diff options
| author | Sara Golemon <sara.golemon@mongodb.com> | 2019-11-13 21:11:42 +0000 |
|---|---|---|
| committer | evergreen <evergreen@mongodb.com> | 2019-11-13 21:11:42 +0000 |
| commit | 3ffd21eb0555cf729daf6f5ee9281137058ac9b8 (patch) | |
| tree | 9ced4745bb8d714cab26784aecc9e538e403b6ae | |
| parent | ffe79da4681589eb10dfe2d5ed922f7046b81e07 (diff) | |
| download | mongo-3ffd21eb0555cf729daf6f5ee9281137058ac9b8.tar.gz | |
SERVER-44320 Allow users with enableSharding cluster AT to manipulate sharding zones
(cherry picked from commit b08f7a6989c3e6b3af944201f618c8c928cc4077)
| -rw-r--r-- | jstests/auth/lib/commands_lib.js | 29 | ||||
| -rw-r--r-- | src/mongo/s/commands/cluster_add_shard_to_zone_cmd.cpp | 15 | ||||
| -rw-r--r-- | src/mongo/s/commands/cluster_remove_shard_from_zone_cmd.cpp | 18 | ||||
| -rw-r--r-- | src/mongo/s/commands/cluster_update_zone_key_range_cmd.cpp | 26 |
4 files changed, 68 insertions, 20 deletions
diff --git a/jstests/auth/lib/commands_lib.js b/jstests/auth/lib/commands_lib.js index 9a850b78fd2..910c9ea6837 100644 --- a/jstests/auth/lib/commands_lib.js +++ b/jstests/auth/lib/commands_lib.js @@ -5792,9 +5792,16 @@ var authCommandsLib = { testcases: [ { runOnDb: adminDbName, - roles: roles_clusterManager, privileges: [{resource: {db: 'config', collection: 'shards'}, actions: ['update']}], }, + { + runOnDb: adminDbName, + roles: roles_clusterManager, + }, + { + runOnDb: adminDbName, + privileges: [{resource: {cluster: true}, actions: ["enableSharding"]}], + }, ] }, { @@ -5812,12 +5819,19 @@ var authCommandsLib = { testcases: [ { runOnDb: adminDbName, - roles: roles_clusterManager, privileges: [ {resource: {db: 'config', collection: 'shards'}, actions: ['update']}, {resource: {db: 'config', collection: 'tags'}, actions: ['find']} ], }, + { + runOnDb: adminDbName, + roles: roles_clusterManager, + }, + { + runOnDb: adminDbName, + privileges: [{resource: {cluster: true}, actions: ["enableSharding"]}], + }, ] }, { @@ -5835,7 +5849,6 @@ var authCommandsLib = { testcases: [ { runOnDb: adminDbName, - roles: roles_clusterManager, privileges: [ {resource: {db: 'config', collection: 'shards'}, actions: ['find']}, { @@ -5845,6 +5858,16 @@ var authCommandsLib = { ], expectFail: true }, + { + runOnDb: adminDbName, + roles: roles_clusterManager, + expectFail: true, + }, + { + runOnDb: adminDbName, + privileges: [{resource: {cluster: true}, actions: ["enableSharding"]}], + expectFail: true, + }, ] }, { diff --git a/src/mongo/s/commands/cluster_add_shard_to_zone_cmd.cpp b/src/mongo/s/commands/cluster_add_shard_to_zone_cmd.cpp index a345a516ea9..d3349e66694 100644 --- a/src/mongo/s/commands/cluster_add_shard_to_zone_cmd.cpp +++ b/src/mongo/s/commands/cluster_add_shard_to_zone_cmd.cpp @@ -82,11 +82,20 @@ public: Status checkAuthForCommand(Client* client, const std::string& dbname, - const BSONObj& cmdObj) const override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( + const BSONObj& cmdObj) const final { + auto* as = AuthorizationSession::get(client); + + if (as->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::enableSharding)) { + return Status::OK(); + } + + // Fallback on permissions to directly modify the shard config. + if (!as->isAuthorizedForActionsOnResource( ResourcePattern::forExactNamespace(ShardType::ConfigNS), ActionType::update)) { - return