authorSpencer T Brody <spencer@10gen.com>2013-09-06 14:12:13 -0400
committerSpencer T Brody <spencer@10gen.com>2013-09-09 11:43:45 -0400
commiteb46cc62a0d6e08e2cabc0862490d76f2833e8b1 (patch)
tree780c981e5ec88f919775bc8d3225c58fc820b503 /src/mongo/db/auth/user.h
parent667648a2d9e97ca0ecf995e89eba75fd3e70a08c (diff)
downloadmongo-eb46cc62a0d6e08e2cabc0862490d76f2833e8b1.tar.gz
SERVER-9518 Store delegatable roles list in User object in memory
Diffstat (limited to 'src/mongo/db/auth/user.h')
-rw-r--r--src/mongo/db/auth/user.h23
1 files changed, 22 insertions, 1 deletions
diff --git a/src/mongo/db/auth/user.h b/src/mongo/db/auth/user.h
index 0e164797d33..f2d3cfbb385 100644
--- a/src/mongo/db/auth/user.h
+++ b/src/mongo/db/auth/user.h
@@ -63,6 +63,16 @@ namespace mongo {
const RoleNameIterator getRoles() const;
/**
+ * Returns an iterator that can be used to get the list of roles this user can delegate.
+ */
+ const RoleNameIterator getDelegatableRoles() const;
+
+ /**
+ * Returns whether or not this user is allowed to delegate the given role.
+ */
+ bool canDelegateRole(const RoleName& role) const;
+
+ /**
* Returns the CredentialData for this user.
*/
const CredentialData& getCredentials() const;
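Review bot: The comment on canDelegateRole leaves the key semantic unstated: whether holding a role (see getRoles()) by itself implies the right to delegate it. Since the last hunk backs this with a separate _delegatableRoles set, the check presumably consults only that set, so a line such as `* Holding a role does not make it delegatable; only roles added via addDelegatableRole() qualify.` would make the least-privilege intent explicit for callers performing authorization checks — confirm against the definition in user.cpp, which is not in this diff. As a style nit, the top-level const on the by-value return in `const RoleNameIterator getDelegatableRoles() const;` is a no-op that mirrors getRoles(); both could drop it in a later cleanup. The enclosing class body starts and ends outside the hunk.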
@@ -109,6 +119,16 @@ namespace mongo {
void addRoles(const std::vector<RoleName>& roles);
/**
+ * Adds the given role name to the list of roles that this user is allowed to delegate.
+ */
+ void addDelegatableRole(const RoleName& role);
+
+ /**
+ * Adds the given role names to the list of roles that this user is allowed to delegate.
+ */
+ void addDelegatableRoles(const std::vector<RoleName>& roles);
+
+ /**
* Adds the given privilege to the list of privileges this user is authorized for.
*/
void addPrivilege(const Privilege& privilege);
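Review bot: Neither addDelegatableRole nor addDelegatableRoles documents that the operation performs no validation — nothing visible here checks that the role exists or that the user holds it, and a repeated add is presumably a no-op if the backing container is the unordered_set shown in the last hunk. A sentence such as `* No validation is performed; the caller must ensure the role is legitimately delegatable by this user.` on the addDelegatableRole comment, with addDelegatableRoles referring to it, would pin that contract, since these mutators feed an authorization decision made by canDelegateRole. The enclosing class body starts and ends outside the hunk.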
@@ -153,7 +173,8 @@ namespace mongo {
// Maps resource name to privilege on that resource
ResourcePrivilegeMap _privileges;
- unordered_set<RoleName> _roles;
+ unordered_set<RoleName> _roles; // Roles the user actually has privileges from
+ unordered_set<RoleName> _delegatableRoles; // Roles the user is allowed to delegate
CredentialData _credentials;