author | Andy Schwerin <schwerin@10gen.com> | 2013-07-03 14:56:21 -0400 |
---|---|---|
committer | Andy Schwerin <schwerin@10gen.com> | 2013-07-10 13:26:13 -0400 |
commit | d430713c403fa6b065337cf7e480ed70940631ab (patch) | |
tree | 9ab7ffad94b732bfdf0589b4ccfd882990183ebe /src/mongo/db/commands.cpp | |
parent | 290750178aee02a006f730205068fc8cffcb7031 (diff) | |
download | mongo-d430713c403fa6b065337cf7e480ed70940631ab.tar.gz |
SERVER-1891 Consolidate command authorization checking logic.
Diffstat (limited to 'src/mongo/db/commands.cpp')
-rw-r--r-- | src/mongo/db/commands.cpp | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/src/mongo/db/commands.cpp b/src/mongo/db/commands.cpp
index 493f8793644..3ededf1ec93 100644
--- a/src/mongo/db/commands.cpp
+++ b/src/mongo/db/commands.cpp
@@ -209,6 +209,14 @@ namespace mongo {
 return client->getAuthorizationSession()->checkAuthForPrivileges(privileges);
 }
+ void Command::appendCommandStatus(BSONObjBuilder& result, const Status& status) {
+ appendCommandStatus(result, status.isOK(), status.reason());
+ BSONObj tmp = result.asTempObj();
+ if (!status.isOK() && !tmp.hasField("code")) {
+ result.append("code", status.code());
+ }
+ }
+
 void Command::logIfSlow( const Timer& timer, const string& msg ) {
 int ms = timer.millis();
 if ( ms > cmdLine.slowMS ) {
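Review bot: In `appendCommandStatus`, `result.asTempObj()` is taken on every call, including the success path where the `code` check is short-circuited and `tmp` is never read; folding it into the condition, `if (!status.isOK() && !result.asTempObj().hasField("code")) {`, confines the temporary view to the failure path. The guard itself is undocumented, and a comment such as `// The caller may already have appended "code"; avoid a duplicate field.` would state the intent (that a caller can set it first is inferred, not shown in the hunk). Since `status.reason()` is copied verbatim into the reply, the docstring should also say that any Status passed here must carry a reason that is safe to show to the client. The trailing `logIfSlow` context continues outside the hunk.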
@@ -216,6 +224,47 @@ namespace mongo {
 }
 }
+ static Status _checkAuthorizationImpl(Command* c,
+ ClientBasic* client,
+ const std::string& dbname,
+ const BSONObj& cmdObj,
+ bool fromRepl) {
+ if ( c->adminOnly() && ! fromRepl && dbname != "admin" ) {
+ return Status(ErrorCodes::Unauthorized, str::stream() << c->name <<
+ " may only be run against the admin database.");
+ }
+ if (AuthorizationManager::isAuthEnabled()) {
+ Status status = c->checkAuthForCommand(client, dbname, cmdObj);
+ if (status == ErrorCodes::Unauthorized) {
+ return Status(ErrorCodes::Unauthorized,
+ str::stream() << "not authorized on " << dbname <<
+ " to execute command " << cmdObj);
+ }
+ if (!status.isOK()) {
+ return status;
+ }
+ }
+ else if (c->adminOnly() &&
+ c->localHostOnlyIfNoAuth(cmdObj) &&
+ !client->getIsLocalHostConnection()) {
+
+ return Status(ErrorCodes::Unauthorized, str::stream() << c->name <<
+ " must run from localhost when running db without auth");
+ }
+ return Status::OK();
+ }
+
+ Status Command::_checkAuthorization(Command* c,
+ ClientBasic* client,
+ const std::string& dbname,
+ const BSONObj& cmdObj,
+ bool fromRepl) {
+ Status status = _checkAuthorizationImpl(c, client, dbname, cmdObj, fromRepl);
+ if (!status.isOK()) {
+ log() << status << std::endl;
+ }
+ return status;
+ }
 }
 #include "../client/connpool.h" |
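Review bot: The Unauthorized branch of `_checkAuthorizationImpl` streams the entire `cmdObj` into the Status reason, and `_checkAuthorization` then writes that Status to the server log, so every denied command is recorded with all of its fields; the same reason string is presumably what reaches the client through `appendCommandStatus`. Command objects can carry credentials or document contents, and a denial message is not the place to copy them into a log that is usually readable by more people than the database is. Naming the command is enough for an operator to act on: `" to execute command " << c->name);`. The log line would also be more useful for auditing if it identified the connection that was denied, which the Status alone does not; a brief comment on `_checkAuthorization` noting that it logs every failure would warn callers against logging the returned Status a second time.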