author | Spencer Jackson <spencer.jackson@mongodb.com> | 2017-10-04 15:18:07 -0400 |
---|---|---|
committer | Spencer Jackson <spencer.jackson@mongodb.com> | 2017-10-09 17:25:18 -0400 |
commit | 893d4efbdfc7d536d7b6c44a9cb31dcdb7f8fd20 (patch) | |
tree | 9c9b81be8592744c0779428a86db7bcdadf75972 /src/mongo/db | |
parent | 574f5ae3d799ff2ba551200157495104ad697e96 (diff) | |
SERVER-31389: Make an ActionType for manipulating authentication restrictions
Diffstat (limited to 'src/mongo/db')
-rw-r--r-- | src/mongo/db/auth/action_types.txt | 1 | ||||
-rw-r--r-- | src/mongo/db/auth/role_graph_builtin_roles.cpp | 1 | ||||
-rw-r--r-- | src/mongo/db/commands/user_management_commands_common.cpp | 64 |
3 files changed, 62 insertions, 4 deletions
diff --git a/src/mongo/db/auth/action_types.txt b/src/mongo/db/auth/action_types.txt
index d037cc255ae..45eedf4312f 100644
--- a/src/mongo/db/auth/action_types.txt
+++ b/src/mongo/db/auth/action_types.txt
@@ -98,6 +98,7 @@
 "revokeRolesFromRole", # Not used for permissions checks, but to id the event in logs.
 "revokeRolesFromUser", # Not used for permissions checks, but to id the event in logs.
 "serverStatus",
+"setAuthenticationRestriction",
 "setParameter",
 "shardCollection", # Not used for permissions checks, but to id the event in logs.
 "shardingState",
diff --git a/src/mongo/db/auth/role_graph_builtin_roles.cpp b/src/mongo/db/auth/role_graph_builtin_roles.cpp
index 018f8dffb96..c466f334c72 100644
--- a/src/mongo/db/auth/role_graph_builtin_roles.cpp
+++ b/src/mongo/db/auth/role_graph_builtin_roles.cpp
@@ -149,6 +149,7 @@ MONGO_INITIALIZER(AuthorizationBuiltinRoles)(InitializerContext* context) {
 << ActionType::dropRole
 << ActionType::grantRole
 << ActionType::revokeRole
+ << ActionType::setAuthenticationRestriction
 << ActionType::viewUser
 << ActionType::viewRole;
 
diff --git a/src/mongo/db/commands/user_management_commands_common.cpp b/src/mongo/db/commands/user_management_commands_common.cpp
index 608719e0341..09a110b9051 100644
--- a/src/mongo/db/commands/user_management_commands_common.cpp
+++ b/src/mongo/db/commands/user_management_commands_common.cpp
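Review bot: In role_graph_builtin_roles.cpp the action set that receives `ActionType::setAuthenticationRestriction` is named outside the hunk, so the diff does not show which built-in role gains it; from the neighbouring entries (`grantRole`, `revokeRole`, `viewUser`) it is presumably the user-administration set. Every principal already holding that role gains the new action on upgrade, while custom roles assembled from explicit actions do not and will be refused by the new checks in user_management_commands_common.cpp whenever a command carries restrictions. A one-line comment above the entry, such as `// Required to set authenticationRestrictions on users and roles`, plus a sentence in the commit description, would make that visible. The initializer body starts and ends outside the hunk.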
@@ -110,6 +110,20 @@ Status checkAuthorizedToRevokePrivileges(AuthorizationSession* authzSession,
 return Status::OK();
 }
 
+Status checkAuthorizedToSetRestrictions(AuthorizationSession* authzSession,
+ bool hasAuthRestriction,
+ StringData dbname) {
+ if (hasAuthRestriction) {
+ if (!authzSession->isAuthorizedForActionsOnResource(
+ ResourcePattern::forDatabaseName(dbname),
+ ActionType::setAuthenticationRestriction)) {
+ return Status(ErrorCodes::Unauthorized, "Unauthorized");
+ }
+ }
+
+ return Status::OK();
+}
+
 Status checkAuthForCreateUserCommand(Client* client,
 const std::string& dbname,
 const BSONObj& cmdObj) {
@@ -127,7 +141,18 @@ Status checkAuthForCreateUserCommand(Client* client,
 << args.userName.getDB());
 }
 
- return checkAuthorizedToGrantRoles(authzSession, args.roles);
+ status = checkAuthorizedToGrantRoles(authzSession, args.roles);
+ if (!status.isOK()) {
+ return status;
+ }
+
+ status = checkAuthorizedToSetRestrictions(
+ authzSession, static_cast<bool>(args.authenticationRestrictions), args.userName.getDB());
+ if (!status.isOK()) {
+ return status;
+ }
+
+ return Status::OK();
 }
 
 Status checkAuthForUpdateUserCommand(Client* client,
@@ -172,7 +197,16 @@ Status checkAuthForUpdateUserCommand(Client* client,
 "authorized to revoke any role in the system");
 }
 
- return checkAuthorizedToGrantRoles(authzSession, args.roles);
+ status = checkAuthorizedToGrantRoles(authzSession, args.roles);
+ if (!status.isOK()) {
+ return status;
+ }
+ }
+
+ status = checkAuthorizedToSetRestrictions(
+ authzSession, static_cast<bool>(args.authenticationRestrictions), args.userName.getDB());
+ if (!status.isOK()) {
+ return status;
 }
 
 return Status::OK();
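Review bot: The denial in checkAuthorizedToSetRestrictions returns the bare string `"Unauthorized"`, which names neither the missing action nor the database, unlike the other messages visible in this file (`"authorized to revoke any role in the system"`, the one ending in `<< args.userName.getDB()`). Someone reading the command error or an audit record cannot tell that the restriction check, rather than the role-grant check, rejected the request. Suggest `return Status(ErrorCodes::Unauthorized, str::stream() << "Not authorized to set authentication restrictions on db: " << dbname);`, assuming `str::stream` is what the neighbouring messages already use. The two nested `if`s can also be one condition, `if (hasAuthRestriction && !authzSession->isAuthorizedForActionsOnResource(...))`.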
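Review bot: The tail of checkAuthForCreateUserCommand assigns the last check to `status`, returns it on failure and otherwise returns `Status::OK()`, which is the same as returning the check's result directly. `return checkAuthorizedToSetRestrictions(authzSession, static_cast<bool>(args.authenticationRestrictions), args.userName.getDB());` keeps the shape of the removed line and drops five lines. The same applies to the checkAuthForCreateRoleCommand and checkAuthForUpdateRoleCommand hunks. The function body starts outside the hunk.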
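Review bot: The restriction check in checkAuthForUpdateUserCommand runs only when `args.authenticationRestrictions` converts to true, so whether removing restrictions is gated depends on how the argument parser (not shown) represents an empty `authenticationRestrictions` array. Loosening is the sensitive direction: if an empty array leaves what appears to be an optional unset, an update that clears a user's restrictions would pass without the caller holding `setAuthenticationRestriction`. This is worth confirming in the parser and pinning with a test that a clearing update is rejected without the action; the same question applies to the checkAuthForUpdateRoleCommand hunk. Once confirmed, a comment at the call such as `// Engaged even for an empty array, so clearing restrictions is checked too` would record the invariant. The function body starts outside the hunk.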
@@ -214,7 +248,18 @@ Status checkAuthForCreateRoleCommand(Client* client,
 return status;
 }
 
- return checkAuthorizedToGrantPrivileges(authzSession, args.privileges);
+ status = checkAuthorizedToGrantPrivileges(authzSession, args.privileges);
+ if (!status.isOK()) {
+ return status;
+ }
+
+ status = checkAuthorizedToSetRestrictions(
+ authzSession, static_cast<bool>(args.authenticationRestrictions), args.roleName.getDB());
+ if (!status.isOK()) {
+ return status;
+ }
+
+ return Status::OK();
 }
 
 Status checkAuthForUpdateRoleCommand(Client* client,
@@ -241,7 +286,18 @@ Status checkAuthForUpdateRoleCommand(Client* client,
 return status;
 }
 
- return checkAuthorizedToGrantPrivileges(authzSession, args.privileges);
+ status = checkAuthorizedToGrantPrivileges(authzSession, args.privileges);
+ if (!status.isOK()) {
+ return status;
+ }
+
+ status = checkAuthorizedToSetRestrictions(
+ authzSession, static_cast<bool>(args.authenticationRestrictions), args.roleName.getDB());
+ if (!status.isOK()) {
+ return status;
+ }
+
+ return Status::OK();
 }
 
 Status checkAuthForGrantRolesToRoleCommand(Client* client,
|