author | Spencer T Brody <spencer@mongodb.com> | 2015-11-18 17:07:50 -0500 |
---|---|---|
committer | Spencer T Brody <spencer@mongodb.com> | 2015-11-19 23:32:47 -0500 |
commit | 874fc812768718f015e81d6ce7bd2dab9ce14128 (patch) | |
tree | 073e256b8e5f6757155029e74358391d87274318 /src/mongo/db/auth/authz_manager_external_state_local.h | |
parent | 5b3257d526f8217e303609418da1769275f81d03 (diff) | |
SERVER-21486 Redact bypassDocumentValidation from user privilege set when being talked to by a 3.0 mongos
Diffstat (limited to 'src/mongo/db/auth/authz_manager_external_state_local.h')
-rw-r--r-- | src/mongo/db/auth/authz_manager_external_state_local.h | 29 |
1 files changed, 22 insertions, 7 deletions
diff --git a/src/mongo/db/auth/authz_manager_external_state_local.h b/src/mongo/db/auth/authz_manager_external_state_local.h index 536404dcd51..2a43cacd630 100644 --- a/src/mongo/db/auth/authz_manager_external_state_local.h +++ b/src/mongo/db/auth/authz_manager_external_state_local.h @@ -54,13 +54,6 @@ class AuthzManagerExternalStateLocal : public AuthzManagerExternalState { public: virtual ~AuthzManagerExternalStateLocal() = default; - /** - * Takes a user document, and processes it with the RoleGraph, in order to recursively - * resolve roles and add the 'inheritedRoles', 'inheritedPrivileges', - * and 'warnings' fields. - */ - void resolveUserRoles(mutablebson::Document* userDoc, const std::vector<RoleName>& directRoles); - virtual Status initialize(OperationContext* txn); virtual Status getStoredAuthorizationVersion(OperationContext* txn, int* outVersion); 
@@ -132,6 +125,28 @@ private: Status _getRoleDescription_inlock(const RoleName& roleName, bool showPrivileges, BSONObj* result); + + /** + * Takes a user document, and processes it with the RoleGraph, in order to recursively + * resolve roles and add the 'inheritedRoles', 'inheritedPrivileges', + * and 'warnings' fields. + */ + void _resolveUserRoles(OperationContext* txn, + mutablebson::Document* userDoc, + const std::vector<RoleName>& directRoles); + + /** + * Gets the Protocol from 'txn' of the operation being run to determine if it was from + * OP_COMMAND or OP_QUERY. If OP_COMMAND, does nothing. If OP_QUERY, assumes that means it is + * a 3.0 mongos talking to us, and modifies the input PrivilegeVector to remove all references + * to any ActionTypes that didn't exist 3.0. This is because when a 3.0 mongos parses the + * privileges from a user document at authentication time, it skips any privileges containing + * any actions it doesn't know about. See SERVER-2146 for more details. + * TODO(SERVER-21561): Remove this after 3.2 + */ + void _redactPrivilegesForBackwardsCompatibilityIfNeeded(OperationContext* txn, + PrivilegeVector* privileges); + /** * Eventually consistent, in-memory representation of all roles in the system (both * user-defined and built-in). Synchronized via _roleGraphMutex. |
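Review bot: The ticket cited in the new doc comment on `_redactPrivilegesForBackwardsCompatibilityIfNeeded`, "See SERVER-2146 for more details", does not match the ticket in the commit title (SERVER-21486) and looks like a dropped digit; please confirm and fix the reference, and "didn't exist 3.0" should read "didn't exist in 3.0". The same comment would benefit from stating the safety property explicitly, since protocol sniffing is a heuristic: any OP_QUERY caller, not only a 3.0 mongos, will trigger the redaction, and the redaction only ever removes actions from `privileges`, so a misclassified client is reported fewer privileges, never more. Suggested wording to add after the existing description: `* Note: the check is keyed on the wire protocol, so every OP_QUERY client is treated as a 3.0 mongos. The` `* redaction is removal-only; it never adds actions, so a misdetected client can only lose privileges here.` The enclosing class AuthzManagerExternalStateLocal begins and ends outside this hunk.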