Status(ErrorCodes::Unauthorized, "Unauthorized"); + return {ErrorCodes::Unauthorized, "Unauthorized"}; } + return Status::OK(); } diff --git a/src/mongo/s/commands/cluster_remove_shard_from_zone_cmd.cpp b/src/mongo/s/commands/cluster_remove_shard_from_zone_cmd.cpp index 2cdf88df280..0d82807b1ab 100644 --- a/src/mongo/s/commands/cluster_remove_shard_from_zone_cmd.cpp +++ b/src/mongo/s/commands/cluster_remove_shard_from_zone_cmd.cpp @@ -89,15 +89,23 @@ public: Status checkAuthForCommand(Client* client, const std::string& dbname, - const BSONObj& cmdObj) const override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( + const BSONObj& cmdObj) const final { + auto* as = AuthorizationSession::get(client); + + if (as->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::enableSharding)) { + return Status::OK(); + } + + // Fallback on permissions to directly modify the shard config. + if (!as->isAuthorizedForActionsOnResource( ResourcePattern::forExactNamespace(ShardType::ConfigNS), ActionType::update)) { - return Status(ErrorCodes::Unauthorized, "Unauthorized"); + return {ErrorCodes::Unauthorized, "Unauthorized"}; } - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( + if (!as->isAuthorizedForActionsOnResource( ResourcePattern::forExactNamespace(TagsType::ConfigNS), ActionType::find)) { - return Status(ErrorCodes::Unauthorized, "Unauthorized"); + return {ErrorCodes::Unauthorized, "Unauthorized"}; } return Status::OK(); diff --git a/src/mongo/s/commands/cluster_update_zone_key_range_cmd.cpp b/src/mongo/s/commands/cluster_update_zone_key_range_cmd.cpp index 7a1feae9b7b..ba2bd52bf98 100644 --- a/src/mongo/s/commands/cluster_update_zone_key_range_cmd.cpp +++ b/src/mongo/s/commands/cluster_update_zone_key_range_cmd.cpp @@ -92,25 +92,33 @@ public: Status checkAuthForCommand(Client* client, const std::string& dbname, - const BSONObj& cmdObj) const override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( + const BSONObj& cmdObj) const final { + auto* as = AuthorizationSession::get(client); + + if (as->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::enableSharding)) { + return Status::OK(); + } + + // Fallback on permissions to directly modify the shard config. + if (!as->isAuthorizedForActionsOnResource( ResourcePattern::forExactNamespace(ShardType::ConfigNS), ActionType::find)) { - return Status(ErrorCodes::Unauthorized, "Unauthorized"); + return {ErrorCodes::Unauthorized, "Unauthorized"}; } - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( + if (!as->isAuthorizedForActionsOnResource( ResourcePattern::forExactNamespace(TagsType::ConfigNS), ActionType::find)) { - return Status(ErrorCodes::Unauthorized, "Unauthorized"); + return {ErrorCodes::Unauthorized, "Unauthorized"}; } - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( + if (!as->isAuthorizedForActionsOnResource( ResourcePattern::forExactNamespace(TagsType::ConfigNS), ActionType::update)) { - return Status(ErrorCodes::Unauthorized, "Unauthorized"); + return {ErrorCodes::Unauthorized, "Unauthorized"}; } - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( + if (!as->isAuthorizedForActionsOnResource( ResourcePattern::forExactNamespace(TagsType::ConfigNS), ActionType::remove)) { - return Status(ErrorCodes::Unauthorized, "Unauthorized"); + return {ErrorCodes::Unauthorized, "Unauthorized"}; } return Status::OK(); |