authorAndy Schwerin <schwerin@10gen.com>2013-09-19 15:46:08 -0400
committerAndy Schwerin <schwerin@10gen.com>2013-09-26 14:33:43 -0400
commit3bc344db791e74f378880fd4ccd2ea045ba238f9 (patch)
tree206ad9c8fd4e5d3fcbfa67f981d7c360aecb5983 /src/mongo/db/auth/privilege.h
parent25d5d2ae7c22267d942532de72109d3d7bf67a8c (diff)
downloadmongo-3bc344db791e74f378880fd4ccd2ea045ba238f9.tar.gz
SERVER-1105 Update AuthorizationSession's logic for collection-level access control.
Also requires changing the privileges of the built-in roles. This patch takes the opportunity to remove the 2.2-style read-only roles in favor of the 2.4-style "read" and "readAnyDatabase" roles, and renames the 2.2-style read-write roles to "dbOwner" and "root". The "root" name, at least, is subject to change prior to the next unstable release. Test harnesses are updated as needed to use the correct built-in roles.
Diffstat (limited to 'src/mongo/db/auth/privilege.h')
-rw-r--r--src/mongo/db/auth/privilege.h14
1 files changed, 12 insertions, 2 deletions
diff --git a/src/mongo/db/auth/privilege.h b/src/mongo/db/auth/privilege.h
index dda2aca6c09..710e18e6be8 100644
--- a/src/mongo/db/auth/privilege.h
+++ b/src/mongo/db/auth/privilege.h
@@ -24,11 +24,23 @@
namespace mongo {
+ class Privilege;
+ typedef std::vector<Privilege> PrivilegeVector;
+
/**
* A representation of the permission to perform a set of actions on a resource.
*/
class Privilege {
public:
+ /**
+ * Adds "privilegeToAdd" to "privileges", de-duping "privilegeToAdd" if the vector already
+ * contains a privilege on the same resource.
+ *
+ * This method is the preferred way to add privileges to privilege vectors.
+ */
+ static void addPrivilegeToPrivilegeVector(PrivilegeVector* privileges,
+ const Privilege& privilegeToAdd);
+
Privilege() {};
Privilege(const ResourcePattern& resource, const ActionType& action);
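Review bot: The doc comment on `addPrivilegeToPrivilegeVector` says the new privilege is "de-duped" when the resource is already present, but it does not say what happens to the actions it carries, and for access-control code that contract should be explicit. If the implementation (not visible in this hunk) unions the actions into the existing entry, say so, e.g. `If "privileges" already holds an entry for the same resource, the actions of "privilegeToAdd" are merged into that entry instead of appending a second one.` Because `PrivilegeVector` is still a plain `std::vector<Privilege>` typedef, callers can bypass this helper with `push_back`, so the comment should also state whether consumers of the vector rely on at most one entry per resource. It would also help to document that `privileges` must be non-null. The class body continues outside the hunk.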
@@ -53,6 +65,4 @@ namespace mongo {
ActionSet _actions; // bitmask of actions this privilege grants
};
- typedef std::vector<Privilege> PrivilegeVector;
-
} // namespace mongo