author | Sara Golemon <sara.golemon@mongodb.com> | 2017-07-20 10:18:45 -0400 |
---|---|---|
committer | Sara Golemon <sara.golemon@mongodb.com> | 2017-07-23 14:20:02 -0400 |
commit | e0ab50638e7a140211cf95c8f260d5a088954252 (patch) | |
tree | d64e7d8746ebecca41f71e87ba5c6c960ad249da /src/mongo/db/auth/role_graph.h | |
parent | c21b84207ef98fc853cc3d0bc138b46a44c4940a (diff) | |
download | mongo-e0ab50638e7a140211cf95c8f260d5a088954252.tar.gz |
SERVER-29184 Update RoleGraph to propagate restrictions via subordinates
Diffstat (limited to 'src/mongo/db/auth/role_graph.h')
-rw-r--r-- | src/mongo/db/auth/role_graph.h | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/src/mongo/db/auth/role_graph.h b/src/mongo/db/auth/role_graph.h
index 5ce151b6928..6eae09223da 100644
--- a/src/mongo/db/auth/role_graph.h
+++ b/src/mongo/db/auth/role_graph.h
@@ -138,6 +138,16 @@ public:
 }
 /**
+ * Returns a vector of all restriction documents that the given role contains.
+ * This includes both the restrictions set on this role directly,
+ * as well as any restrictions inherited from the role's subordinate roles.
+ */
+ const std::vector<SharedRestrictionDocument>& getAllAuthenticationRestrictions(
+ const RoleName& role) {
+ return _allRestrictionsForRole[role];
+ }
+
+ /**
 * Returns whether or not the given role exists in the role graph. Will implicitly
 * add the role to the graph if it is a built-in role and isn't already in the graph.
 */
@@ -324,6 +334,9 @@ private:
 // Maps a role name to a restriction document.
 using RestrictionDocumentMap = stdx::unordered_map<RoleName, SharedRestrictionDocument>;
+ // Maps a role name to all restriction documents from self and subordinates.
+ using RestrictionDocumentsMap =
+ stdx::unordered_map<RoleName, std::vector<SharedRestrictionDocument>>;
 EdgeSet _roleToSubordinates;
 unordered_map<RoleName, unordered_set<RoleName>> _roleToIndirectSubordinates;
@@ -331,6 +344,7 @@ private:
 RolePrivilegeMap _directPrivilegesForRole;
 RolePrivilegeMap _allPrivilegesForRole;
 RestrictionDocumentMap _directRestrictionsForRole;
+ RestrictionDocumentsMap _allRestrictionsForRole;
 std::set<RoleName> _allRoles;
 }; |
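Review bot: In the first hunk, `getAllAuthenticationRestrictions` reads the cache with `_allRestrictionsForRole[role]`, and, assuming `stdx::unordered_map` behaves like `std::unordered_map`, `operator[]` inserts an empty vector for any name that is not already a key. A lookup for a role that is unknown or not yet recomputed therefore mutates the graph and returns an empty list that the caller cannot distinguish from a role that carries no restrictions; for authentication restrictions that ambiguity fails open. I would use a non-inserting lookup, `auto it = _allRestrictionsForRole.find(role);` followed by `return it == _allRestrictionsForRole.end() ? kNoRestrictions : it->second;` (with `kNoRestrictions` a function-local static empty vector, name constructed here), which would also let the accessor be `const`. The doc comment should state the precondition as well, for example `* The role must already exist in the graph; an empty result for an unknown role does not mean "unrestricted".`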
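Review bot: In the second hunk, the new alias `RestrictionDocumentsMap` differs from the existing `RestrictionDocumentMap` by a single letter, so the two are easy to confuse when reading or editing the member declarations. One holds a single document per role and the other a vector of documents, and picking the wrong one in code that enforces restrictions would likely still compile in some contexts (for example with `auto`). A name that carries the difference would be clearer, for example `using RestrictionDocumentVectorMap =` for the new alias.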
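Review bot: In the third hunk, `_allRestrictionsForRole` is added without a comment saying that it is derived state, unlike `_directRestrictionsForRole`, which holds the source data. This page is limited to the header, so it does not show whether the map is rebuilt or erased wherever roles, edges or direct restrictions change, nor whether the class's copy and swap paths carry it along. A stale entry here would leave a role enforcing an outdated restriction set. I would add a comment on the member, `// Cache of direct + subordinate restrictions per role; must be rebuilt whenever roles, edges or direct restrictions change.`, and confirm those code paths in the implementation file.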