author | Andy Schwerin <schwerin@10gen.com> | 2013-09-20 10:36:01 -0400 |
---|---|---|
committer | Andy Schwerin <schwerin@10gen.com> | 2013-09-23 16:20:12 -0400 |
commit | a7f7c028c4cdda1ab0939c6c7788bb39bd94cc5f (patch) | |
tree | 270b9930bff0f280252850cd90ef0bf8e7de0a17 /src/mongo/db/clientcursor.cpp | |
parent | 234f50a33cd6d2a2e0a30c4b1bddb1c7de176799 (diff) | |
download | mongo-a7f7c028c4cdda1ab0939c6c7788bb39bd94cc5f.tar.gz |
SERVER-1105 Use ResourcePattern type when identifying the resource component of required privileges.
This patch has two principal components. First, it changes the interface to Privilege and
AuthorizationSession to use ResourcePattern in place of std::string for identifying resources.
Second, it examines all call sites of the authorization session interface in commands and
other code to ensure that the correct resource requirements are conveyed to the authorization_session.
Diffstat (limited to 'src/mongo/db/clientcursor.cpp')
-rw-r--r-- | src/mongo/db/clientcursor.cpp | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/src/mongo/db/clientcursor.cpp b/src/mongo/db/clientcursor.cpp
index edfa10658b1..22d04a5ebad 100644
--- a/src/mongo/db/clientcursor.cpp
+++ b/src/mongo/db/clientcursor.cpp
@@ -629,27 +629,27 @@ namespace mongo {
 }
 bool ClientCursor::eraseIfAuthorized(CursorId id) {
- std::string ns;
+ NamespaceString ns;
 {
 recursive_scoped_lock lock(ccmutex);
 ClientCursor* cursor = find_inlock(id);
 if (!cursor) {
 audit::logKillCursorsAuthzCheck(
 &cc(),
- NamespaceString(""),
+ NamespaceString(),
 id,
 ErrorCodes::CursorNotFound);
 return false;
 }
- ns = cursor->ns();
+ ns = NamespaceString(cursor->ns());
 }
 // Can't be in a lock when checking authorization
- const bool isAuthorized = cc().getAuthorizationSession()->checkAuthorization(
+ const bool isAuthorized = cc().getAuthorizationSession()->isAuthorizedForActionsOnNamespace(
 ns, ActionType::killCursors);
 audit::logKillCursorsAuthzCheck(
 &cc(),
- NamespaceString(ns),
+ ns,
 id,
 isAuthorized ? ErrorCodes::OK : ErrorCodes::Unauthorized);
 if (!isAuthorized) {
@@ -665,7 +665,7 @@ namespace mongo {
 // Cursor was deleted in another thread since we found it earlier in this function.
 return false;
 }
- if (cursor->ns() != ns) {
+ if (ns != cursor->ns()) {
 warning() << "Cursor namespace changed. Previous ns: " << ns << ", current ns: " << cursor->ns() << endl;
 return false;
@@ -1009,7 +1009,7 @@ namespace mongo {
 std::vector<Privilege>* out) {
 ActionSet actions;
 actions.addAction(ActionType::cursorInfo);
- out->push_back(Privilege(AuthorizationManager::SERVER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
 }
 bool run(const string& dbname, BSONObj& jsobj, int, string& errmsg, BSONObjBuilder& result, bool fromRepl ) { |
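Review bot: In the first hunk (`@@ -629,27`), `eraseIfAuthorized` has no comment above its signature, and it returns a bare `false` both when the cursor id is unknown and when the client lacks `killCursors` on the cursor's namespace; only the audit record distinguishes the two. A header comment such as `// Returns true only if the cursor existed, the client was authorized for killCursors on its namespace, and the cursor was erased; every other outcome returns false.` would make that contract explicit for callers. The function body continues past the end of this hunk, so its later `false` paths are only partly visible here.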
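Review bot: In the second hunk (`@@ -665,7`), `if (ns != cursor->ns())` is the check that ties the authorization decision made outside `ccmutex` to the cursor that is actually erased, but nothing at that line says so. The two operands now also have different types: the first hunk has to wrap `cursor->ns()` in `NamespaceString(...)` to assign it, so it presumably returns a string. I would write the test as `if (ns != NamespaceString(cursor->ns())) {` so this comparison does not depend on an implicit conversion or a mixed-type overload. Above it I would add `// Authorization was checked against 'ns' without the lock held; refuse to erase if this id now names a cursor on another namespace.` The enclosing block starts before this hunk and ends after it.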