diff options
author | Spencer T Brody <spencer@10gen.com> | 2013-10-25 15:03:59 -0400 |
---|---|---|
committer | Spencer T Brody <spencer@10gen.com> | 2013-10-28 14:57:51 -0400 |
commit | 0e35f9154fe51586d4bbc30267772a664b8df907 (patch) | |
tree | ea957c71863f019d40933c3561e593aac67f24e0 /src/mongo/db/commands/rename_collection_common.cpp | |
parent | 38b665b22722ab442a9c022b54558e3cd7a9b84f (diff) | |
download | mongo-0e35f9154fe51586d4bbc30267772a664b8df907.tar.gz |
SERVER-8213 Make copyDB and clone work with auth when using new-style users
Diffstat (limited to 'src/mongo/db/commands/rename_collection_common.cpp')
-rw-r--r-- | src/mongo/db/commands/rename_collection_common.cpp | 59 |
1 files changed, 42 insertions, 17 deletions
diff --git a/src/mongo/db/commands/rename_collection_common.cpp b/src/mongo/db/commands/rename_collection_common.cpp index 33931b19547..fca7c97ba7f 100644 --- a/src/mongo/db/commands/rename_collection_common.cpp +++ b/src/mongo/db/commands/rename_collection_common.cpp @@ -33,35 +33,60 @@ #include "mongo/db/auth/action_set.h" #include "mongo/db/auth/action_type.h" +#include "mongo/db/auth/authorization_session.h" #include "mongo/db/auth/privilege.h" +#include "mongo/db/client_basic.h" #include "mongo/db/jsobj.h" #include "mongo/db/namespace_string.h" namespace mongo { namespace rename_collection { - void addPrivilegesRequiredForRenameCollection(const BSONObj& cmdObj, - std::vector<Privilege>* out) { + Status checkAuthForRenameCollectionCommand(ClientBasic* client, + const std::string& dbname, + const BSONObj& cmdObj) { NamespaceString sourceNS = NamespaceString(cmdObj.getStringField("renameCollection")); NamespaceString targetNS = NamespaceString(cmdObj.getStringField("to")); - uassert(17140, "Invalid source namespace " + sourceNS.ns(), sourceNS.isValid()); - uassert(17141, "Invalid target namespace " + targetNS.ns(), targetNS.isValid()); - ActionSet sourceActions; - ActionSet targetActions; + bool dropTarget = cmdObj["dropTarget"].trueValue(); - if (sourceNS.db() == targetNS.db()) { - sourceActions.addAction(ActionType::renameCollectionSameDB); - targetActions.addAction(ActionType::renameCollectionSameDB); - } else { - sourceActions.addAction(ActionType::cloneCollectionLocalSource); - sourceActions.addAction(ActionType::dropCollection); - targetActions.addAction(ActionType::createCollection); - targetActions.addAction(ActionType::cloneCollectionTarget); - targetActions.addAction(ActionType::createIndex); + if (sourceNS.db() == targetNS.db() && !sourceNS.isSystem() && !targetNS.isSystem()) { + bool authed1 = client->getAuthorizationSession()->isAuthorizedForActionsOnResource( + ResourcePattern::forDatabaseName(sourceNS.db()), + ActionType::renameCollectionSameDB); + + bool authed2 = true; + if (dropTarget) { + authed2 = client->getAuthorizationSession()->isAuthorizedForActionsOnResource( + ResourcePattern::forExactNamespace(targetNS), ActionType::dropCollection); + } + + if (authed1 && authed2) { + return Status::OK(); + } + } + + // Check privileges on source collection + ActionSet actions; + actions.addAction(ActionType::find); + actions.addAction(ActionType::dropCollection); + if (!client->getAuthorizationSession()->isAuthorizedForActionsOnResource( + ResourcePattern::forExactNamespace(sourceNS), actions)) { + return Status(ErrorCodes::Unauthorized, "Unauthorized"); + } + + // Check privileges on dest collection + actions.removeAllActions(); + actions.addAction(ActionType::insert); + actions.addAction(ActionType::createIndex); + if (dropTarget) { + actions.addAction(ActionType::dropCollection); + } + if (!client->getAuthorizationSession()->isAuthorizedForActionsOnResource( + ResourcePattern::forExactNamespace(targetNS), actions)) { + return Status(ErrorCodes::Unauthorized, "Unauthorized"); } - out->push_back(Privilege(ResourcePattern::forExactNamespace(sourceNS), sourceActions)); - out->push_back(Privilege(ResourcePattern::forExactNamespace(targetNS), targetActions)); + return Status::OK(); } } // namespace rename_collection |