authorSergi Mateo Bellido <sergi.mateo-bellido@mongodb.com>2023-04-03 14:44:19 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2023-04-03 17:28:41 +0000
commitb29c35ee63c1eb1fead39db7293e751e9ae173d8 (patch)
tree3c590322f6dcf311a89c2552ec5aaaed2226e85a
parent1cace66e813b95207985fb612bfcbb99dd733878 (diff)
SERVER-74527 Adding security infrastructure for directShardOperations
-rw-r--r--src/mongo/db/auth/action_type.idl1
-rw-r--r--src/mongo/db/auth/authorization_session_impl.cpp4
-rw-r--r--src/mongo/db/auth/builtin_roles.yml6
3 files changed, 10 insertions, 1 deletions
diff --git a/src/mongo/db/auth/action_type.idl b/src/mongo/db/auth/action_type.idl
index 6d102ae5d5a..5ae0b8466fa 100644
--- a/src/mongo/db/auth/action_type.idl
+++ b/src/mongo/db/auth/action_type.idl
@@ -121,6 +121,7 @@ enums:
insert : "insert"
internal : "internal" # Special action type that represents internal actions
invalidateUserCache : "invalidateUserCache"
+ issueDirectShardOperations: "issueDirectShardOperations"
killAnyCursor : "killAnyCursor"
killAnySession : "killAnySession"
killCursors : "killCursors" # Deprecated in favor of killAnyCursor
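Review bot: The new `issueDirectShardOperations` entry has no comment, although the rest of this commit treats it specially: it is granted on the cluster resource and exempted from contract verification. A trailing comment in the style of the `internal` and `killCursors` lines would help anyone auditing the action list, for example `# Cluster-scoped; gates operations issued directly against a shard`. That wording is inferred from the role comment in builtin_roles.yml and should be confirmed against the enforcement code, which is not part of this commit.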
diff --git a/src/mongo/db/auth/authorization_session_impl.cpp b/src/mongo/db/auth/authorization_session_impl.cpp
index 0582c058ac7..30fd4871510 100644
--- a/src/mongo/db/auth/authorization_session_impl.cpp
+++ b/src/mongo/db/auth/authorization_session_impl.cpp
@@ -1108,6 +1108,10 @@ void AuthorizationSessionImpl::verifyContract(const AuthorizationContract* contr
// Implicitly checked often to keep mayBypassWriteBlockingMode() fast
tempContract.addPrivilege(kBypassWriteBlockingModeOnClusterPrivilege);
+ // Needed for internal sessions started by the server.
+ tempContract.addPrivilege(
+ Privilege(ResourcePattern::forClusterResource(), ActionType::issueDirectShardOperations));
+
uassert(5452401,
"Authorization Session contains more authorization checks then permitted by contract.",
tempContract.contains(_contract));
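Review bot: The privilege added to `tempContract` is exempted for every contract verified here, not only for internal sessions, so the comment `// Needed for internal sessions started by the server.` understates its reach. From the visible lines, anything placed in `tempContract` satisfies `tempContract.contains(_contract)` without being declared, so a later caller that checks `issueDirectShardOperations` on the cluster resource would not be flagged for a missing contract entry. I would reword the comment to name where the implicit check happens, e.g. `// Checked implicitly by <check site>, so it cannot be declared in per-command contracts.`, filling in the placeholder once that code lands. `verifyContract` begins and ends outside this hunk.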
diff --git a/src/mongo/db/auth/builtin_roles.yml b/src/mongo/db/auth/builtin_roles.yml
index 422ee9b76fe..7b9745e69b8 100644
--- a/src/mongo/db/auth/builtin_roles.yml
+++ b/src/mongo/db/auth/builtin_roles.yml
@@ -583,6 +583,7 @@ roles:
- readWriteAnyDatabase
- backup
- restore
+ - directShardOperations
privileges:
- matchType: any
actions:
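Review bot: Adding `directShardOperations` to this role's `roles` list gives every existing holder of the role (its name is above the hunk) the `issueDirectShardOperations` action on the cluster resource, and the diffstat lists no test file that pins this. I would add a test asserting the resolved privilege set of both this role and `directShardOperations` itself, whose `privileges: []` becomes a `matchType: cluster` grant in the second hunk of this file. Without one, a later edit could widen or drop the grant unnoticed. Whether the inheritance is intended for all current holders of the role is not stated on the page and is worth confirming.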
@@ -610,7 +611,10 @@ roles:
# privileges to write directly to shards.
directShardOperations:
adminOnly: true
- privileges: []
+ privileges:
+ - matchType: cluster
+ actions:
+ - issueDirectShardOperations
# Builtin role 'admin.__system' has its privileges special cased in builtin_roles.tpl.cpp
__system: