author | Sara Golemon <sara.golemon@mongodb.com> | 2021-12-13 18:32:55 +0000 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2021-12-29 17:43:13 +0000 |
commit | fd163ac958a6263a89b55faed127eceff9fea2f0 (patch) | |
tree | 1df62ed2676f33eec8e9305fbedecd5aa51bb9a0 /src/mongo/db/auth/action_type.idl | |
parent | a8305a25b2b5627e42c180279a870c50780df28b (diff) | |
SERVER-61617 Restrict actionType/matchType combinations on serverless
Diffstat (limited to 'src/mongo/db/auth/action_type.idl')
-rw-r--r-- | src/mongo/db/auth/action_type.idl | 183 |
1 files changed, 160 insertions, 23 deletions
diff --git a/src/mongo/db/auth/action_type.idl b/src/mongo/db/auth/action_type.idl index c789cceb004..03e23892083 100644 --- a/src/mongo/db/auth/action_type.idl +++ b/src/mongo/db/auth/action_type.idl @@ -35,6 +35,9 @@ global: cpp_namespace: "mongo" +imports: + - "mongo/idl/basic_types.idl" + enums: ActionType: description: "test" 
@@ -177,29 +180,163 @@ enums: viewUser : "viewUser" applyOps : "applyOps" + # In 'MatchType' the extra_data field "serverlessActionTypes" is used + # by the AuthorizationSession while in multitenancy mode to determine + # whether or not an action is reasonable to be performed by a user + # who has been authorized via security token. + # See: MatchType: - description: "test" + description: Resource Match Types used in describing privilege grants. type: string values: - # Matches no resource. - kMatchNever : "never" - # Matches if the resource is the cluster resource. - kMatchClusterResource : "cluster" - # Matches if the resource's database name is _ns.db(). - kMatchDatabaseName : "database" - # Matches if the resource's collection name is _ns.coll(). - kMatchCollectionName : "collection" - # Matches if the resource's namespace name is _ns. - kMatchExactNamespace : "exact_namespace" - # Matches all databases and non-system collections. - kMatchAnyNormalResource : "any_normal" - # Matches absolutely anything. - kMatchAnyResource : "any" - # Matches a collection named "<db>.system.buckets.<collection>" - kMatchExactSystemBucketResource : "system_buckets" - # Matches a collection named "system.buckets.<collection>" in any db - kMatchSystemBucketInAnyDBResource : "system_buckets_in_any_db" - # Matches any collection with a prefix of "system.buckets." in db - kMatchAnySystemBucketInDBResource : "any_system_buckets_in_db" - # Matches any collection with a prefix of "system.buckets." in any db - kMatchAnySystemBucketResource : "any_system_buckets" + kMatchNever: + description: Bottom type for resource matches, matches nothing. + value: "never" + extra_data: + serverlessActionTypes: [] # Explicitly listing no action types valid. + + # resource: { cluster: true } + kMatchClusterResource: + description: Matches if the resource is the cluster resource. 
+ value: "cluster" + extra_data: + serverlessActionTypes: + - killAnyCursor + - killAnySession + - killCursors + - killop + - listDatabases + + # resource: { db: '', collection: 'exact' } + kMatchCollectionName: + description: Matches if the resource's collection is a particular name. + value: "collection" + extra_data: + serverlessActionTypes: &actionsValidOnCollection + - bypassDocumentValidation + - changeStream + - collMod + - collStats + - convertToCapped + - createCollection + - createIndex + - dbCheck + - dbHash + - dbStats + - dropCollection + - dropIndex + - exportCollection + - find + - importCollection + - insert + - killAnyCursor + - killCursors + - listCollections + - listIndexes + - planCacheRead + - reIndex + - remove + - renameCollection + - renameCollectionSameDB + - update + - validate + + # resource: { db: 'exact', collection: '' } + kMatchDatabaseName: + description: Matches if the resource's database is a particular name. + value: "database" + extra_data: + serverlessActionTypes: &actionsValidOnDatabase + # Actions common to collection patterns. + # YAML doesn't support extending list aliases. + # Make changes above, then copy here. + - bypassDocumentValidation + - changeStream + - collMod + - collStats + - convertToCapped + - createCollection + - createIndex + - dbCheck + - dbHash + - dbStats + - dropCollection + - dropIndex + - exportCollection + - find + - importCollection + - insert + - killAnyCursor + - killCursors + - listCollections + - listIndexes + - planCacheRead + - reIndex + - remove + - renameCollection + - renameCollectionSameDB + - update + - validate + + # Actions specific to the database match types. + - applicationMessage + - dropDatabase + - viewRole + - viewUser + + # resource: { db: 'exact', collection: 'exact' } + kMatchExactNamespace: + description: Matches if the resource is an exact namespace. 
+ value: "exact_namespace" + extra_data: + serverlessActionTypes: *actionsValidOnCollection + + # resource: { db: '', collection: '' } + kMatchAnyNormalResource: + description: Matches all databases and non-system collections. + value: "any_normal" + extra_data: + serverlessActionTypes: *actionsValidOnDatabase + + # resource: { anyResource: true } + kMatchAnyResource: + description: Matches absolutely anything. + value: "any" + extra_data: + serverlessActionTypes: *actionsValidOnDatabase + + # resource: { db: 'exact', system_buckets: 'exact' } + kMatchExactSystemBucketResource: + description: Matches a collection named "<db>.system.buckets.<collection>" + value: "system_buckets" + extra_data: + serverlessActionTypes: *actionsValidOnCollection + + # resource: { db: '', system_buckets: 'exact' } + kMatchSystemBucketInAnyDBResource: + description: Matches a collection named "system.buckets.<collection>" in any db + value: "system_buckets_in_any_db" + extra_data: + serverlessActionTypes: *actionsValidOnCollection + + # resource: { db: 'exact', system_buckets: '' } + kMatchAnySystemBucketInDBResource: + description: Matches any collection with a prefix of "system.buckets." in a specific db + value: "any_system_buckets_in_db" + extra_data: + serverlessActionTypes: *actionsValidOnCollection + + # resource: { db: '', system_buckets: '' } + kMatchAnySystemBucketResource: + description: Matches any collection with a prefix of "system.buckets." in any db + value: "any_system_buckets" + extra_data: + serverlessActionTypes: *actionsValidOnCollection + +structs: + MatchTypeExtraData: + description: Extra data defined in the MatchType enum + fields: + serverlessActionTypes: + description: Permitted action types for the match type when in serverless mode + type: array<string> |
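Review bot: The `actionsValidOnDatabase` sequence is a hand-copied superset of `actionsValidOnCollection` (the comment says "Make changes above, then copy here"), so the two allowlists can silently drift and a security-token user would gain or lose an action on one match type but not the other; a unit test asserting that every entry of `kMatchCollectionName`'s `serverlessActionTypes` also appears in `kMatchDatabaseName`'s would catch that without fighting YAML's lack of sequence merging. Because `MatchTypeExtraData.serverlessActionTypes` is declared `array<string>` rather than a list of `ActionType` values, a misspelled entry is accepted by the IDL compiler and only shows up at runtime as that action never being permitted, so the same test (or a startup check) should also verify that each name parses as an `ActionType`. The new header comment ends with a dangling `# See:`; either name the AuthorizationSession routine that consumes this field or drop the line. Finally, `kMatchClusterResource` keeps `killAnySession` and `killop` available to token-authorized users; whether those are confined to the caller's tenant is decided outside this file, so it is worth confirming that the enforcement side filters by tenant before these cluster-wide actions are allowed in multitenancy mode.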