summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSara Golemon <sara.golemon@mongodb.com>2022-09-26 12:16:57 -0500
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2022-10-04 16:51:46 +0000
commit5ff2f41b0dbad9ef4d96b1407b06a044c0b41c48 (patch)
tree707d5150c1616ab7c41412697c4b19b950731c44
parent810d5c1f2b0f8d3767df55812c3324d6171aa107 (diff)
downloadmongo-5ff2f41b0dbad9ef4d96b1407b06a044c0b41c48.tar.gz
SERVER-70146 Migrate checkAuthForCommand to checkAuthForOperation
Diffstat
-rw-r--r--src/mongo/db/commands.cpp18
-rw-r--r--src/mongo/db/commands.h14
-rw-r--r--src/mongo/db/commands/apply_ops_cmd.cpp4
-rw-r--r--src/mongo/db/commands/current_op.cpp8
-rw-r--r--src/mongo/db/commands/dbcheck.cpp12
-rw-r--r--src/mongo/db/commands/dbcommands.cpp13
-rw-r--r--src/mongo/db/commands/fsync.cpp11
-rw-r--r--src/mongo/db/commands/index_filter_commands.cpp10
-rw-r--r--src/mongo/db/commands/index_filter_commands.h6
-rw-r--r--src/mongo/db/commands/kill_op_cmd_base.cpp9
-rw-r--r--src/mongo/db/commands/kill_op_cmd_base.h6
-rw-r--r--src/mongo/db/commands/lock_info.cpp12
-rw-r--r--src/mongo/db/commands/oplog_application_checks.cpp12
-rw-r--r--src/mongo/db/commands/oplog_application_checks.h11
-rw-r--r--src/mongo/db/commands/oplog_note.cpp11
-rw-r--r--src/mongo/db/commands/plan_cache_clear_command.cpp16
-rw-r--r--src/mongo/db/commands/profile_common.cpp12
-rw-r--r--src/mongo/db/commands/profile_common.h6
-rw-r--r--src/mongo/db/commands/resize_oplog.cpp8
-rw-r--r--src/mongo/db/commands/set_feature_compatibility_version_command.cpp13
-rw-r--r--src/mongo/db/commands/snapshot_management.cpp12
-rw-r--r--src/mongo/db/free_mon/free_mon_commands.cpp22
-rw-r--r--src/mongo/db/free_mon/free_mon_commands_stub.cpp11
-rw-r--r--src/mongo/db/ftdc/ftdc_commands.cpp7
-rw-r--r--src/mongo/db/repl/repl_set_command.cpp12
-rw-r--r--src/mongo/db/repl/repl_set_command.h6
-rw-r--r--src/mongo/db/repl/repl_set_commands.cpp16
-rw-r--r--src/mongo/db/s/cleanup_orphaned_cmd.cpp11
-rw-r--r--src/mongo/db/s/clone_catalog_data_command.cpp11
-rw-r--r--src/mongo/db/s/config/configsvr_add_shard_command.cpp11
-rw-r--r--src/mongo/db/s/config/configsvr_add_shard_to_zone_command.cpp11
-rw-r--r--src/mongo/db/s/config/configsvr_control_balancer_command.cpp11
-rw-r--r--src/mongo/db/s/config/configsvr_move_chunk_command.cpp11
-rw-r--r--src/mongo/db/s/config/configsvr_remove_shard_command.cpp11
-rw-r--r--src/mongo/db/s/config/configsvr_remove_shard_from_zone_command.cpp11
-rw-r--r--src/mongo/db/s/config/configsvr_repair_sharded_collection_chunks_history_command.cpp11
-rw-r--r--src/mongo/db/s/config/configsvr_run_restore_command.cpp11
-rw-r--r--src/mongo/db/s/config/configsvr_split_chunk_command.cpp11
-rw-r--r--src/mongo/db/s/config/configsvr_update_zone_key_range_command.cpp11
-rw-r--r--src/mongo/db/s/get_shard_version_command.cpp13
-rw-r--r--src/mongo/db/s/shardsvr_collmod_command.cpp9
-rw-r--r--src/mongo/db/s/shardsvr_merge_chunks_command.cpp11
-rw-r--r--src/mongo/db/s/shardsvr_move_primary_command.cpp11
-rw-r--r--src/mongo/db/s/shardsvr_split_chunk_command.cpp11
-rw-r--r--src/mongo/db/s/split_vector_command.cpp13
-rw-r--r--src/mongo/s/commands/cluster_add_shard_to_zone_cmd.cpp8
-rw-r--r--src/mongo/s/commands/cluster_collection_mod_cmd.cpp10
-rw-r--r--src/mongo/s/commands/cluster_control_balancer_cmd.cpp13
-rw-r--r--src/mongo/s/commands/cluster_current_op.cpp11
-rw-r--r--src/mongo/s/commands/cluster_ftdc_commands.cpp21
-rw-r--r--src/mongo/s/commands/cluster_get_shard_version_cmd.cpp13
-rw-r--r--src/mongo/s/commands/cluster_index_filter_cmd.cpp10
-rw-r--r--src/mongo/s/commands/cluster_list_collections_cmd.cpp10
-rw-r--r--src/mongo/s/commands/cluster_merge_chunks_cmd.cpp13
-rw-r--r--src/mongo/s/commands/cluster_move_primary_cmd.cpp13
-rw-r--r--src/mongo/s/commands/cluster_oplog_note_cmd.cpp11
-rw-r--r--src/mongo/s/commands/cluster_plan_cache_clear_cmd.cpp10
-rw-r--r--src/mongo/s/commands/cluster_remove_shard_from_zone_cmd.cpp8
-rw-r--r--src/mongo/s/commands/cluster_repair_sharded_collection_chunks_history_cmd.cpp13
-rw-r--r--src/mongo/s/commands/cluster_repl_set_get_status_cmd.cpp6
-rw-r--r--src/mongo/s/commands/cluster_set_free_monitoring_cmd.cpp11
-rw-r--r--src/mongo/s/commands/cluster_shard_collection_cmd.cpp13
-rw-r--r--src/mongo/s/commands/cluster_split_cmd.cpp13
-rw-r--r--src/mongo/s/commands/cluster_split_vector_cmd.cpp13
-rw-r--r--src/mongo/s/commands/cluster_update_zone_key_range_cmd.cpp8
65 files changed, 379 insertions, 347 deletions
diff --git a/src/mongo/db/commands.cpp b/src/mongo/db/commands.cpp
index 52a0a7121ed..24ef5e32b36 100644
--- a/src/mongo/db/commands.cpp
+++ b/src/mongo/db/commands.cpp
@@ -995,19 +995,15 @@ Status BasicCommandWithReplyBuilderInterface::explain(OperationContext* opCtx,
}
Status BasicCommandWithReplyBuilderInterface::checkAuthForOperation(OperationContext* opCtx,
- const DatabaseName& dbname,
+ const DatabaseName& dbName,
const BSONObj& cmdObj) const {
- return checkAuthForCommand(opCtx->getClient(), dbname.db(), cmdObj);
-}
-
-Status BasicCommandWithReplyBuilderInterface::checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const {
std::vector<Privilege> privileges;
- this->addRequiredPrivileges(dbname, cmdObj, &privileges);
- if (AuthorizationSession::get(client)->isAuthorizedForPrivileges(privileges))
- return Status::OK();
- return Status(ErrorCodes::Unauthorized, "unauthorized");
+ this->addRequiredPrivileges(dbName.db(), cmdObj, &privileges);
+ if (!AuthorizationSession::get(opCtx->getClient())->isAuthorizedForPrivileges(privileges)) {
+ return {ErrorCodes::Unauthorized, "unauthorized"};
+ }
+
+ return Status::OK();
}
void Command::generateHelpResponse(OperationContext* opCtx,
diff --git a/src/mongo/db/commands.h b/src/mongo/db/commands.h
index 83e1d7f2de0..3e5b9d7d4e4 100644
--- a/src/mongo/db/commands.h
+++ b/src/mongo/db/commands.h
@@ -902,10 +902,10 @@ public:
/**
* Checks if the client associated with the given OperationContext is authorized to run this
- * command. Default implementation defers to checkAuthForCommand.
