diff options
author | Kyle Suarez <kyle.suarez@mongodb.com> | 2016-08-25 08:51:25 -0400 |
---|---|---|
committer | Kyle Suarez <kyle.suarez@mongodb.com> | 2016-08-25 08:51:25 -0400 |
commit | 15050f49369d8972ae87444df760e78996309fdc (patch) | |
tree | e61995e80f02816baa62ec8f80abb31fe2c645b0 /src/mongo/db/auth/authorization_session.h | |
parent | 73ccc56a58ed5a8253e5859e4f528c7dad451831 (diff) | |
download | mongo-15050f49369d8972ae87444df760e78996309fdc.tar.gz |
SERVER-25738 authz for views for sharded create/collMod
Merges authz checks for create, collMod and aggregate into AuthorizationSession.
Diffstat (limited to 'src/mongo/db/auth/authorization_session.h')
-rw-r--r-- | src/mongo/db/auth/authorization_session.h | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/src/mongo/db/auth/authorization_session.h b/src/mongo/db/auth/authorization_session.h index f2e6fd0c91c..3e75e0ed381 100644 --- a/src/mongo/db/auth/authorization_session.h +++ b/src/mongo/db/auth/authorization_session.h @@ -174,6 +174,25 @@ public: // identifier. Status checkAuthForKillCursors(const NamespaceString& ns, long long cursorID); + // Checks if this connection has the privileges necessary to run the aggregation pipeline + // specified in 'cmdObj' on the namespace 'ns'. + Status checkAuthForAggregate(const NamespaceString& ns, const BSONObj& cmdObj); + + // Checks if this connection has the privileges necessary to create 'ns' with the options + // supplied in 'cmdObj'. + Status checkAuthForCreate(const NamespaceString& ns, const BSONObj& cmdObj); + + // Checks if this connection has the privileges necessary to modify 'ns' with the options + // supplied in 'cmdObj'. + Status checkAuthForCollMod(const NamespaceString& ns, const BSONObj& cmdObj); + + // Checks if this connection has the privileges necessary to create or modify the view 'ns'. + // Call this function after verifying that the user has the 'createCollection' or 'collMod' + // action, respectively. + // + // 'cmdObj' must have a String field named 'viewOn'. + Status checkAuthForCreateOrModifyView(const NamespaceString& ns, const BSONObj& cmdObj); + // Checks if this connection has the privileges necessary to grant the given privilege // to a role. Status checkAuthorizedToGrantPrivilege(const Privilege& privilege); @@ -274,6 +293,13 @@ private: // lock on the admin database (to update out-of-date user privilege information). bool _isAuthorizedForPrivilege(const Privilege& privilege); + // Helper for recursively checking for privileges in an aggregation pipeline. + void _addPrivilegesForStage(const std::string& db, + const BSONObj& cmdObj, + PrivilegeVector* requiredPrivileges, + BSONObj stageSpec, + bool haveRecursed = false); + std::unique_ptr<AuthzSessionExternalState> _externalState; // All Users who have been authenticated on this connection. |