diff options
| author | Sara Golemon <sara.golemon@mongodb.com> | 2019-11-13 22:08:01 +0000 |
|---|---|---|
| committer | evergreen <evergreen@mongodb.com> | 2019-11-13 22:08:01 +0000 |
| commit | 77ee1adf0405b5b3e95030dd8f57a4562121ace7 (patch) | |
| tree | 1c7078812df76a50e7282a9fb665eaae5aa6975d | |
| parent | 830e5f07bc357e430221f58837bec137f856a00f (diff) | |
| download | mongo-77ee1adf0405b5b3e95030dd8f57a4562121ace7.tar.gz | |
SERVER-44320 Allow users with enableSharding cluster AT to manipulate sharding zones
(cherry picked from commit b08f7a6989c3e6b3af944201f618c8c928cc4077)
| -rw-r--r-- | jstests/auth/lib/commands_lib.js | 29 | ||||
| -rw-r--r-- | src/mongo/s/commands/cluster_add_shard_to_zone_cmd.cpp | 15 | ||||
| -rw-r--r-- | src/mongo/s/commands/cluster_remove_shard_from_zone_cmd.cpp | 18 | ||||
| -rw-r--r-- | src/mongo/s/commands/cluster_update_zone_key_range_cmd.cpp | 26 |
4 files changed, 68 insertions, 20 deletions
diff --git a/jstests/auth/lib/commands_lib.js b/jstests/auth/lib/commands_lib.js index 27b63641f90..d96da999561 100644 --- a/jstests/auth/lib/commands_lib.js +++ b/jstests/auth/lib/commands_lib.js @@ -5230,9 +5230,16 @@ var authCommandsLib = { testcases: [ { runOnDb: adminDbName, - roles: roles_clusterManager, privileges: [{resource: {db: 'config', collection: 'shards'}, actions: ['update']}], }, + { + runOnDb: adminDbName, + roles: roles_clusterManager, + }, + { + runOnDb: adminDbName, + privileges: [{resource: {cluster: true}, actions: ["enableSharding"]}], + }, ] }, { @@ -5250,12 +5257,19 @@ var authCommandsLib = { testcases: [ { runOnDb: adminDbName, - roles: roles_clusterManager, privileges: [ {resource: {db: 'config', collection: 'shards'}, actions: ['update']}, {resource: {db: 'config', collection: 'tags'}, actions: ['find']} ], }, + { + runOnDb: adminDbName, + roles: roles_clusterManager, + }, + { + runOnDb: adminDbName, + privileges: [{resource: {cluster: true}, actions: ["enableSharding"]}], + }, ] }, { @@ -5273,7 +5287,6 @@ var authCommandsLib = { testcases: [ { runOnDb: adminDbName, - roles: roles_clusterManager, privileges: [ {resource: {db: 'config', collection: 'shards'}, actions: ['find']}, { @@ -5283,6 +5296,16 @@ var authCommandsLib = { ], expectFail: true }, + { + runOnDb: adminDbName, + roles: roles_clusterManager, + expectFail: true, + }, + { + runOnDb: adminDbName, + privileges: [{resource: {cluster: true}, actions: ["enableSharding"]}], + expectFail: true, + }, ] }, { diff --git a/src/mongo/s/commands/cluster_add_shard_to_zone_cmd.cpp b/src/mongo/s/commands/cluster_add_shard_to_zone_cmd.cpp index b6c8e242aa3..f8de58244f8 100644 --- a/src/mongo/s/commands/cluster_add_shard_to_zone_cmd.cpp +++ b/src/mongo/s/commands/cluster_add_shard_to_zone_cmd.cpp @@ -89,12 +89,21 @@ public: Status checkAuthForCommand(Client* client, const std::string& dbname, - const BSONObj& cmdObj) override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( + const BSONObj& cmdObj) final { + auto* as = AuthorizationSession::get(client); + + if (as->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::enableSharding)) { + return Status::OK(); + } + + // Fallback on permissions to directly modify the shard config. + if (!as->isAuthorizedForActionsOnResource( ResourcePattern::forExactNamespace(NamespaceString(ShardType::ConfigNS)), ActionType::update)) { - return Status(ErrorCodes::Unauthorized, "Unauthorized"); + return {ErrorCodes::Unauthorized, "Unauthorized"}; } + return Status::OK(); } diff --git a/src/mongo/s/commands/cluster_remove_shard_from_zone_cmd.cpp b/src/mongo/s/commands/cluster_remove_shard_from_zone_cmd.cpp index 89241df2eaf..ec7c086ca70 100644 --- a/src/mongo/s/commands/cluster_remove_shard_from_zone_cmd.cpp +++ b/src/mongo/s/commands/cluster_remove_shard_from_zone_cmd.cpp @@ -89,17 +89,25 @@ public: Status checkAuthForCommand(Client* client, const std::string& dbname, - const BSONObj& cmdObj) override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( + const BSONObj& cmdObj) final { + auto* as = AuthorizationSession::get(client); + + if (as->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::enableSharding)) { + return Status::OK(); + } + + // Fallback on permissions to directly modify the shard config. + if (!as->isAuthorizedForActionsOnResource( ResourcePattern::forExactNamespace(NamespaceString(ShardType::ConfigNS)), ActionType::update)) { - return Status(ErrorCodes::Unauthorized, "Unauthorized"); + return {ErrorCodes::Unauthorized, "Unauthorized"}; } - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( + if (!as->isAuthorizedForActionsOnResource( ResourcePattern::forExactNamespace(NamespaceString(TagsType::ConfigNS)), ActionType::find)) { - return Status(ErrorCodes::Unauthorized, "Unauthorized"); + return {ErrorCodes::Unauthorized, "Unauthorized"}; } return Status::OK(); diff --git a/src/mongo/s/commands/cluster_update_zone_key_range_cmd.cpp b/src/mongo/s/commands/cluster_update_zone_key_range_cmd.cpp index e0d9eefc222..a6361377dfb 100644 --- a/src/mongo/s/commands/cluster_update_zone_key_range_cmd.cpp +++ b/src/mongo/s/commands/cluster_update_zone_key_range_cmd.cpp @@ -92,29 +92,37 @@ public: Status checkAuthForCommand(Client* client, const std::string& dbname, - const BSONObj& cmdObj) override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( + const BSONObj& cmdObj) final { + auto* as = AuthorizationSession::get(client); + + if (as->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::enableSharding)) { + return Status::OK(); + } + + // Fallback on permissions to directly modify the shard config. + if (!as->isAuthorizedForActionsOnResource( ResourcePattern::forExactNamespace(NamespaceString(ShardType::ConfigNS)), ActionType::find)) { - return Status(ErrorCodes::Unauthorized, "Unauthorized"); + return {ErrorCodes::Unauthorized, "Unauthorized"}; } - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( + if (!as->isAuthorizedForActionsOnResource( ResourcePattern::forExactNamespace(NamespaceString(TagsType::ConfigNS)), ActionType::find)) { - return Status(ErrorCodes::Unauthorized, "Unauthorized"); + return {ErrorCodes::Unauthorized, "Unauthorized"}; } - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( + if (!as->isAuthorizedForActionsOnResource( ResourcePattern::forExactNamespace(NamespaceString(TagsType::ConfigNS)), ActionType::update)) { - return Status(ErrorCodes::Unauthorized, "Unauthorized"); + return {ErrorCodes::Unauthorized, "Unauthorized"}; } - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( + if (!as->isAuthorizedForActionsOnResource( ResourcePattern::forExactNamespace(NamespaceString(TagsType::ConfigNS)), ActionType::remove)) { - return Status(ErrorCodes::Unauthorized, "Unauthorized"); + return {ErrorCodes::Unauthorized, "Unauthorized"}; } return Status::OK(); |