+ * command. Default implementation checks via addRequiredPrivileges().
*/
virtual Status checkAuthForOperation(OperationContext* opCtx,
- const DatabaseName& dbname,
+ const DatabaseName& dbName,
const BSONObj& cmdObj) const;
/**
@@ -975,16 +975,6 @@ private:
//
/**
- * Checks if the given client is authorized to run this command on database "dbname"
- * with the invocation described by "cmdObj".
- *
- * NOTE: Implement checkAuthForOperation that takes an OperationContext* instead.
- */
- virtual Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const;
-
- /**
* Appends to "*out" the privileges required to run this command on database "dbname" with
* the invocation described by "cmdObj". New commands shouldn't implement this, they should
* implement checkAuthForOperation (which takes an OperationContext*), instead.
diff --git a/src/mongo/db/commands/apply_ops_cmd.cpp b/src/mongo/db/commands/apply_ops_cmd.cpp
index d114e8396d9..1c69babdd12 100644
--- a/src/mongo/db/commands/apply_ops_cmd.cpp
+++ b/src/mongo/db/commands/apply_ops_cmd.cpp
@@ -203,10 +203,10 @@ public:
}
Status checkAuthForOperation(OperationContext* opCtx,
- const DatabaseName& dbname,
+ const DatabaseName& dbName,
const BSONObj& cmdObj) const override {
OplogApplicationValidity validity = validateApplyOpsCommand(cmdObj);
- return OplogApplicationChecks::checkAuthForCommand(opCtx, dbname.db(), cmdObj, validity);
+ return OplogApplicationChecks::checkAuthForOperation(opCtx, dbName, cmdObj, validity);
}
bool run(OperationContext* opCtx,
diff --git a/src/mongo/db/commands/current_op.cpp b/src/mongo/db/commands/current_op.cpp
index 78fec805202..a6e546cf506 100644
--- a/src/mongo/db/commands/current_op.cpp
+++ b/src/mongo/db/commands/current_op.cpp
@@ -50,10 +50,10 @@ class CurrentOpCommand final : public CurrentOpCommandBase {
public:
CurrentOpCommand() = default;
- Status checkAuthForCommand(Client* client,
- const std::string& dbName,
- const BSONObj& cmdObj) const final {
- AuthorizationSession* authzSession = AuthorizationSession::get(client);
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj& cmdObj) const final {
+ AuthorizationSession* authzSession = AuthorizationSession::get(opCtx->getClient());
if (authzSession->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
ActionType::inprog)) {
return Status::OK();
diff --git a/src/mongo/db/commands/dbcheck.cpp b/src/mongo/db/commands/dbcheck.cpp
index 9eaa51fe1b6..1b1110abb29 100644
--- a/src/mongo/db/commands/dbcheck.cpp
+++ b/src/mongo/db/commands/dbcheck.cpp
@@ -668,12 +668,12 @@ public:
"Invoke with {dbCheck: 1} to check all collections in the database.";
}
- virtual Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const {
- const bool isAuthorized =
- AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forAnyResource(), ActionType::dbCheck);
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const override {
+ const bool isAuthorized = AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(
+ ResourcePattern::forAnyResource(), ActionType::dbCheck);
return isAuthorized ? Status::OK() : Status(ErrorCodes::Unauthorized, "Unauthorized");
}
diff --git a/src/mongo/db/commands/dbcommands.cpp b/src/mongo/db/commands/dbcommands.cpp
index c6f8a329fd1..19fd21c513e 100644
--- a/src/mongo/db/commands/dbcommands.cpp
+++ b/src/mongo/db/commands/dbcommands.cpp
@@ -432,9 +432,9 @@ public:
using Request = CollStatsCommand;
Status checkAuthForOperation(OperationContext* opCtx,
- const DatabaseName& dbname,
+ const DatabaseName& dbName,
const BSONObj& cmdObj) const final {
- const auto nss = CommandHelpers::parseNsCollectionRequired(dbname, cmdObj);
+ const auto nss = CommandHelpers::parseNsCollectionRequired(dbName, cmdObj);
auto as = AuthorizationSession::get(opCtx->getClient());
if (!as->isAuthorizedForActionsOnResource(ResourcePattern::forExactNamespace(nss),
ActionType::collStats)) {
@@ -513,10 +513,11 @@ public:
"Example: { collMod: 'foo', index: {name: 'bar', expireAfterSeconds: 600} }\n";
}
- virtual Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const {
- const NamespaceString nss(parseNs({boost::none, dbname}, cmdObj));
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName& dbName,
+ const BSONObj& cmdObj) const override {
+ auto client = opCtx->getClient();
+ auto nss = parseNs(dbName, cmdObj);
return auth::checkAuthForCollMod(
client->getOperationContext(), AuthorizationSession::get(client), nss, cmdObj, false);
}
diff --git a/src/mongo/db/commands/fsync.cpp b/src/mongo/db/commands/fsync.cpp
index c968bb51882..f84b77bff5c 100644
--- a/src/mongo/db/commands/fsync.cpp
+++ b/src/mongo/db/commands/fsync.cpp
@@ -290,11 +290,12 @@ public:
return true;
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override {
- bool isAuthorized = AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forClusterResource(), ActionType::unlock);
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const override {
+ bool isAuthorized = AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(
+ ResourcePattern::forClusterResource(), ActionType::unlock);
return isAuthorized ? Status::OK() : Status(ErrorCodes::Unauthorized, "Unauthorized");
}
diff --git a/src/mongo/db/commands/index_filter_commands.cpp b/src/mongo/db/commands/index_filter_commands.cpp
index 1497e7ae763..423014c0c04 100644
--- a/src/mongo/db/commands/index_filter_commands.cpp
+++ b/src/mongo/db/commands/index_filter_commands.cpp
@@ -109,11 +109,11 @@ std::string IndexFilterCommand::help() const {
return helpText;
}
-Status IndexFilterCommand::checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const {
- AuthorizationSession* authzSession = AuthorizationSession::get(client);
- ResourcePattern pattern = parseResourcePattern(dbname, cmdObj);
+Status IndexFilterCommand::checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName& dbName,
+ const BSONObj& cmdObj) const {
+ AuthorizationSession* authzSession = AuthorizationSession::get(opCtx->getClient());
+ ResourcePattern pattern = parseResourcePattern(dbName.db(), cmdObj);
if (authzSession->isAuthorizedForActionsOnResource(pattern, ActionType::planCacheIndexFilter)) {
return Status::OK();
diff --git a/src/mongo/db/commands/index_filter_commands.h b/src/mongo/db/commands/index_filter_commands.h
index 462fc9c8df2..5f7561af73c 100644
--- a/src/mongo/db/commands/index_filter_commands.h
+++ b/src/mongo/db/commands/index_filter_commands.h
@@ -80,9 +80,9 @@ public:
* One action type defined for index filter commands:
* - planCacheIndexFilter
*/
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override;
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName& dbName,
+ const BSONObj& cmdObj) const override;
virtual Status runIndexFilterCommand(OperationContext* opCtx,
const CollectionPtr& collection,
diff --git a/src/mongo/db/commands/kill_op_cmd_base.cpp b/src/mongo/db/commands/kill_op_cmd_base.cpp
index c8595618488..49e277ae925 100644
--- a/src/mongo/db/commands/kill_op_cmd_base.cpp
+++ b/src/mongo/db/commands/kill_op_cmd_base.cpp
@@ -76,9 +76,10 @@ void KillOpCmdBase::reportSuccessfulCompletion(OperationContext* opCtx,
}
-Status KillOpCmdBase::checkAuthForCommand(Client* worker,
- const std::string& dbname,
- const BSONObj& cmdObj) const {
+Status KillOpCmdBase::checkAuthForOperation(OperationContext* workerOpCtx,
+ const DatabaseName&,
+ const BSONObj& cmdObj) const {
+ auto* worker = workerOpCtx->getClient();
auto opKiller = OperationKiller(worker);
if (opKiller.isGenerallyAuthorizedToKill()) {
@@ -87,7 +88,7 @@ Status KillOpCmdBase::checkAuthForCommand(Client* worker,
if (isKillingLocalOp(cmdObj.getField("op"))) {
// Look up the OperationContext and see if we have permission to kill it. This is done once
- // here and again in the command body. The check here in the checkAuthForCommand() function
+ // here and again in the command body. The check here in the checkAuthForOperation function
// is necessary because if the check fails, it will be picked up by the auditing system.
