diff options
| author | Andy Schwerin <schwerin@10gen.com> | 2013-07-03 14:56:21 -0400 |
|---|---|---|
| committer | Andy Schwerin <schwerin@10gen.com> | 2013-07-10 13:26:13 -0400 |
| commit | d430713c403fa6b065337cf7e480ed70940631ab (patch) | |
| tree | 9ab7ffad94b732bfdf0589b4ccfd882990183ebe /src/mongo/db | |
| parent | 290750178aee02a006f730205068fc8cffcb7031 (diff) | |
| download | mongo-d430713c403fa6b065337cf7e480ed70940631ab.tar.gz | |
SERVER-1891 Consolidate command authorization checking logic.
Diffstat (limited to 'src/mongo/db')
| -rw-r--r-- | src/mongo/db/commands.cpp | 49 | ||||
| -rw-r--r-- | src/mongo/db/commands.h | 20 | ||||
| -rw-r--r-- | src/mongo/db/dbcommands.cpp | 29 |
3 files changed, 72 insertions, 26 deletions
diff --git a/src/mongo/db/commands.cpp b/src/mongo/db/commands.cpp index 493f8793644..3ededf1ec93 100644 --- a/src/mongo/db/commands.cpp +++ b/src/mongo/db/commands.cpp @@ -209,6 +209,14 @@ namespace mongo { return client->getAuthorizationSession()->checkAuthForPrivileges(privileges); } + void Command::appendCommandStatus(BSONObjBuilder& result, const Status& status) { + appendCommandStatus(result, status.isOK(), status.reason()); + BSONObj tmp = result.asTempObj(); + if (!status.isOK() && !tmp.hasField("code")) { + result.append("code", status.code()); + } + } + void Command::logIfSlow( const Timer& timer, const string& msg ) { int ms = timer.millis(); if ( ms > cmdLine.slowMS ) { @@ -216,6 +224,47 @@ namespace mongo { } } + static Status _checkAuthorizationImpl(Command* c, + ClientBasic* client, + const std::string& dbname, + const BSONObj& cmdObj, + bool fromRepl) { + if ( c->adminOnly() && ! fromRepl && dbname != "admin" ) { + return Status(ErrorCodes::Unauthorized, str::stream() << c->name << + " may only be run against the admin database."); + } + if (AuthorizationManager::isAuthEnabled()) { + Status status = c->checkAuthForCommand(client, dbname, cmdObj); + if (status == ErrorCodes::Unauthorized) { + return Status(ErrorCodes::Unauthorized, + str::stream() << "not authorized on " << dbname << + " to execute command " << cmdObj); + } + if (!status.isOK()) { + return status; + } + } + else if (c->adminOnly() && + c->localHostOnlyIfNoAuth(cmdObj) && + !client->getIsLocalHostConnection()) { + + return Status(ErrorCodes::Unauthorized, str::stream() << c->name << + " must run from localhost when running db without auth"); + } + return Status::OK(); + } + + Status Command::_checkAuthorization(Command* c, + ClientBasic* client, + const std::string& dbname, + const BSONObj& cmdObj, + bool fromRepl) { + Status status = _checkAuthorizationImpl(c, client, dbname, cmdObj, fromRepl); + if (!status.isOK()) { + log() << status << std::endl; + } + return status; + } } #include "../client/connpool.h" diff --git a/src/mongo/db/commands.h b/src/mongo/db/commands.h index 5f52aa97de7..edaa185e867 100644 --- a/src/mongo/db/commands.h +++ b/src/mongo/db/commands.h @@ -197,9 +197,29 @@ namespace mongo { // Helper for setting errmsg and ok field in command result object. static void appendCommandStatus(BSONObjBuilder& result, bool ok, const std::string& errmsg); + static void appendCommandStatus(BSONObjBuilder& result, const Status& status); // Set by command line. Controls whether or not testing-only commands should be available. static int testCommandsEnabled; + + private: + /** + * Checks to see if the client is authorized to run the given command with the given + * parameters on the given named database. + * + * fromRepl is true if this command is running as part of oplog application, which for + * historic reasons has slightly different authorization semantics. TODO(schwerin): Check + * to see if this oddity can now be eliminated. + * + * Returns Status::OK() if the command is authorized. Most likely returns + * ErrorCodes::Unauthorized otherwise, but any return other than Status::OK implies not + * authorized. + */ + static Status _checkAuthorization(Command* c, + ClientBasic* client, + const std::string& dbname, + const BSONObj& cmdObj, + bool fromRepl); }; bool _runCommands(const char *ns, BSONObj& jsobj, BufBuilder &b, BSONObjBuilder& anObjBuilder, bool fromRepl, int queryOptions); diff --git a/src/mongo/db/dbcommands.cpp b/src/mongo/db/dbcommands.cpp index 3a2a9036f62..8fa0c7d9442 100644 --- a/src/mongo/db/dbcommands.cpp +++ b/src/mongo/db/dbcommands.cpp @@ -2110,35 +2110,12 @@ namespace mongo { std::string dbname = nsToDatabase( cmdns ); scoped_ptr<MaintenanceModeSetter> mmSetter; - if (c->adminOnly() && - c->localHostOnlyIfNoAuth(cmdObj) && - !AuthorizationManager::isAuthEnabled() && - !client.getIsLocalHostConnection()) { - log() << "command denied: " << cmdObj.toString() << endl; - appendCommandStatus(result, - false, - "unauthorized: this command must run from localhost when running " - "db without auth"); + Status status = _checkAuthorization(c, &client, dbname, cmdObj, fromRepl); + if (!status.isOK()) { + appendCommandStatus(result, status); return; } - if ( c->adminOnly() && ! fromRepl && dbname != "admin" ) { - log() << "command denied: " << cmdObj.toString() << endl; - appendCommandStatus(result, false, "access denied; use admin db"); - return; - } - - if (AuthorizationManager::isAuthEnabled()) { - Status status = c->checkAuthForCommand(&client, dbname, cmdObj); - if (!status.isOK()) { - log() << "command denied: " << cmdObj.toString() << endl; - result.append("note", str::stream() << "not authorized for command: " << - c->name << " on database " << dbname); - appendCommandStatus(result, false, status.reason()); - return; - } - } - if ( cmdObj["help"].trueValue() ) { client.curop()->ensureStarted(); stringstream ss; |