author | Andreas Nilsson <andreas.nilsson@10gen.com> | 2015-03-29 22:45:06 -0400 |
---|---|---|
committer | Andreas Nilsson <andreas.nilsson@10gen.com> | 2015-03-29 22:45:06 -0400 |
commit | 908ed3ec73a3c30830dbf083a5affc9734771f17 (patch) | |
tree | e881838bb874c31b7457e4b65994b19f4861fbd3 | |
parent | dd81442d6960854e072dbd308246dcad2b9525df (diff) | |
download | mongo-908ed3ec73a3c30830dbf083a5affc9734771f17.tar.gz |
SERVER-17529 Let find on system.namespaces imply listCollections
-rw-r--r-- | jstests/auth/lib/commands_lib.js | 10 | ||||
-rw-r--r-- | src/mongo/SConscript | 1 | ||||
-rw-r--r-- | src/mongo/db/commands/list_collections.cpp | 11 | ||||
-rw-r--r-- | src/mongo/db/commands/list_collections.h | 46 | ||||
-rw-r--r-- | src/mongo/db/commands/list_collections_common.cpp | 68 | ||||
-rw-r--r-- | src/mongo/s/commands_public.cpp | 11 |
6 files changed, 135 insertions, 12 deletions
diff --git a/jstests/auth/lib/commands_lib.js b/jstests/auth/lib/commands_lib.js
index c73439d2494..6614d362830 100644
--- a/jstests/auth/lib/commands_lib.js
+++ b/jstests/auth/lib/commands_lib.js
@@ -1471,6 +1471,16 @@ var authCommandsLib = {
 actions: ["listCollections"]
 }
 ]
+ },
+ // test legacy (pre 3.0) way of authorizing listCollections
+ {
+ runOnDb: firstDbName,
+ privileges: [
+ {
+ resource: {db: firstDbName, collection: "system.namespaces"},
+ actions: ["find"]
+ }
+ ]
 }
 ]
 },
diff --git a/src/mongo/SConscript b/src/mongo/SConscript
index 5022f3d0008..31a178eeda6 100644
--- a/src/mongo/SConscript
+++ b/src/mongo/SConscript
@@ -474,6 +474,7 @@ coredbEnv.Library("coredb", [
 "db/commands/isself.cpp",
 "db/repl/isself.cpp",
 "db/commands/mr_common.cpp",
+ "db/commands/list_collections_common.cpp",
 "db/commands/rename_collection_common.cpp",
 "db/commands/server_status.cpp",
 "db/commands/parameters.cpp",
diff --git a/src/mongo/db/commands/list_collections.cpp b/src/mongo/db/commands/list_collections.cpp
index ef58e7c4961..32c25f6e712 100644
--- a/src/mongo/db/commands/list_collections.cpp
+++ b/src/mongo/db/commands/list_collections.cpp
@@ -40,6 +40,7 @@
 #include "mongo/db/client.h"
 #include "mongo/db/clientcursor.h"
 #include "mongo/db/commands.h"
+#include "mongo/db/commands/list_collections.h"
 #include "mongo/db/exec/queued_data_stage.h"
 #include "mongo/db/exec/working_set.h"
 #include "mongo/db/global_environment_experiment.h"
@@ -62,12 +63,10 @@ namespace mongo { virtual void help( stringstream& help ) const { help << "list collections for this db"; } - virtual void addRequiredPrivileges(const std::string& dbname, - const BSONObj& cmdObj, - std::vector<Privilege>* out) { - ActionSet actions; - actions.addAction(ActionType::listCollections); - out->push_back(Privilege(ResourcePattern::forDatabaseName(dbname), actions)); + virtual Status checkAuthForCommand(ClientBasic* client, + const std::string& dbname, + const BSONObj& cmdObj) { + return checkAuthForListCollectionsCommand(client, dbname, cmdObj); } CmdListCollections() : Command( "listCollections", true ) {} diff --git a/src/mongo/db/commands/list_collections.h b/src/mongo/db/commands/list_collections.h new file mode 100644 index 00000000000..8773f63200b --- /dev/null +++ b/src/mongo/db/commands/list_collections.h 
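Review bot: With `addRequiredPrivileges` removed and `checkAuthForCommand` overridden, the privileges this command accepts are no longer readable at the command class; they live only in checkAuthForListCollectionsCommand, which also accepts `find` on `<db>.system.namespaces`. A one-line comment above the override would keep that wider grant visible to anyone auditing role definitions, for example `// Authorized by listCollections on the db, or by find on <db>.system.namespaces (legacy roles).` The same applies to the identical override added in src/mongo/s/commands_public.cpp. The declaration in list_collections.h has no doc comment either, and stating the two accepted privileges there would serve both callers. The CmdListCollections class body starts and ends outside this hunk.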
@@ -0,0 +1,46 @@
+/**
+ * Copyright (C) 2015 MongoDB Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * As a special exception, the copyright holders give permission to link the
+ * code of portions of this program with the OpenSSL library under certain
+ * conditions as described in each individual source file and distribute
+ * linked combinations including the program with the OpenSSL library. You
+ * must comply with the GNU Affero General Public License in all respects for
+ * all of the code used other than as permitted herein. If you modify file(s)
+ * with this exception, you may extend this exception to your version of the
+ * file(s), but you are not obligated to do so. If you do not wish to do so,
+ * delete this exception statement from your version. If you delete this
+ * exception statement from all source files in the program, then also delete
+ * it in the license file.
+ */
+
+#pragma once
+
+#include <string>
+
+#include "mongo/db/auth/privilege.h"
+#include "mongo/db/jsobj.h"
+
+namespace mongo {
+
+ class ClientBasic;
+
+ Status checkAuthForListCollectionsCommand(ClientBasic* client,
+ const std::string& dbname,
+ const BSONObj& cmdObj);
+
+} // namespace mongo
+
+
diff --git a/src/mongo/db/commands/list_collections_common.cpp b/src/mongo/db/commands/list_collections_common.cpp
new file mode 100644
index 00000000000..9f5c2621a9f
--- /dev/null
+++ b/src/mongo/db/commands/list_collections_common.cpp 
@@ -0,0 +1,68 @@
+/**
+* Copyright (C) 2015 MongoDB Inc.
+*
+* This program is free software: you can redistribute it and/or modify
+* it under the terms of the GNU Affero General Public License, version 3,
+* as published by the Free Software Foundation.
+*
+* This program is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU Affero General Public License for more details.
+*
+* You should have received a copy of the GNU Affero General Public License
+* along with this program. If not, see <http://www.gnu.org/licenses/>.
+*
+* As a special exception, the copyright holders give permission to link the
+* code of portions of this program with the OpenSSL library under certain
+* conditions as described in each individual source file and distribute
+* linked combinations including the program with the OpenSSL library. You
+* must comply with the GNU Affero General Public License in all respects for
+* all of the code used other than as permitted herein. If you modify file(s)
+* with this exception, you may extend this exception to your version of the
+* file(s), but you are not obligated to do so. If you do not wish to do so,
+* delete this exception statement from your version. If you delete this
+* exception statement from all source files in the program, then also delete
+* it in the license file.
+*/
+
+#include "mongo/db/commands/rename_collection.h"
+
+#include <string>
+
+#include "mongo/db/auth/action_set.h"
+#include "mongo/db/auth/action_type.h"
+#include "mongo/db/auth/authorization_session.h"
+#include "mongo/db/auth/privilege.h"
+#include "mongo/db/client_basic.h"
+#include "mongo/db/jsobj.h"
+#include "mongo/db/namespace_string.h"
+
+namespace mongo {
+
+ Status checkAuthForListCollectionsCommand(ClientBasic* client,
+ const std::string& dbname,
+ const BSONObj& cmdObj) {
+ AuthorizationSession* authzSession = client->getAuthorizationSession();
+
+ // Check for the listCollections ActionType on the database
+ // or find on system.namespaces for pre 3.0 systems.
+ if (authzSession->isAuthorizedForActionsOnResource(
+ ResourcePattern::forDatabaseName(dbname),
+ ActionType::listCollections)) {
+ return Status::OK();
+ }
+
+ if (authzSession->isAuthorizedForActionsOnResource(
+ ResourcePattern::forExactNamespace(
+ NamespaceString(dbname, "system.namespaces")),
+ ActionType::find)) {
+ return Status::OK();
+ }
+
+ return Status(ErrorCodes::Unauthorized,
+ str::stream() << "Not authorized to list collections on db: " <<
+ dbname);
+ }
+
+} // namespace mongo
diff --git a/src/mongo/s/commands_public.cpp b/src/mongo/s/commands_public.cpp
index 0f3ced2ec5b..3d8cf5dc8ad 100644
--- a/src/mongo/s/commands_public.cpp
+++ b/src/mongo/s/commands_public.cpp
@@ -46,6 +46,7 @@
 #include "mongo/db/auth/privilege.h"
 #include "mongo/db/commands/copydb.h"
 #include "mongo/db/commands/find_and_modify.h"
+#include "mongo/db/commands/list_collections.h"
 #include "mongo/db/commands/mr.h"
 #include "mongo/db/commands/rename_collection.h"
 #include "mongo/db/commands.h"
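Review bot: The new src/mongo/db/commands/list_collections_common.cpp includes `mongo/db/commands/rename_collection.h` as its first header instead of its own `mongo/db/commands/list_collections.h`. The definition of checkAuthForListCollectionsCommand is therefore never compiled against its declaration, and a signature drift in this authorization check would surface only at link time. The first include should read `#include "mongo/db/commands/list_collections.h"`. The function also uses `str::stream` and `ErrorCodes::Unauthorized` with no visible include that declares them, so it presumably builds only through a transitive include. Including the declaring headers directly would make the file self-contained.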
@@ -2804,12 +2805,10 @@ namespace mongo { class CmdListCollections : public ListPassthroughWithAggFallbackCommand { public: CmdListCollections() : ListPassthroughWithAggFallbackCommand( "listCollections" ) {} - virtual void addRequiredPrivileges(const std::string& dbname, - const BSONObj& cmdObj, - std::vector<Privilege>* out) { - ActionSet actions; - actions.addAction(ActionType::listCollections); - out->push_back(Privilege(ResourcePattern::forDatabaseName(dbname), actions)); + virtual Status checkAuthForCommand(ClientBasic* client, + const std::string& dbname, + const BSONObj& cmdObj) { + return checkAuthForListCollectionsCommand(client, dbname, cmdObj); } private: |