long long opId = parseOpId(cmdObj);
auto target = worker->getServiceContext()->getLockedClient(opId);
diff --git a/src/mongo/db/commands/kill_op_cmd_base.h b/src/mongo/db/commands/kill_op_cmd_base.h
index 7439daddeeb..8a48d623ff6 100644
--- a/src/mongo/db/commands/kill_op_cmd_base.h
+++ b/src/mongo/db/commands/kill_op_cmd_base.h
@@ -54,9 +54,9 @@ public:
return true;
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const final;
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName& dbName,
+ const BSONObj& cmdObj) const final;
protected:
/**
diff --git a/src/mongo/db/commands/lock_info.cpp b/src/mongo/db/commands/lock_info.cpp
index 525c0a31671..d7e77df6453 100644
--- a/src/mongo/db/commands/lock_info.cpp
+++ b/src/mongo/db/commands/lock_info.cpp
@@ -64,11 +64,13 @@ public:
return "show all lock info on the server";
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const final {
- bool isAuthorized = AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forClusterResource(), ActionType::serverStatus);
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const final {
+ bool isAuthorized =
+ AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::serverStatus);
return isAuthorized ? Status::OK() : Status(ErrorCodes::Unauthorized, "Unauthorized");
}
diff --git a/src/mongo/db/commands/oplog_application_checks.cpp b/src/mongo/db/commands/oplog_application_checks.cpp
index 02cc6e51366..c4f65bb478b 100644
--- a/src/mongo/db/commands/oplog_application_checks.cpp
+++ b/src/mongo/db/commands/oplog_application_checks.cpp
@@ -43,7 +43,7 @@ UUID OplogApplicationChecks::getUUIDFromOplogEntry(const BSONObj& oplogEntry) {
};
Status OplogApplicationChecks::checkOperationAuthorization(OperationContext* opCtx,
- const std::string& dbname,
+ const DatabaseName&,
const BSONObj& oplogEntry,
AuthorizationSession* authSession,
bool alwaysUpsert) {
@@ -206,10 +206,10 @@ Status OplogApplicationChecks::checkOperation(const BSONElement& e) {
return Status::OK();
}
-Status OplogApplicationChecks::checkAuthForCommand(OperationContext* opCtx,
- const std::string& dbname,
- const BSONObj& cmdObj,
- OplogApplicationValidity validity) {
+Status OplogApplicationChecks::checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName& dbName,
+ const BSONObj& cmdObj,
+ OplogApplicationValidity validity) {
AuthorizationSession* authSession = AuthorizationSession::get(opCtx->getClient());
if (!authSession->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
ActionType::applyOps)) {
@@ -252,7 +252,7 @@ Status OplogApplicationChecks::checkAuthForCommand(OperationContext* opCtx,
for (const BSONElement& e : cmdObj.firstElement().Array()) {
checkBSONType(BSONType::Object, e);
Status status = OplogApplicationChecks::checkOperationAuthorization(
- opCtx, dbname, e.Obj(), authSession, alwaysUpsert);
+ opCtx, dbName, e.Obj(), authSession, alwaysUpsert);
if (!status.isOK()) {
return status;
}
diff --git a/src/mongo/db/commands/oplog_application_checks.h b/src/mongo/db/commands/oplog_application_checks.h
index 3537dc716ab..3152510a66b 100644
--- a/src/mongo/db/commands/oplog_application_checks.h
+++ b/src/mongo/db/commands/oplog_application_checks.h
@@ -35,6 +35,7 @@
namespace mongo {
class BSONElement;
class BSONObj;
+class DatabaseName;
class OperationContext;
// OplogApplicationValidity represents special conditions relevant to authorization for
@@ -58,10 +59,10 @@ public:
/**
* Checks the authorization for an entire oplog application command.
*/
- static Status checkAuthForCommand(OperationContext* opCtx,
- const std::string& dbname,
- const BSONObj& cmdObj,
- OplogApplicationValidity validity);
+ static Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName& dbName,
+ const BSONObj& cmdObj,
+ OplogApplicationValidity validity);
/**
* Checks that 'opsElement' is an array and all elements of the array are valid operations.
@@ -76,7 +77,7 @@ private:
* command.
