authorAndy Schwerin <schwerin@10gen.com>2013-10-25 14:17:44 -0400
committerAndy Schwerin <schwerin@10gen.com>2013-10-25 15:10:43 -0400
commitea84e033a8c61d492e322cd7de69331aa09058d9 (patch)
treef367e642af896e8b2463f6816c3c49279140cba6 /src/mongo/db/auth/user.h
parent5ab631f4f4e64d8c336474f42d61a87d547804ef (diff)
downloadmongo-ea84e033a8c61d492e322cd7de69331aa09058d9.tar.gz
SERVER-9516 Support schemaV24 users, for use prior to auth schema upgrade.
To enable this support, one must change the _version field when constructing the AuthorizationManager, which is not possible in this change set. A separate change will introduce proper version detection and writing of admin.system.version, at which point this functionality can be enabled.
Diffstat (limited to 'src/mongo/db/auth/user.h')
-rw-r--r--src/mongo/db/auth/user.h38
1 files changed, 36 insertions, 2 deletions
diff --git a/src/mongo/db/auth/user.h b/src/mongo/db/auth/user.h
index 2964d373cc8..f34649fe26e 100644
--- a/src/mongo/db/auth/user.h
+++ b/src/mongo/db/auth/user.h
@@ -87,6 +87,19 @@ namespace mongo {
const ActionSet getActionsForResource(const ResourcePattern& resource) const;
/**
+ * Gets the schema version of user documents used to build this user. See comment on
+ * _schemaVersion field, below.
+ */
+ int getSchemaVersion() const { return _schemaVersion; }
+
+ /**
+ * Returns true if this user object, generated from V1-schema user documents,
+ * has been probed for privileges on database "dbname", according to the V1
+ * implicit privilge acquisition rules.
+ */
+ bool hasProbedV1(const StringData& dbname) const;
+
+ /**
* Returns true if this copy of information about this user is still valid. If this returns
* false, this object should no longer be used and should be returned to the
* AuthorizationManager and a new User object for this user should be requested.
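Review bot: The doc comment on `hasProbedV1` does not say what the method returns for a user whose `getSchemaVersion()` is 2, and a caller deciding whether to run the V1 implicit-privilege probe needs that stated. I would add a sentence such as `Must only be called on users whose getSchemaVersion() is 1; the result is not meaningful for V2-schema users.`, adjusted to whatever the implementation actually guarantees. The same comment misspells "privilege" as "privilge", as does the `markProbedV1` comment in the next hunk.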
@@ -143,6 +156,19 @@ namespace mongo {
void addPrivileges(const PrivilegeVector& privileges);
/**
+ * Sets the schema version of documents used for building this user to 1, for V1 and V0
+ * documents. The default value is 2, for V2 documents.
+ */
+ void setSchemaVersion1();
+
+ /**
+ * Marks that this user object, generated from V1-schema user documents,
+ * has been probed for privileges on database "dbname", according to the V1
+ * implicit privilge acquisition rules.
+ */
+ void markProbedV1(const StringData& dbname);
+
+ /**
* Marks this instance of the User object as invalid, most likely because information about
* the user has been updated and needs to be reloaded from the AuthorizationManager.
*
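Review bot: `markProbedV1` mutates per-user state, but its comment does not say which lock or phase makes that safe, while `hasProbedV1` in the first hunk reads the same state through a `const` method. The existing field comments say `_refCount` is guarded by the AuthorizationManager's `_lock` and that `_isValid` can be read by any consumer, so User objects appear to be shared across threads. If so, an unsynchronized write to the probed-database list racing with a read would be undefined behaviour on a path that decides privileges. I would document the requirement on both methods, for example `Caller must hold the AuthorizationManager's lock.`, or state that they are only called before the User is handed out, whichever matches the implementation. `setSchemaVersion1` could also note that it is one-way: there is no call to set the version back to 2.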
@@ -167,7 +193,6 @@ namespace mongo {
*/
void decrementRefCount();
-
private:
UserName _name;
@@ -178,15 +203,24 @@ namespace mongo {
// Roles the user has privileges from
unordered_set<RoleName> _roles;
+ // List of databases already probed for privilege information for this user. Only
+ // meaningful for V1-schema users.
+ std::vector<std::string> _probedDatabases;
+
+ // Credential information.
CredentialData _credentials;
+ // Schema version of user documents used to build this user. Valid values are 1 (for V1 and
+ // V0 documents) and 2 (for V2 documents). We need this information because the V1 and V0
+ // users need to do extra probing when checking for privileges. See
+ // AuthorizationManager::updateV1UserForResource(). Defaults to 2.
+ int _schemaVersion;
// _refCount and _isInvalidated are modified exclusively by the AuthorizationManager
// _isInvalidated can be read by any consumer of User, but _refCount can only be
// meaningfully read by the AuthorizationManager, as _refCount is guarded by the AM's _lock
uint32_t _refCount;
AtomicUInt32 _isValid; // Using as a boolean
-
};
} // namespace mongo
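Review bot: `_schemaVersion` is a plain `int` whose comment says it "Defaults to 2", but nothing in this header enforces that, and the constructor that must initialise it lies outside this diff, which is limited to user.h. Since the value selects whether the V1 probing path runs during privilege checks, an indeterminate value, or any value other than 1 or 2, silently changes an authorization decision. I would confirm that every User constructor and any copy path set it explicitly. Replacing the bare 1 and 2 with named constants or a two-value enum would let `getSchemaVersion()` callers compare against names instead of literals. The comment on `_probedDatabases` should also state who may modify it, in the same way the `_refCount` comment below it does.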