOnly "server.authenticate-system-only" - @ref CommandLineArangoKeepAliveTimeout "server.keep-alive-timeout" - @ref CommandLineArangoDefaultApiCompatibility "server.default-api-compatibility" diff --git a/arangod/RestServer/ArangoServer.cpp b/arangod/RestServer/ArangoServer.cpp index a98579e9ef..d824b3a51f 100644 --- a/arangod/RestServer/ArangoServer.cpp +++ b/arangod/RestServer/ArangoServer.cpp @@ -266,6 +266,7 @@ ArangoServer::ArangoServer (int argc, char** argv) _applicationV8(0), _authenticateSystemOnly(false), _disableAuthentication(false), + _disableAuthenticationUnixSockets(false), _dispatcherThreads(8), _dispatcherQueueSize(8192), _databasePath(), @@ -507,6 +508,9 @@ void ArangoServer::buildApplicationServer () { additional[ApplicationServer::OPTIONS_SERVER + ":help-admin"] ("server.authenticate-system-only", &_authenticateSystemOnly, "use HTTP authentication only for requests to /_api and /_admin") ("server.disable-authentication", &_disableAuthentication, "disable authentication for ALL client requests") +#ifdef TRI_HAVE_LINUX_SOCKETS + ("server.disable-authentication-unix-sockets", &_disableAuthenticationUnixSockets, "disable authentication for requests via UNIX domain sockets") +#endif ("server.disable-replication-logger", &_disableReplicationLogger, "start with replication logger turned off") ("server.disable-replication-applier", &_disableReplicationApplier, "start with replication applier turned off") ; @@ -1240,14 +1244,15 @@ void ArangoServer::openDatabases () { TRI_vocbase_defaults_t defaults; // override with command-line options - defaults.defaultMaximalSize = _defaultMaximalSize; - defaults.removeOnDrop = _removeOnDrop; - defaults.removeOnCompacted = _removeOnCompacted; - defaults.defaultWaitForSync = _defaultWaitForSync; - defaults.forceSyncShapes = _forceSyncShapes; - defaults.forceSyncProperties = _forceSyncProperties; - defaults.requireAuthentication = ! _disableAuthentication; - defaults.authenticateSystemOnly = _authenticateSystemOnly; + defaults.defaultMaximalSize = _defaultMaximalSize; + defaults.removeOnDrop = _removeOnDrop; + defaults.removeOnCompacted = _removeOnCompacted; + defaults.defaultWaitForSync = _defaultWaitForSync; + defaults.forceSyncShapes = _forceSyncShapes; + defaults.forceSyncProperties = _forceSyncProperties; + defaults.requireAuthentication = ! _disableAuthentication; + defaults.requireAuthenticationUnixSockets = ! _disableAuthenticationUnixSockets; + defaults.authenticateSystemOnly = _authenticateSystemOnly; assert(_server != 0); diff --git a/arangod/RestServer/ArangoServer.h b/arangod/RestServer/ArangoServer.h index 0c22cbed21..2a734abb5d 100644 --- a/arangod/RestServer/ArangoServer.h +++ b/arangod/RestServer/ArangoServer.h @@ -262,6 +262,26 @@ namespace triagens { bool _disableAuthentication; +//////////////////////////////////////////////////////////////////////////////// +/// @brief disable authentication for requests via UNIX domain sockets +/// +/// @CMDOPT{\--server.disable-authentication-unix-sockets @CA{value}} +/// +/// Setting @CA{value} to true will turn off authentication on the server side +/// for requests coming in via UNIX domain sockets. With this flag enabled, +/// clients located on the same host as the ArangoDB server can use UNIX domain +/// sockets to connect to the server without authentication. +/// Requests coming in by other means (e.g. TCP/IP) are not affected by this +/// option. +/// +/// The default value is @LIT{false}. +/// +/// Note: this option is only available on platforms that support UNIX domain +/// sockets. +//////////////////////////////////////////////////////////////////////////////// + + bool _disableAuthenticationUnixSockets; + //////////////////////////////////////////////////////////////////////////////// /// @brief number of dispatcher threads for non-database worker /// diff --git a/arangod/RestServer/VocbaseContext.cpp b/arangod/RestServer/VocbaseContext.cpp index 09dccb22a1..a1f7484056 100644 --- a/arangod/RestServer/VocbaseContext.cpp +++ b/arangod/RestServer/VocbaseContext.cpp @@ -30,6 +30,7 @@ #include "BasicsC/common.h" #include "BasicsC/logging.h" #include "BasicsC/tri-strings.h" +#include "Rest/ConnectionInfo.h" #include "VocBase/auth.h" #include "VocBase/server.h" #include "VocBase/vocbase.h" @@ -101,6 +102,18 @@ HttpResponse::HttpResponseCode VocbaseContext::authenticate () { return HttpResponse::OK; } +#ifdef TRI_HAVE_LINUX_SOCKETS + // check if we need to run authentication for this type of + // endpoint + ConnectionInfo const& ci = _request->connectionInfo(); + + if (ci.endpointType == Endpoint::DOMAIN_UNIX && + ! _vocbase->_settings.requireAuthenticationUnixSockets) { + // no authentication required for unix socket domain connections + return HttpResponse::OK; + } +#endif + if (_vocbase->_settings.authenticateSystemOnly) { // authentication required, but only for /_api, /_admin etc. const char* path = _request->requestPath(); diff --git a/arangod/V8Server/v8-vocbase.cpp b/arangod/V8Server/v8-vocbase.cpp index f63d85f6ee..4f481aee17 100644 --- a/arangod/V8Server/v8-vocbase.cpp +++ b/arangod/V8Server/v8-vocbase.cpp @@ -7992,6 +7992,7 @@ static v8::Handle JS_CreateDatabase (v8::Arguments const& argv) { v8::Local keyForceSyncShapes = v8::String::New("forceSyncShapes"); v8::Local keyForceSyncProperties = v8::String::New("forceSyncProperties"); v8::Local keyRequireAuthentication = v8::String::New("requireAuthentication"); + v8::Local keyRequireAuthenticationUnixSockets = v8::String::New("requireAuthenticationUnixSockets"); v8::Local keyAuthenticateSystemOnly = v8::String::New("authenticateSystemOnly"); // overwrite database defaults from argv[2] @@ -8025,6 +8026,10 @@ static v8::Handle JS_CreateDatabase (v8::Arguments const& argv) { if (options->Has(keyRequireAuthentication)) { defaults.requireAuthentication = options->Get(keyRequireAuthentication)->BooleanValue(); } + + if (options->Has(keyRequireAuthenticationUnixSockets)) { + defaults.requireAuthenticationUnixSockets = options->Get(keyRequireAuthenticationUnixSockets)->BooleanValue(); + } if (options->Has(keyAuthenticateSystemOnly)) { defaults.authenticateSystemOnly = options->Get(keyAuthenticateSystemOnly)->BooleanValue(); diff --git a/arangod/VocBase/vocbase-defaults.c b/arangod/VocBase/vocbase-defaults.c index 0f0c631b10..eb67e65526 100644 --- a/arangod/VocBase/vocbase-defaults.c +++ b/arangod/VocBase/vocbase-defaults.c @@ -44,14 +44,15 @@ void TRI_ApplyVocBaseDefaults (TRI_vocbase_t* vocbase, TRI_vocbase_defaults_t const* defaults) { - vocbase->_settings.defaultMaximalSize = defaults->defaultMaximalSize; - vocbase->_settings.removeOnDrop = defaults->removeOnDrop; - vocbase->_settings.removeOnCompacted = defaults->removeOnCompacted; - vocbase->_settings.defaultWaitForSync = defaults->defaultWaitForSync; - vocbase->_settings.forceSyncShapes = defaults->forceSyncShapes; - vocbase->_settings.forceSyncProperties = defaults->forceSyncProperties; - vocbase->_settings.requireAuthentication = defaults->requireAuthentication; - vocbase->_settings.authenticateSystemOnly = defaults->authenticateSystemOnly; + vocbase->_settings.defaultMaximalSize = defaults->defaultMaximalSize; + vocbase->_settings.removeOnDrop = defaults->removeOnDrop; + vocbase->_settings.removeOnCompacted = defaults->removeOnCompacted; + vocbase->_settings.defaultWaitForSync = defaults->defaultWaitForSync; + vocbase->_settings.forceSyncShapes = defaults->forceSyncShapes; + vocbase->_settings.forceSyncProperties = defaults->forceSyncProperties; + vocbase->_settings.requireAuthentication = defaults->requireAuthentication; + vocbase->_settings.requireAuthenticationUnixSockets = defaults->requireAuthenticationUnixSockets; + vocbase->_settings.authenticateSystemOnly = defaults->authenticateSystemOnly; } //////////////////////////////////////////////////////////////////////////////// @@ -74,6 +75,7 @@ TRI_json_t* TRI_JsonVocBaseDefaults (TRI_memory_zone_t* zone, TRI_Insert3ArrayJson(zone, json, "forceSyncShapes", TRI_CreateBooleanJson(zone, defaults->forceSyncShapes)); TRI_Insert3ArrayJson(zone, json, "forceSyncProperties", TRI_CreateBooleanJson(zone, defaults->forceSyncProperties)); TRI_Insert3ArrayJson(zone, json, "requireAuthentication", TRI_CreateBooleanJson(zone, defaults->requireAuthentication)); + TRI_Insert3ArrayJson(zone, json, "requireAuthenticationUnixSockets", TRI_CreateBooleanJson(zone, defaults->requireAuthenticationUnixSockets)); TRI_Insert3ArrayJson(zone, json, "authenticateSystemOnly", TRI_CreateBooleanJson(zone, defaults->authenticateSystemOnly)); TRI_Insert3ArrayJson(zone, json, "defaultMaximalSize", TRI_CreateNumberJson(zone, (double) defaults->defaultMaximalSize)); @@ -128,6 +130,12 @@ void TRI_FromJsonVocBaseDefaults (TRI_vocbase_defaults_t* defaults, defaults->requireAuthentication = optionJson->_value._boolean; } + optionJson = TRI_LookupArrayJson(json, "requireAuthenticationUnixSockets"); + + if (TRI_IsBooleanJson(optionJson)) { + defaults->requireAuthenticationUnixSockets = optionJson->_value._boolean; + } + optionJson = TRI_LookupArrayJson(json, "authenticateSystemOnly"); if (TRI_IsBooleanJson(optionJson)) { diff --git a/arangod/VocBase/vocbase-defaults.h b/arangod/VocBase/vocbase-defaults.h index 013bb44a91..461f656c7c 100644 --- a/arangod/VocBase/vocbase-defaults.h +++ b/arangod/VocBase/vocbase-defaults.h @@ -59,6 +59,7 @@ typedef struct TRI_vocbase_defaults_s { bool forceSyncShapes; bool forceSyncProperties; bool requireAuthentication; + bool requireAuthenticationUnixSockets; bool authenticateSystemOnly; } TRI_vocbase_defaults_t; diff --git a/lib/Rest/ConnectionInfo.h b/lib/Rest/ConnectionInfo.h index 6338b657ef..12e8559d1d 100644 --- a/lib/Rest/ConnectionInfo.h +++ b/lib/Rest/ConnectionInfo.h @@ -32,6 +32,7 @@ #include "Basics/Common.h" #include "Basics/StringUtils.h" +#include "Rest/Endpoint.h" namespace triagens { namespace rest { @@ -48,6 +49,7 @@ namespace triagens { serverAddress(), clientAddress(), endpoint(), + endpointType(Endpoint::DOMAIN_UNKNOWN), sslContext(0) { } @@ -57,6 +59,7 @@ namespace triagens { serverAddress(that.serverAddress), clientAddress(that.clientAddress), endpoint(that.endpoint), + endpointType(that.endpointType), sslContext(that.sslContext) { } @@ -67,6 +70,7 @@ namespace triagens { serverAddress = that.serverAddress; clientAddress = that.clientAddress; endpoint = that.endpoint; + endpointType = that.endpointType; sslContext = that.sslContext; } @@ -81,6 +85,7 @@ namespace triagens { string serverAddress; string clientAddress; string endpoint; + Endpoint::DomainType endpointType; void* sslContext; }; diff --git a/lib/Scheduler/ListenTask.cpp b/lib/Scheduler/ListenTask.cpp index f3cb7bea55..ab3e7184c7 100644 --- a/lib/Scheduler/ListenTask.cpp +++ b/lib/Scheduler/ListenTask.cpp @@ -232,6 +232,7 @@ bool ListenTask::handleEvent (EventToken token, EventType revents) { info.serverAddress = _endpoint->getHost(); info.serverPort = _endpoint->getPort(); info.endpoint = _endpoint->getSpecification(); + info.endpointType = _endpoint->getDomainType(); return handleConnected(connectionSocket, info); }