*/
static Status checkOperationAuthorization(OperationContext* opCtx,
- const std::string& dbname,
+ const DatabaseName& dbName,
const BSONObj& oplogEntry,
AuthorizationSession* authSession,
bool alwaysUpsert);
diff --git a/src/mongo/db/commands/oplog_note.cpp b/src/mongo/db/commands/oplog_note.cpp
index c7017f99b2d..74c7a73accd 100644
--- a/src/mongo/db/commands/oplog_note.cpp
+++ b/src/mongo/db/commands/oplog_note.cpp
@@ -107,11 +107,12 @@ public:
return "Adds a no-op entry to the oplog";
}
- virtual Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forClusterResource(), ActionType::appendOplogNote)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const override {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::appendOplogNote)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
return Status::OK();
diff --git a/src/mongo/db/commands/plan_cache_clear_command.cpp b/src/mongo/db/commands/plan_cache_clear_command.cpp
index 05107ba795f..09115ee17bd 100644
--- a/src/mongo/db/commands/plan_cache_clear_command.cpp
+++ b/src/mongo/db/commands/plan_cache_clear_command.cpp
@@ -154,20 +154,20 @@ public:
return AllowedOnSecondary::kOptIn;
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override;
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName& dbName,
+ const BSONObj& cmdObj) const override;
std::string help() const override {
return "Drops one or all plan cache entries in a collection.";
}
} planCacheClearCommand;
-Status PlanCacheClearCommand::checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const {
- AuthorizationSession* authzSession = AuthorizationSession::get(client);
- ResourcePattern pattern = parseResourcePattern(dbname, cmdObj);
+Status PlanCacheClearCommand::checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName& dbName,
+ const BSONObj& cmdObj) const {
+ AuthorizationSession* authzSession = AuthorizationSession::get(opCtx->getClient());
+ ResourcePattern pattern = parseResourcePattern(dbName.db(), cmdObj);
if (authzSession->isAuthorizedForActionsOnResource(pattern, ActionType::planCacheWrite)) {
return Status::OK();
diff --git a/src/mongo/db/commands/profile_common.cpp b/src/mongo/db/commands/profile_common.cpp
index a35e9e7bf3e..a2d42f3480c 100644
--- a/src/mongo/db/commands/profile_common.cpp
+++ b/src/mongo/db/commands/profile_common.cpp
@@ -44,10 +44,10 @@
namespace mongo {
-Status ProfileCmdBase::checkAuthForCommand(Client* client,
- const std::string& dbName,
- const BSONObj& cmdObj) const {
- AuthorizationSession* authzSession = AuthorizationSession::get(client);
+Status ProfileCmdBase::checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName& dbName,
+ const BSONObj& cmdObj) const {
+ AuthorizationSession* authzSession = AuthorizationSession::get(opCtx->getClient());
auto request = ProfileCmdRequest::parse(IDLParserContext("profile"), cmdObj);
const auto profilingLevel = request.getCommandParameter();
@@ -61,8 +61,8 @@ Status ProfileCmdBase::checkAuthForCommand(Client* client,
}
}
- return authzSession->isAuthorizedForActionsOnResource(ResourcePattern::forDatabaseName(dbName),
- ActionType::enableProfiler)
+ return authzSession->isAuthorizedForActionsOnResource(
+ ResourcePattern::forDatabaseName(dbName.db()), ActionType::enableProfiler)
? Status::OK()
: Status(ErrorCodes::Unauthorized, "unauthorized");
}
diff --git a/src/mongo/db/commands/profile_common.h b/src/mongo/db/commands/profile_common.h
index e691636bf8b..f09bce4e993 100644
--- a/src/mongo/db/commands/profile_common.h
+++ b/src/mongo/db/commands/profile_common.h
@@ -64,9 +64,9 @@ public:
return false;
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const final;
+ Status checkAuthForOperation(OperationContext*,
+ const DatabaseName&,
+ const BSONObj&) const final;
bool run(OperationContext* opCtx,
const DatabaseName& dbName,
diff --git a/src/mongo/db/commands/resize_oplog.cpp b/src/mongo/db/commands/resize_oplog.cpp
index 5aa3c693dab..0c96a36e5d4 100644
--- a/src/mongo/db/commands/resize_oplog.cpp
+++ b/src/mongo/db/commands/resize_oplog.cpp
@@ -67,10 +67,10 @@ public:
return "Resize oplog using size (in MBs) and optionally, retention (in terms of hours)";
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const final {
- AuthorizationSession* authzSession = AuthorizationSession::get(client);
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const final {
+ AuthorizationSession* authzSession = AuthorizationSession::get(opCtx->getClient());
if (authzSession->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
ActionType::replSetResizeOplog)) {
return Status::OK();
diff --git a/src/mongo/db/commands/set_feature_compatibility_version_command.cpp b/src/mongo/db/commands/set_feature_compatibility_version_command.cpp
index f598459ac0d..d73102619d2 100644
--- a/src/mongo/db/commands/set_feature_compatibility_version_command.cpp
+++ b/src/mongo/db/commands/set_feature_compatibility_version_command.cpp
@@ -251,14 +251,15 @@ public:
return h.str();
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forClusterResource(),
- ActionType::setFeatureCompatibilityVersion)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const override {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::setFeatureCompatibilityVersion)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
+
return Status::OK();
}
diff --git a/src/mongo/db/commands/snapshot_management.cpp b/src/mongo/db/commands/snapshot_management.cpp
index 5dfcab27983..d84e94c3254 100644
--- a/src/mongo/db/commands/snapshot_management.cpp
+++ b/src/mongo/db/commands/snapshot_management.cpp
@@ -56,9 +56,9 @@ public:
}
// No auth needed because it only works when enabled via command line.
- virtual Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const {
+ Status checkAuthForOperation(OperationContext*,
+ const DatabaseName&,
+ const BSONObj&) const override {
return Status::OK();
}
@@ -101,9 +101,9 @@ public:
}
// No auth needed because it only works when enabled via command line.
- virtual Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const {
+ Status checkAuthForOperation(OperationContext*,
+ const DatabaseName&,
+ const BSONObj&) const override {
return Status::OK();
}
diff --git a/src/mongo/db/free_mon/free_mon_commands.cpp b/src/mongo/db/free_mon/free_mon_commands.cpp
index d1fa55285f1..5d639d03558 100644
--- a/src/mongo/db/free_mon/free_mon_commands.cpp
+++ b/src/mongo/db/free_mon/free_mon_commands.cpp
@@ -65,11 +65,12 @@ public:
return "Indicates free monitoring status";
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const final {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forClusterResource(), ActionType::checkFreeMonitoringStatus)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const final {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::checkFreeMonitoringStatus)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
return Status::OK();
@@ -121,11 +122,12 @@ public:
return "enable or disable Free Monitoring";
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const final {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forClusterResource(), ActionType::setFreeMonitoring)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const final {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::setFreeMonitoring)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
return Status::OK();
diff --git a/src/mongo/db/free_mon/free_mon_commands_stub.cpp b/src/mongo/db/free_mon/free_mon_commands_stub.cpp
index 7a9942ccee2..6249c21f679 100644
--- a/src/mongo/db/free_mon/free_mon_commands_stub.cpp
+++ b/src/mongo/db/free_mon/free_mon_commands_stub.cpp
@@ -63,11 +63,12 @@ public:
return "Indicates free monitoring status";
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const final {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forClusterResource(), ActionType::checkFreeMonitoringStatus)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const final {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::checkFreeMonitoringStatus)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
return Status::OK();
diff --git a/src/mongo/db/ftdc/ftdc_commands.cpp b/src/mongo/db/ftdc/ftdc_commands.cpp
index 12b604ce9cf..27315a51440 100644
--- a/src/mongo/db/ftdc/ftdc_commands.cpp
+++ b/src/mongo/db/ftdc/ftdc_commands.cpp
@@ -66,9 +66,10 @@ public:
return false;
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName& dbName,
+ const BSONObj& cmdObj) const override {
+ auto* client = opCtx->getClient();
if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
ResourcePattern::forClusterResource(), ActionType::serverStatus)) {
diff --git a/src/mongo/db/repl/repl_set_command.cpp b/src/mongo/db/repl/repl_set_command.cpp
index c157b066fe9..510d75d2c0a 100644
--- a/src/mongo/db/repl/repl_set_command.cpp
+++ b/src/mongo/db/repl/repl_set_command.cpp
@@ -36,13 +36,15 @@
namespace mongo {
namespace repl {
-Status ReplSetCommand::checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forClusterResource(), getAuthActionSet())) {
+Status ReplSetCommand::checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ getAuthActionSet())) {
return {ErrorCodes::Unauthorized, "Unauthorized"};
}
+
return Status::OK();
}
diff --git a/src/mongo/db/repl/repl_set_command.h b/src/mongo/db/repl/repl_set_command.h
index 4946ea86c11..b18a3538c69 100644
--- a/src/mongo/db/repl/repl_set_command.h
+++ b/src/mongo/db/repl/repl_set_command.h
@@ -60,9 +60,9 @@ protected:
return false;
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override;
+ Status checkAuthForOperation(OperationContext*,
+ const DatabaseName&,
+ const BSONObj&) const override;
virtual ActionSet getAuthActionSet() const {
return ActionSet{ActionType::internal};
diff --git a/src/mongo/db/repl/repl_set_commands.cpp b/src/mongo/db/repl/repl_set_commands.cpp
index cd17527bbf2..31112fa06c7 100644
--- a/src/mongo/db/repl/repl_set_commands.cpp
+++ b/src/mongo/db/repl/repl_set_commands.cpp
@@ -93,17 +93,19 @@ public:
std::string help() const override {
return "Just for tests.\n";
}
+
// No auth needed because it only works when enabled via command line.
