authorShane Harvey <shane.harvey@mongodb.com>2016-03-30 13:37:17 -0400
committerRamon Fernandez <ramon@mongodb.com>2016-04-14 13:42:40 +0100
commite266e7e354ae4f2a34c7a3c5dc754ec236d82334 (patch)
treeaa5ed99667fd567523e5beef2502588fee013c13
parent2a4ab604a15ffe0a80b5bbae505c5521efcf58ad (diff)
downloadmongo-e266e7e354ae4f2a34c7a3c5dc754ec236d82334.tar.gz
SERVER-23184 Reduce listCollections privileges
(cherry picked from commit 0b490582031c2be63239ac0885801739946a2a78)
-rw-r--r--jstests/auth/lib/commands_lib.js3
-rw-r--r--jstests/core/connection_status.js123
-rw-r--r--src/mongo/db/auth/role_graph_builtin_roles.cpp3
3 files changed, 70 insertions, 59 deletions
diff --git a/jstests/auth/lib/commands_lib.js b/jstests/auth/lib/commands_lib.js
index bab46779cb6..2cc54f30eff 100644
--- a/jstests/auth/lib/commands_lib.js
+++ b/jstests/auth/lib/commands_lib.js
@@ -1505,9 +1505,6 @@ var authCommandsLib = {
readAnyDatabase: 1,
readWrite: 1,
readWriteAnyDatabase: 1,
- clusterAdmin: 1,
- clusterMonitor: 1,
- clusterManager: 1,
dbAdmin: 1,
dbAdminAnyDatabase: 1,
dbOwner: 1,
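Review bot: The reason the three cluster roles no longer belong in this `roles` map is not recorded in the test, and the map itself (and the command entry it belongs to) opens before the hunk and closes after it, so a reader of the test alone cannot tell which command's expectation changed or why. Given the commit title, this is presumably the listCollections case, and the cluster roles presumably only reached listCollections on an arbitrary database through the anyResource grant that the read privileges carried until this commit — but that is inferred, not visible here. A one-line comment above the map would make the intent durable, e.g. `// Cluster roles must not be able to list collections of arbitrary databases; they previously could only via the anyResource listCollections grant removed in SERVER-23184.` The enclosing authCommandsLib entry starts before and ends after the hunk.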
diff --git a/jstests/core/connection_status.js b/jstests/core/connection_status.js
index 29b8999ccc8..2ecfb211b6d 100644
--- a/jstests/core/connection_status.js
+++ b/jstests/core/connection_status.js
@@ -1,67 +1,84 @@
// Tests the connectionStatus command
+(function() {
+ var dbName = 'connection_status';
+ var myDB = db.getSiblingDB(dbName);
+ myDB.dropAllUsers();
-var dbName = 'connection_status';
-var myDB = db.getSiblingDB(dbName);
-myDB.dropAllUsers();
-
-function test(userName) {
- myDB.createUser({user: userName, pwd: "weak password", roles: [{db: "admin", role: "root"}]});
- myDB.auth(userName, "weak password");
-
- var output = myDB.runCommand("connectionStatus");
- assert.commandWorked(output);
-
- // Test that authenticated users are properly returned.
- var users = output.authInfo.authenticatedUsers;
-
- var matches = 0;
- for (var i = 0; i < users.length; i++) {
- if (users[i].db != dbName)
- continue;
-
- assert.eq(users[i].user, userName);
- matches++;
- }
- assert.eq(matches, 1);
+ function test(userName) {
+ myDB.createUser(
+ {user: userName, pwd: "weak password", roles: [{db: "admin", role: "root"}]});
+ myDB.auth(userName, "weak password");
- // Test that authenticated roles are properly returned.
- var roles = output.authInfo.authenticatedUserRoles;
+ var output = myDB.runCommand("connectionStatus");
+ assert.commandWorked(output);
- matches = 0;
- for (var i = 0; i < roles.length; i++) {
- if (roles[i].db != "admin")
- continue;
+ // Test that authenticated users are properly returned.
+ var users = output.authInfo.authenticatedUsers;
- assert.eq(roles[i].role, "root");
- matches++;
- }
- assert(matches >= 1);
+ var matches = 0;
+ for (var i = 0; i < users.length; i++) {
+ if (users[i].db != dbName)
+ continue;
- // Test roles/ privileges for a non-root user.
- myDB.createUser({user: "foo", pwd: "weak password", roles: [{db: "foo", role: "read"}]});
- myDB.logout();
- myDB.auth("foo", "weak password");
+ assert.eq(users[i].user, userName);
+ matches++;
+ }
+ assert.eq(matches, 1);
- output = myDB.runCommand({"connectionStatus": 1, "showPrivileges": 1});
- assert.commandWorked(output);
+ // Test that authenticated roles are properly returned.
+ var roles = output.authInfo.authenticatedUserRoles;
- var privileges = output.authInfo.authenticatedUserPrivileges;
+ matches = 0;
+ for (var i = 0; i < roles.length; i++) {
+ if (roles[i].db != "admin")
+ continue;
- matches = 0;
- for (var i = 0; i < privileges.length; i++) {
- if (privileges[i].resource.anyResource) {
+ assert.eq(roles[i].role, "root");
matches++;
}
- }
- assert(matches >= 1);
+ assert(matches >= 1);
+
+ // Test roles/ privileges for a non-root user.
+ myDB.createUser({user: "foo", pwd: "weak password", roles: [{db: "foo", role: "read"}]});
+ myDB.logout();
+ myDB.auth("foo", "weak password");
+
+ output = myDB.runCommand({"connectionStatus": 1, "showPrivileges": 1});
+ assert.commandWorked(output);
+
+ var users = output.authInfo.authenticatedUsers;
+ var authedAsSystem = false;
+ for (var i = 0; i < users.length; i++) {
+ var authed = users[i];
+ if (authed.user === "__system" && authed.db === "local") {
+ authedAsSystem = true;
+ }
+ }
- myDB.logout();
+ var privileges = output.authInfo.authenticatedUserPrivileges;
+
+ for (var i = 0; i < privileges.length; i++) {
+ if (privileges[i].resource.anyResource) {
+ if (authedAsSystem) {
+ assert.eq(["anyAction"],
+ privileges[i].actions,
+ "__system user should only have anyResource/anyAction privilege:" +
+ tojson(output));
+ } else {
+ assert(false,
+ "read role should not have anyResource privileges:" + tojson(output));
+ }
+ }
+ }
- // Clean up.
- myDB.auth(userName, "weak password");
- myDB.dropAllUsers();
- myDB.logout();
-}
+ myDB.logout();
+
+ // Clean up.
+ myDB.auth(userName, "weak password");
+ myDB.dropAllUsers();
+ myDB.logout();
+ }
-test("someone");
-test("someone else");
+ test("someone");
+ test("someone else");
+})();
diff --git a/src/mongo/db/auth/role_graph_builtin_roles.cpp b/src/mongo/db/auth/role_graph_builtin_roles.cpp
index 923aa1c40e3..4121bbb9476 100644
--- a/src/mongo/db/auth/role_graph_builtin_roles.cpp
+++ b/src/mongo/db/auth/role_graph_builtin_roles.cpp
@@ -201,9 +201,6 @@ void addReadOnlyDbPrivileges(PrivilegeVector* privileges, StringData dbName) {
Privilege::addPrivilegeToPrivilegeVector(
privileges, Privilege(ResourcePattern::forDatabaseName(dbName), readRoleActions));
Privilege::addPrivilegeToPrivilegeVector(
- privileges, Privilege(ResourcePattern::forAnyResource(), ActionType::listCollections));
-
- Privilege::addPrivilegeToPrivilegeVector(
privileges,
Privilege(ResourcePattern::forExactNamespace(NamespaceString(dbName, "system.indexes")),
readRoleActions));
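Review bot: After this removal, whether a `read` user can still list collections in its own database depends entirely on `readRoleActions` including `ActionType::listCollections` on the `forDatabaseName(dbName)` pattern, and that definition is outside the hunk; if it does not, the change over-corrects and read users lose listCollections everywhere, even though the commands_lib change in this commit keeps read/readWrite among the roles expected to succeed. That should be confirmed against `readRoleActions`, and a comment left at the removal site so the cross-database grant is not reintroduced, e.g. `// listCollections is granted per database through readRoleActions; an anyResource grant here would let any read user enumerate collection names in every database.` addReadOnlyDbPrivileges begins before the hunk and continues after it. Since the commit is a cherry-pick onto a release branch, user-defined roles that inherited cross-database listCollections from `read` (or from roles built on these read privileges) will start failing authorization after upgrade; that behavioural change deserves a release-note entry.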