authorSara Golemon <sara.golemon@mongodb.com>2021-10-13 21:04:55 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2021-12-07 00:23:48 +0000
commitd7845457fd30cd1798f70444c2a66d725ab361b4 (patch)
tree335bd948371be032d209a26c564a140b4ea215a4 /src/mongo/db/commands/user_management_commands.cpp
parent4a915072ab5279480305a6023db6671e3f32cfd0 (diff)
downloadmongo-d7845457fd30cd1798f70444c2a66d725ab361b4.tar.gz
SERVER-61615 Parse authenticated user from security token and add to authorization session
Diffstat (limited to 'src/mongo/db/commands/user_management_commands.cpp')
-rw-r--r--src/mongo/db/commands/user_management_commands.cpp25
1 files changed, 18 insertions, 7 deletions
diff --git a/src/mongo/db/commands/user_management_commands.cpp b/src/mongo/db/commands/user_management_commands.cpp
index 199b127126c..178bd5c27f5 100644
--- a/src/mongo/db/commands/user_management_commands.cpp
+++ b/src/mongo/db/commands/user_management_commands.cpp
@@ -206,6 +206,16 @@ Status checkOkayToGrantPrivilegesToRole(const RoleName& role, const PrivilegeVec
return Status::OK();
}
+// Temporary placeholder pending availability of NamespaceWithTenant.
+NamespaceString getNamespaceWithTenant(const NamespaceString& nss,
+ const boost::optional<OID>& tenant) {
+ if (tenant) {
+ return NamespaceString(str::stream() << tenant.get() << '_' << nss.db(), nss.coll());
+ } else {
+ return nss;
+ }
+}
+
/**
* Finds all documents matching "query" in "collectionName". For each document returned,
* calls the function resultProcessor on it.
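Review bot: The placeholder `getNamespaceWithTenant` on L25–L32 derives the tenant-scoped database name by plain concatenation, `<tenantOID>_<db>`, and the one-line comment on L24 neither states that format nor says which work item retires the placeholder, so a later reader cannot tell whether the spelling is load-bearing. I would expand the comment to `// Temporary placeholder pending NamespaceWithTenant (see the tracking ticket): a tenant-scoped namespace is spelled "<tenantOID>_<db>.<coll>"; readers of the users collection must apply the same mapping.` The isolation property only holds if every path that reads `system.users` uses the identical prefix, which this hunk (write side only) cannot show. As a matter of style, the `else` after the `return` on L28 is redundant; `return tenant ? NamespaceString(...) : nss;` reads more directly.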
@@ -439,9 +449,11 @@ Status removeRoleDocuments(OperationContext* opCtx,
/**
* Creates the given user object in the given database.
*/
-Status insertPrivilegeDocument(OperationContext* opCtx, const BSONObj& userObj) {
- Status status =
- insertAuthzDocument(opCtx, AuthorizationManager::usersCollectionNamespace, userObj);
+Status insertPrivilegeDocument(OperationContext* opCtx,
+ const BSONObj& userObj,
+ const boost::optional<OID>& tenant = boost::none) {
+ auto nss = getNamespaceWithTenant(AuthorizationManager::usersCollectionNamespace, tenant);
+ Status status = insertAuthzDocument(opCtx, nss, userObj);
if (status.isOK()) {
return status;
}
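Review bot: The defaulted `tenant = boost::none` on L46 means any caller of `insertPrivilegeDocument` that is not updated keeps writing into the global `admin.system.users`, so a missed call site silently stores a tenant's user outside its tenant namespace instead of failing to compile. Because the tenant prefix is an isolation boundary, I would drop the default — `const boost::optional<OID>& tenant` — and pass `boost::none` explicitly at the call sites where a global user is intended, making every choice visible in review. The remainder of the function (the non-OK status handling) continues past the end of the hunk.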
@@ -1005,7 +1017,7 @@ void CmdUMCTyped<CreateUserCommand>::Invocation::typedRun(OperationContext* opCt
uassert(ErrorCodes::BadValue,
"Username cannot contain NULL characters",
cmd.getCommandParameter().find('\0') == std::string::npos);
- UserName userName(cmd.getCommandParameter(), dbname);
+ UserName userName(cmd.getCommandParameter(), dbname, cmd.getTenantOverride());
uassert(ErrorCodes::BadValue,
"Must provide a 'pwd' field for all user documents, except those"
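Review bot: The tenant placed into `userName` on L57 comes from `cmd.getTenantOverride()`, a field of the createUser command itself, and nothing in this hunk checks that the caller is permitted to name a tenant or that it agrees with the tenant the commit message says is now parsed from the security token into the authorization session. If that check lives in the IDL definition or in the command's authorization hook, a one-line comment above L57 pointing at it would save the next reader the search; if it does not, an explicit `uassert(ErrorCodes::Unauthorized, ...)` rejecting a tenant override from a caller without the corresponding privilege is needed before the UserName is built, since otherwise a client could create users in another tenant's namespace. `typedRun` starts before and continues after this hunk, so the check may exist outside the visible lines.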
@@ -1042,8 +1054,7 @@ void CmdUMCTyped<CreateUserCommand>::Invocation::typedRun(OperationContext* opCt
BSONObjBuilder userObjBuilder;
userObjBuilder.append("_id", userName.getUnambiguousName());
UUID::gen().appendToBuilder(&userObjBuilder, AuthorizationManager::USERID_FIELD_NAME);
- userObjBuilder.append(AuthorizationManager::USER_NAME_FIELD_NAME, userName.getUser());
- userObjBuilder.append(AuthorizationManager::USER_DB_FIELD_NAME, userName.getDB());
+ userName.appendToBSON(&userObjBuilder);
auto* serviceContext = opCtx->getClient()->getServiceContext();
auto* authzManager = AuthorizationManager::get(serviceContext);
@@ -1089,7 +1100,7 @@ void CmdUMCTyped<CreateUserCommand>::Invocation::typedRun(OperationContext* opCt
authRestrictionsArray);
// Must invalidate even on bad status
- auto status = insertPrivilegeDocument(opCtx, userObj);
+ auto status = insertPrivilegeDocument(opCtx, userObj, userName.getTenant());
authzManager->invalidateUserByName(opCtx, userName);
uassertStatusOK(status);
}
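Review bot: `authzManager->invalidateUserByName(opCtx, userName)` on L74 now receives a UserName that carries a tenant, but whether the user cache keys entries on the tenant as well as on user and db is not visible here; if it does not, a cached `alice@admin` belonging to one tenant could be invalidated by, or served to, another. A comment on the invalidation line stating that the cache key includes the tenant (or naming the follow-up that adds it) would make the isolation assumption explicit, e.g. `// Cache entries are keyed on (user, db, tenant); invalidating by the tenant-qualified name cannot affect other tenants.` — only if that is in fact true of the cache. The enclosing `typedRun` begins before this hunk.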