- virtual Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const {
+ Status checkAuthForOperation(OperationContext*,
+ const DatabaseName&,
+ const BSONObj&) const override {
return Status::OK();
}
+
CmdReplSetTest() : ReplSetCommand("replSetTest") {}
- virtual bool run(OperationContext* opCtx,
- const DatabaseName&,
- const BSONObj& cmdObj,
- BSONObjBuilder& result) {
+ bool run(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj& cmdObj,
+ BSONObjBuilder& result) override {
LOGV2(21573,
"replSetTest command received: {cmdObj}",
"replSetTest command received",
diff --git a/src/mongo/db/s/cleanup_orphaned_cmd.cpp b/src/mongo/db/s/cleanup_orphaned_cmd.cpp
index e3f2e4779e0..2e6ab879782 100644
--- a/src/mongo/db/s/cleanup_orphaned_cmd.cpp
+++ b/src/mongo/db/s/cleanup_orphaned_cmd.cpp
@@ -160,11 +160,12 @@ public:
return true;
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forClusterResource(), ActionType::cleanupOrphaned)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const override {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::cleanupOrphaned)) {
return Status(ErrorCodes::Unauthorized, "Not authorized for cleanupOrphaned command.");
}
return Status::OK();
diff --git a/src/mongo/db/s/clone_catalog_data_command.cpp b/src/mongo/db/s/clone_catalog_data_command.cpp
index b996368e454..fe92765e3b2 100644
--- a/src/mongo/db/s/clone_catalog_data_command.cpp
+++ b/src/mongo/db/s/clone_catalog_data_command.cpp
@@ -74,11 +74,12 @@ public:
return true;
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forClusterResource(), ActionType::internal)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const override {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::internal)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
diff --git a/src/mongo/db/s/config/configsvr_add_shard_command.cpp b/src/mongo/db/s/config/configsvr_add_shard_command.cpp
index 9ea14319405..d08669474fc 100644
--- a/src/mongo/db/s/config/configsvr_add_shard_command.cpp
+++ b/src/mongo/db/s/config/configsvr_add_shard_command.cpp
@@ -81,11 +81,12 @@ public:
return true;
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forClusterResource(), ActionType::internal)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const override {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::internal)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
return Status::OK();
diff --git a/src/mongo/db/s/config/configsvr_add_shard_to_zone_command.cpp b/src/mongo/db/s/config/configsvr_add_shard_to_zone_command.cpp
index 141fe3d9ddb..697ba004878 100644
--- a/src/mongo/db/s/config/configsvr_add_shard_to_zone_command.cpp
+++ b/src/mongo/db/s/config/configsvr_add_shard_to_zone_command.cpp
@@ -82,11 +82,12 @@ public:
return true;
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forClusterResource(), ActionType::internal)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const override {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::internal)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
return Status::OK();
diff --git a/src/mongo/db/s/config/configsvr_control_balancer_command.cpp b/src/mongo/db/s/config/configsvr_control_balancer_command.cpp
index b02a6b1a266..522c81ef245 100644
--- a/src/mongo/db/s/config/configsvr_control_balancer_command.cpp
+++ b/src/mongo/db/s/config/configsvr_control_balancer_command.cpp
@@ -70,11 +70,12 @@ public:
return false;
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forClusterResource(), ActionType::internal)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const override {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::internal)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
return Status::OK();
diff --git a/src/mongo/db/s/config/configsvr_move_chunk_command.cpp b/src/mongo/db/s/config/configsvr_move_chunk_command.cpp
index 10c19ab53d8..ccbec5e98b2 100644
--- a/src/mongo/db/s/config/configsvr_move_chunk_command.cpp
+++ b/src/mongo/db/s/config/configsvr_move_chunk_command.cpp
@@ -72,11 +72,12 @@ public:
return true;
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forClusterResource(), ActionType::internal)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const override {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::internal)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
return Status::OK();
diff --git a/src/mongo/db/s/config/configsvr_remove_shard_command.cpp b/src/mongo/db/s/config/configsvr_remove_shard_command.cpp
index a17fb730363..efebf6f1cf9 100644
--- a/src/mongo/db/s/config/configsvr_remove_shard_command.cpp
+++ b/src/mongo/db/s/config/configsvr_remove_shard_command.cpp
@@ -83,11 +83,12 @@ public:
return true;
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forClusterResource(), ActionType::internal)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const override {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::internal)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
return Status::OK();
diff --git a/src/mongo/db/s/config/configsvr_remove_shard_from_zone_command.cpp b/src/mongo/db/s/config/configsvr_remove_shard_from_zone_command.cpp
index 1be2824081e..69a50eae5a0 100644
--- a/src/mongo/db/s/config/configsvr_remove_shard_from_zone_command.cpp
+++ b/src/mongo/db/s/config/configsvr_remove_shard_from_zone_command.cpp
@@ -85,11 +85,12 @@ public:
return true;
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forClusterResource(), ActionType::internal)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const override {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::internal)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
return Status::OK();
diff --git a/src/mongo/db/s/config/configsvr_repair_sharded_collection_chunks_history_command.cpp b/src/mongo/db/s/config/configsvr_repair_sharded_collection_chunks_history_command.cpp
index a91151f12f7..2017fc4e8f9 100644
--- a/src/mongo/db/s/config/configsvr_repair_sharded_collection_chunks_history_command.cpp
+++ b/src/mongo/db/s/config/configsvr_repair_sharded_collection_chunks_history_command.cpp
@@ -72,11 +72,12 @@ public:
return NamespaceString(dbName.tenantId(), CommandHelpers::parseNsFullyQualified(cmdObj));
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forClusterResource(), ActionType::internal)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const override {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::internal)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
return Status::OK();
diff --git a/src/mongo/db/s/config/configsvr_run_restore_command.cpp b/src/mongo/db/s/config/configsvr_run_restore_command.cpp
index ef9de4c5231..f5cbddd0dfc 100644
--- a/src/mongo/db/s/config/configsvr_run_restore_command.cpp
+++ b/src/mongo/db/s/config/configsvr_run_restore_command.cpp
@@ -152,11 +152,12 @@ public:
return false;
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forClusterResource(), ActionType::internal)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const override {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::internal)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
return Status::OK();
diff --git a/src/mongo/db/s/config/configsvr_split_chunk_command.cpp b/src/mongo/db/s/config/configsvr_split_chunk_command.cpp
index 37ac4d023b6..4aa73b27c5c 100644
--- a/src/mongo/db/s/config/configsvr_split_chunk_command.cpp
+++ b/src/mongo/db/s/config/configsvr_split_chunk_command.cpp
@@ -94,11 +94,12 @@ public:
return true;
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forClusterResource(), ActionType::internal)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const override {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::internal)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
return Status::OK();
diff --git a/src/mongo/db/s/config/configsvr_update_zone_key_range_command.cpp b/src/mongo/db/s/config/configsvr_update_zone_key_range_command.cpp
index fa562f8b04c..11e8ebf7ed9 100644
--- a/src/mongo/db/s/config/configsvr_update_zone_key_range_command.cpp
+++ b/src/mongo/db/s/config/configsvr_update_zone_key_range_command.cpp
@@ -87,11 +87,12 @@ public:
return true;
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forClusterResource(), ActionType::internal)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const override {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::internal)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
return Status::OK();
diff --git a/src/mongo/db/s/get_shard_version_command.cpp b/src/mongo/db/s/get_shard_version_command.cpp
index 391d9d2ca71..e5a940af46b 100644
--- a/src/mongo/db/s/get_shard_version_command.cpp
+++ b/src/mongo/db/s/get_shard_version_command.cpp
@@ -65,12 +65,13 @@ public:
return true;
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forExactNamespace(parseNs({boost::none, dbname}, cmdObj)),
- ActionType::getShardVersion)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName& dbName,
+ const BSONObj& cmdObj) const override {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(
+ ResourcePattern::forExactNamespace(parseNs(dbName, cmdObj)),
+ ActionType::getShardVersion)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
return Status::OK();
diff --git a/src/mongo/db/s/shardsvr_collmod_command.cpp b/src/mongo/db/s/shardsvr_collmod_command.cpp
index 76851922697..b924c43cfdf 100644
--- a/src/mongo/db/s/shardsvr_collmod_command.cpp
+++ b/src/mongo/db/s/shardsvr_collmod_command.cpp
@@ -69,10 +69,11 @@ public:
"directly. Modifies collection.";
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override {
- const NamespaceString nss(parseNs({boost::none, dbname}, cmdObj));
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName& dbName,
+ const BSONObj& cmdObj) const override {
+ auto* client = opCtx->getClient();
+ const NamespaceString nss(parseNs(dbName, cmdObj));
return auth::checkAuthForCollMod(
client->getOperationContext(), AuthorizationSession::get(client), nss, cmdObj, false);
}
diff --git a/src/mongo/db/s/shardsvr_merge_chunks_command.cpp b/src/mongo/db/s/shardsvr_merge_chunks_command.cpp
index 22f20b9135b..de7bf83bc26 100644
--- a/src/mongo/db/s/shardsvr_merge_chunks_command.cpp
+++ b/src/mongo/db/s/shardsvr_merge_chunks_command.cpp
@@ -135,11 +135,12 @@ public:
"Usage: { mergeChunks: <ns>, epoch: <epoch>, bounds: [<min key>, <max key>] }";
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forClusterResource(), ActionType::internal)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const override {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::internal)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
return Status::OK();
diff --git a/src/mongo/db/s/shardsvr_move_primary_command.cpp b/src/mongo/db/s/shardsvr_move_primary_command.cpp
index 3f08102515d..7ce0578789c 100644
--- a/src/mongo/db/s/shardsvr_move_primary_command.cpp
+++ b/src/mongo/db/s/shardsvr_move_primary_command.cpp
@@ -68,11 +68,12 @@ public:
return true;
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forClusterResource(), ActionType::internal)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const override {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::internal)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
return Status::OK();
diff --git a/src/mongo/db/s/shardsvr_split_chunk_command.cpp b/src/mongo/db/s/shardsvr_split_chunk_command.cpp
index 3d11f8990fc..c62a3d07c27 100644
--- a/src/mongo/db/s/shardsvr_split_chunk_command.cpp
+++ b/src/mongo/db/s/shardsvr_split_chunk_command.cpp
@@ -76,11 +76,12 @@ public:
return true;
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forClusterResource(), ActionType::internal)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const override {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::internal)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
return Status::OK();
diff --git a/src/mongo/db/s/split_vector_command.cpp b/src/mongo/db/s/split_vector_command.cpp
index 9b2812af619..511d9ff52f0 100644
--- a/src/mongo/db/s/split_vector_command.cpp
+++ b/src/mongo/db/s/split_vector_command.cpp
@@ -69,12 +69,13 @@ public:
"NOTE: This command may take a while to run";
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forExactNamespace(parseNs({boost::none, dbname}, cmdObj)),
- ActionType::splitVector)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName& dbName,
+ const BSONObj& cmdObj) const override {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(
+ ResourcePattern::forExactNamespace(parseNs(dbName, cmdObj)),
+ ActionType::splitVector)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
return Status::OK();
diff --git a/src/mongo/s/commands/cluster_add_shard_to_zone_cmd.cpp b/src/mongo/s/commands/cluster_add_shard_to_zone_cmd.cpp
index 4c6dc7e762b..83628cd10f9 100644
--- a/src/mongo/s/commands/cluster_add_shard_to_zone_cmd.cpp
+++ b/src/mongo/s/commands/cluster_add_shard_to_zone_cmd.cpp
@@ -80,10 +80,10 @@ public:
return "adds a shard to zone";
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const final {
- auto* as = AuthorizationSession::get(client);
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const final {
+ auto* as = AuthorizationSession::get(opCtx->getClient());
if (as->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
ActionType::enableSharding)) {
diff --git a/src/mongo/s/commands/cluster_collection_mod_cmd.cpp b/src/mongo/s/commands/cluster_collection_mod_cmd.cpp
index 146778efdc0..777f30bf5f9 100644
--- a/src/mongo/s/commands/cluster_collection_mod_cmd.cpp
+++ b/src/mongo/s/commands/cluster_collection_mod_cmd.cpp
@@ -71,11 +71,11 @@ public:
return false;
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override {
- const NamespaceString nss(
- CommandHelpers::parseNsCollectionRequired({boost::none, dbname}, cmdObj));
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName& dbName,
+ const BSONObj& cmdObj) const override {
+ auto* client = opCtx->getClient();
+ const NamespaceString nss(CommandHelpers::parseNsCollectionRequired(dbName, cmdObj));
return auth::checkAuthForCollMod(
client->getOperationContext(), AuthorizationSession::get(client), nss, cmdObj, true);
}
diff --git a/src/mongo/s/commands/cluster_control_balancer_cmd.cpp b/src/mongo/s/commands/cluster_control_balancer_cmd.cpp
index 2cf2bfd5eef..97bc5fbcbb8 100644
--- a/src/mongo/s/commands/cluster_control_balancer_cmd.cpp
+++ b/src/mongo/s/commands/cluster_control_balancer_cmd.cpp
@@ -74,12 +74,13 @@ public:
return "Starts or stops the sharding balancer.";
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forExactNamespace(NamespaceString("config", "settings")),
- _authorizationAction)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const override {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(
+ ResourcePattern::forExactNamespace(NamespaceString("config", "settings")),
+ _authorizationAction)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
return Status::OK();
diff --git a/src/mongo/s/commands/cluster_current_op.cpp b/src/mongo/s/commands/cluster_current_op.cpp
index 5f4f2187b49..040c43bfb5d 100644
--- a/src/mongo/s/commands/cluster_current_op.cpp
+++ b/src/mongo/s/commands/cluster_current_op.cpp
@@ -50,11 +50,12 @@ class ClusterCurrentOpCommand final : public CurrentOpCommandBase {
public:
ClusterCurrentOpCommand() = default;
- Status checkAuthForCommand(Client* client,
- const std::string& dbName,
- const BSONObj& cmdObj) const final {
- bool isAuthorized = AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forClusterResource(), ActionType::inprog);
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const final {
+ bool isAuthorized = AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(
+ ResourcePattern::forClusterResource(), ActionType::inprog);
return isAuthorized ? Status::OK() : Status(ErrorCodes::Unauthorized, "Unauthorized");
}
diff --git a/src/mongo/s/commands/cluster_ftdc_commands.cpp b/src/mongo/s/commands/cluster_ftdc_commands.cpp
index 3b2ac9e0a16..0b41c12fee6 100644
--- a/src/mongo/s/commands/cluster_ftdc_commands.cpp
+++ b/src/mongo/s/commands/cluster_ftdc_commands.cpp
@@ -65,26 +65,27 @@ public:
return false;
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const override {
+ auto* as = AuthorizationSession::get(opCtx->getClient());
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forClusterResource(), ActionType::serverStatus)) {
+ if (!as->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::serverStatus)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forClusterResource(), ActionType::replSetGetStatus)) {
+ if (!as->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::replSetGetStatus)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forClusterResource(), ActionType::connPoolStats)) {
+ if (!as->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::connPoolStats)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
+ if (!as->isAuthorizedForActionsOnResource(
ResourcePattern::forExactNamespace(NamespaceString("local", "oplog.rs")),
ActionType::collStats)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
diff --git a/src/mongo/s/commands/cluster_get_shard_version_cmd.cpp b/src/mongo/s/commands/cluster_get_shard_version_cmd.cpp
index 5b4eebb96b8..8062c712298 100644
--- a/src/mongo/s/commands/cluster_get_shard_version_cmd.cpp
+++ b/src/mongo/s/commands/cluster_get_shard_version_cmd.cpp
@@ -64,12 +64,13 @@ public:
return " example: { getShardVersion : 'alleyinsider.foo' } ";
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forExactNamespace(parseNs({boost::none, dbname}, cmdObj)),
- ActionType::getShardVersion)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName& dbName,
+ const BSONObj& cmdObj) const override {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(
+ ResourcePattern::forExactNamespace(parseNs(dbName, cmdObj)),
+ ActionType::getShardVersion)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
diff --git a/src/mongo/s/commands/cluster_index_filter_cmd.cpp b/src/mongo/s/commands/cluster_index_filter_cmd.cpp
index f58433fbf2e..976508dbd4c 100644
--- a/src/mongo/s/commands/cluster_index_filter_cmd.cpp
+++ b/src/mongo/s/commands/cluster_index_filter_cmd.cpp
@@ -68,11 +68,11 @@ public:
return false;
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const {
- AuthorizationSession* authzSession = AuthorizationSession::get(client);
- ResourcePattern pattern = parseResourcePattern(dbname, cmdObj);
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName& dbName,
+ const BSONObj& cmdObj) const {
+ auto* authzSession = AuthorizationSession::get(opCtx->getClient());
+ ResourcePattern pattern = parseResourcePattern(dbName.db(), cmdObj);
if (authzSession->isAuthorizedForActionsOnResource(pattern,
ActionType::planCacheIndexFilter)) {
diff --git a/src/mongo/s/commands/cluster_list_collections_cmd.cpp b/src/mongo/s/commands/cluster_list_collections_cmd.cpp
index f1be781cf9d..d033660ca5d 100644
--- a/src/mongo/s/commands/cluster_list_collections_cmd.cpp
+++ b/src/mongo/s/commands/cluster_list_collections_cmd.cpp
@@ -209,11 +209,11 @@ public:
return false;
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const final {
- AuthorizationSession* authzSession = AuthorizationSession::get(client);
- return authzSession->checkAuthorizedToListCollections(dbname, cmdObj).getStatus();
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName& dbName,
+ const BSONObj& cmdObj) const final {
+ auto* authzSession = AuthorizationSession::get(opCtx->getClient());
+ return authzSession->checkAuthorizedToListCollections(dbName.db(), cmdObj).getStatus();
}
bool runWithRequestParser(OperationContext* opCtx,
diff --git a/src/mongo/s/commands/cluster_merge_chunks_cmd.cpp b/src/mongo/s/commands/cluster_merge_chunks_cmd.cpp
index 70052f94d45..b318b2e2bd0 100644
--- a/src/mongo/s/commands/cluster_merge_chunks_cmd.cpp
+++ b/src/mongo/s/commands/cluster_merge_chunks_cmd.cpp
@@ -60,12 +60,13 @@ public:
"usage: { mergeChunks : <ns>, bounds : [ <min key>, <max key> ] }";
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forExactNamespace(parseNs({boost::none, dbname}, cmdObj)),
- ActionType::splitChunk)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName& dbName,
+ const BSONObj& cmdObj) const override {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(
+ ResourcePattern::forExactNamespace(parseNs(dbName, cmdObj)),
+ ActionType::splitChunk)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
return Status::OK();
diff --git a/src/mongo/s/commands/cluster_move_primary_cmd.cpp b/src/mongo/s/commands/cluster_move_primary_cmd.cpp
index b39a3f7f23d..661f0821698 100644
--- a/src/mongo/s/commands/cluster_move_primary_cmd.cpp
+++ b/src/mongo/s/commands/cluster_move_primary_cmd.cpp
@@ -70,12 +70,13 @@ public:
return " example: { moveprimary : 'foo' , to : 'localhost:9999' }";
}
- virtual Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forDatabaseName(parseNs({boost::none, dbname}, cmdObj).db()),
- ActionType::moveChunk)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName& dbName,
+ const BSONObj& cmdObj) const {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(
+ ResourcePattern::forDatabaseName(parseNs(dbName, cmdObj).db()),
+ ActionType::moveChunk)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
diff --git a/src/mongo/s/commands/cluster_oplog_note_cmd.cpp b/src/mongo/s/commands/cluster_oplog_note_cmd.cpp
index 12c16f58ffc..4ba10bd0dca 100644
--- a/src/mongo/s/commands/cluster_oplog_note_cmd.cpp
+++ b/src/mongo/s/commands/cluster_oplog_note_cmd.cpp
@@ -72,11 +72,12 @@ public:
return "Performs a no-op entry on the oplog on each shard";
}
- virtual Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forClusterResource(), ActionType::appendOplogNote)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const override {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::appendOplogNote)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
return Status::OK();
diff --git a/src/mongo/s/commands/cluster_plan_cache_clear_cmd.cpp b/src/mongo/s/commands/cluster_plan_cache_clear_cmd.cpp
index 35602bae6d4..338014024c4 100644
--- a/src/mongo/s/commands/cluster_plan_cache_clear_cmd.cpp
+++ b/src/mongo/s/commands/cluster_plan_cache_clear_cmd.cpp
@@ -68,11 +68,11 @@ public:
return CommandHelpers::parseNsCollectionRequired(dbName, cmdObj);
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const {
- AuthorizationSession* authzSession = AuthorizationSession::get(client);
- ResourcePattern pattern = parseResourcePattern(dbname, cmdObj);
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName& dbName,
+ const BSONObj& cmdObj) const {
+ AuthorizationSession* authzSession = AuthorizationSession::get(opCtx->getClient());
+ ResourcePattern pattern = parseResourcePattern(dbName.db(), cmdObj);
if (authzSession->isAuthorizedForActionsOnResource(pattern, ActionType::planCacheWrite)) {
return Status::OK();
diff --git a/src/mongo/s/commands/cluster_remove_shard_from_zone_cmd.cpp b/src/mongo/s/commands/cluster_remove_shard_from_zone_cmd.cpp
index 4b63870523a..9fa3038eaf7 100644
--- a/src/mongo/s/commands/cluster_remove_shard_from_zone_cmd.cpp
+++ b/src/mongo/s/commands/cluster_remove_shard_from_zone_cmd.cpp
@@ -87,10 +87,10 @@ public:
return "removes a shard from the zone";
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const final {
- auto* as = AuthorizationSession::get(client);
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const final {
+ auto* as = AuthorizationSession::get(opCtx->getClient());
if (as->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
ActionType::enableSharding)) {
diff --git a/src/mongo/s/commands/cluster_repair_sharded_collection_chunks_history_cmd.cpp b/src/mongo/s/commands/cluster_repair_sharded_collection_chunks_history_cmd.cpp
index a3b154f0a1c..94483788136 100644
--- a/src/mongo/s/commands/cluster_repair_sharded_collection_chunks_history_cmd.cpp
+++ b/src/mongo/s/commands/cluster_repair_sharded_collection_chunks_history_cmd.cpp
@@ -74,12 +74,13 @@ public:
// The command intentionally uses the permission control of split/mergeChunks since it only
// modifies the contents of chunk entries and increments the collection/shard versions without
// causing any data placement changes
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forExactNamespace(parseNs({boost::none, dbname}, cmdObj)),
- ActionType::splitChunk)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName& dbName,
+ const BSONObj& cmdObj) const override {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(
+ ResourcePattern::forExactNamespace(parseNs(dbName, cmdObj)),
+ ActionType::splitChunk)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
return Status::OK();
diff --git a/src/mongo/s/commands/cluster_repl_set_get_status_cmd.cpp b/src/mongo/s/commands/cluster_repl_set_get_status_cmd.cpp
index 4618c8d6116..96c9d4e73f3 100644
--- a/src/mongo/s/commands/cluster_repl_set_get_status_cmd.cpp
+++ b/src/mongo/s/commands/cluster_repl_set_get_status_cmd.cpp
@@ -57,9 +57,9 @@ public:
return "Not supported through mongos";
}
- virtual Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const {
+ Status checkAuthForOperation(OperationContext*,
+ const DatabaseName&,
+ const BSONObj&) const override {
// Require no auth since this command isn't supported in mongos
return Status::OK();
}
diff --git a/src/mongo/s/commands/cluster_set_free_monitoring_cmd.cpp b/src/mongo/s/commands/cluster_set_free_monitoring_cmd.cpp
index f6f8b03b61a..0e5853aa42b 100644
--- a/src/mongo/s/commands/cluster_set_free_monitoring_cmd.cpp
+++ b/src/mongo/s/commands/cluster_set_free_monitoring_cmd.cpp
@@ -51,11 +51,12 @@ public:
return "setFreeMonitoring command must be run against mongod instances";
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const final {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forClusterResource(), ActionType::setFreeMonitoring)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const final {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::setFreeMonitoring)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
return Status::OK();
diff --git a/src/mongo/s/commands/cluster_shard_collection_cmd.cpp b/src/mongo/s/commands/cluster_shard_collection_cmd.cpp
index 86ccca809e8..9d7b8c22353 100644
--- a/src/mongo/s/commands/cluster_shard_collection_cmd.cpp
+++ b/src/mongo/s/commands/cluster_shard_collection_cmd.cpp
@@ -66,12 +66,13 @@ public:
return "Shard a collection. Requires key. Optional unique.";
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forExactNamespace(parseNs({boost::none, dbname}, cmdObj)),
- ActionType::enableSharding)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName& dbName,
+ const BSONObj& cmdObj) const override {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(
+ ResourcePattern::forExactNamespace(parseNs(dbName, cmdObj)),
+ ActionType::enableSharding)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
diff --git a/src/mongo/s/commands/cluster_split_cmd.cpp b/src/mongo/s/commands/cluster_split_cmd.cpp
index 2b8cf4a8171..dbd4ef0ddfb 100644
--- a/src/mongo/s/commands/cluster_split_cmd.cpp
+++ b/src/mongo/s/commands/cluster_split_cmd.cpp
@@ -112,12 +112,13 @@ public:
" NOTE: this does not move the chunks, it just creates a logical separation.";
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forExactNamespace(parseNs({boost::none, dbname}, cmdObj)),
- ActionType::splitChunk)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName& dbName,
+ const BSONObj& cmdObj) const override {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(
+ ResourcePattern::forExactNamespace(parseNs(dbName, cmdObj)),
+ ActionType::splitChunk)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
return Status::OK();
diff --git a/src/mongo/s/commands/cluster_split_vector_cmd.cpp b/src/mongo/s/commands/cluster_split_vector_cmd.cpp
index 54eb9b6a1fa..7bd4c4eb900 100644
--- a/src/mongo/s/commands/cluster_split_vector_cmd.cpp
+++ b/src/mongo/s/commands/cluster_split_vector_cmd.cpp
@@ -57,12 +57,13 @@ public:
return false;
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const override {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forExactNamespace(parseNs({boost::none, dbname}, cmdObj)),
- ActionType::splitVector)) {
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName& dbName,
+ const BSONObj& cmdObj) const override {
+ if (!AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(
+ ResourcePattern::forExactNamespace(parseNs(dbName, cmdObj)),
+ ActionType::splitVector)) {
return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
return Status::OK();
diff --git a/src/mongo/s/commands/cluster_update_zone_key_range_cmd.cpp b/src/mongo/s/commands/cluster_update_zone_key_range_cmd.cpp
index 197363e9173..eaf3fc21739 100644
--- a/src/mongo/s/commands/cluster_update_zone_key_range_cmd.cpp
+++ b/src/mongo/s/commands/cluster_update_zone_key_range_cmd.cpp
@@ -90,10 +90,10 @@ public:
return "assigns/remove a range of a sharded collection to a zone";
}
- Status checkAuthForCommand(Client* client,
- const std::string& dbname,
- const BSONObj& cmdObj) const final {
- auto* as = AuthorizationSession::get(client);
+ Status checkAuthForOperation(OperationContext* opCtx,
+ const DatabaseName&,
+ const BSONObj&) const final {
+ auto* as = AuthorizationSession::get(opCtx->getClient());
if (as->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
ActionType::enableSharding)) {
View Lorry Controller Status