SERVER-54525 Access_check for none commands

author: Mark Benvenuto <mark.benvenuto@mongodb.com> 2021-03-21 22:46:19 -0400
committer: Evergreen Agent <no-reply@evergreen.mongodb.com> 2021-03-22 03:34:46 +0000
commit: 95f8791e5fcbe1945a7ecb3284079c1d8371f212 (patch)
tree: 49a97309b2daed75ca6f615e0351ba2a4d9bc3f9 /src/mongo/db
parent: 68dbfa5edbb55fec190e508607cf2276367f4f93 (diff)
download: mongo-95f8791e5fcbe1945a7ecb3284079c1d8371f212.tar.gz
11 files changed, 16 insertions, 11 deletions
diff --git a/src/mongo/db/auth/sasl_commands.cpp b/src/mongo/db/auth/sasl_commands.cpp
index 519f512ae90..55cbaf7f907 100644
--- a/src/mongo/db/auth/sasl_commands.cpp
+++ b/src/mongo/db/auth/sasl_commands.cpp
@@ -80,8 +80,6 @@ public:
             return NamespaceString(request().getDbName());
         }
 
-        void doCheckAuthorization(OperationContext*) const final {}
-
         Reply typedRun(OperationContext* opCtx);
     };
 
@@ -116,8 +114,6 @@ public:
             return NamespaceString(request().getDbName());
         }
 
-        void doCheckAuthorization(OperationContext*) const final {}
-
         Reply typedRun(OperationContext* opCtx);
     };
 
diff --git a/src/mongo/db/auth/sasl_commands.idl b/src/mongo/db/auth/sasl_commands.idl
index 638696c38a4..4c2bd66e02a 100644
--- a/src/mongo/db/auth/sasl_commands.idl
+++ b/src/mongo/db/auth/sasl_commands.idl
@@ -61,6 +61,8 @@ commands:
     saslStart:
         description: "Begin a SASL based authentication session"
         api_version: "1"
+        access_check:
+            none: true
         command_name: saslStart
         namespace: ignored
         cpp_name: SaslStartCommand
@@ -86,6 +88,8 @@ commands:
     saslContinue:
         description: "Continue a SASL based authentication session"
         api_version: "1"
+        access_check:
+            none: true
         command_name: saslContinue
         namespace: ignored
         cpp_name: SaslContinueCommand
diff --git a/src/mongo/db/commands/SConscript b/src/mongo/db/commands/SConscript
index 5e17f7f139c..c001db73420 100644
--- a/src/mongo/db/commands/SConscript
+++ b/src/mongo/db/commands/SConscript
@@ -607,6 +607,7 @@ env.Library(
     ],
     LIBDEPS=[
         '$BUILD_DIR/mongo/base',
+        '$BUILD_DIR/mongo/db/auth/authprivilege',
         '$BUILD_DIR/mongo/idl/idl_parser',
     ]
 )
diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp
index 00c455021b1..4e953d09a82 100644
--- a/src/mongo/db/commands/authentication_commands.cpp
+++ b/src/mongo/db/commands/authentication_commands.cpp
@@ -377,8 +377,6 @@ public:
             return NamespaceString(request().getDbName());
         }
 
-        void doCheckAuthorization(OperationContext*) const final {}
-
         Reply typedRun(OperationContext* opCtx) final {
             return AuthenticationSession::doStep(
                 opCtx, AuthenticationSession::StepType::kAuthenticate, [&](auto session) {
diff --git a/src/mongo/db/commands/authentication_commands.idl b/src/mongo/db/commands/authentication_commands.idl
index ce3b6a5cc9d..59a1bfb5f41 100644
--- a/src/mongo/db/commands/authentication_commands.idl
+++ b/src/mongo/db/commands/authentication_commands.idl
@@ -48,6 +48,8 @@ commands:
     authenticate:
         description: "Begin a X509 based authentication session"
         api_version: "1"
+        access_check:
+            none: true
         namespace: ignored
         command_name: authenticate
         cpp_name: AuthenticateCommand
diff --git a/src/mongo/db/commands/generic.cpp b/src/mongo/db/commands/generic.cpp
index 52ed0d5c556..1a6e03f1f94 100644
--- a/src/mongo/db/commands/generic.cpp
+++ b/src/mongo/db/commands/generic.cpp
@@ -79,7 +79,6 @@ public:
         NamespaceString ns() const override {
             return NamespaceString(request().getDbName());
         }
-        void doCheckAuthorization(OperationContext* opCtx) const override {}
         virtual Reply typedRun(OperationContext* opCtx) override {
             // IMPORTANT: Don't put anything in here that might lock db - including authentication
             return Reply{};
diff --git a/src/mongo/db/commands/generic.idl b/src/mongo/db/commands/generic.idl
index b4c54b7568d..736d3059893 100644
--- a/src/mongo/db/commands/generic.idl
+++ b/src/mongo/db/commands/generic.idl
@@ -74,5 +74,7 @@ commands:
         command_name: ping
         strict: true
         api_version: 1
+        access_check:
+            none: true
         namespace: ignored
         reply_type: OkReply
diff --git a/src/mongo/db/commands/txn_cmds.cpp b/src/mongo/db/commands/txn_cmds.cpp
index 6ac83c5166b..9287537a5e2 100644
--- a/src/mongo/db/commands/txn_cmds.cpp
+++ b/src/mongo/db/commands/txn_cmds.cpp
@@ -88,8 +88,6 @@ public:
             return NamespaceString(request().getDbName());
         }
 
-        void doCheckAuthorization(OperationContext* opCtx) const final {}
-
         Reply typedRun(OperationContext* opCtx) final {
             auto txnParticipant = TransactionParticipant::get(opCtx);
             uassert(ErrorCodes::CommandFailed,
@@ -202,8 +200,6 @@ public:
             return NamespaceString(request().getDbName());
         }
 
-        void doCheckAuthorization(OperationContext* opCtx) const final {}
-
         Reply typedRun(OperationContext* opCtx) final {
             auto txnParticipant = TransactionParticipant::get(opCtx);
             uassert(ErrorCodes::CommandFailed,
diff --git a/src/mongo/db/commands/txn_cmds.idl b/src/mongo/db/commands/txn_cmds.idl
index aefe28142d0..61e7a5adb93 100644
--- a/src/mongo/db/commands/txn_cmds.idl
+++ b/src/mongo/db/commands/txn_cmds.idl
@@ -85,6 +85,8 @@ commands:
         cpp_name: CommitTransaction
         strict: true
         api_version: "1"
+        access_check:
+            none: true
         fields:
             commitTimestamp:
                 description: "Timestamp at which to commit the transaction. Required for prepared
@@ -105,6 +107,8 @@ commands:
         cpp_name: AbortTransaction
         strict: true
         api_version: "1"
+        access_check:
+            none: true
         fields:
             recoveryToken:
                 description: "A mongos that doesn't know about this transaction can attempt to make
diff --git a/src/mongo/db/repl/SConscript b/src/mongo/db/repl/SConscript
index c2bf8e36c53..9060306c408 100644
--- a/src/mongo/db/repl/SConscript
+++ b/src/mongo/db/repl/SConscript
@@ -1220,6 +1220,7 @@ env.Library(
     ],
     LIBDEPS_PRIVATE=[
         '$BUILD_DIR/mongo/db/auth/auth',
+        '$BUILD_DIR/mongo/db/auth/authprivilege',
         '$BUILD_DIR/mongo/idl/idl_parser',
         '$BUILD_DIR/mongo/rpc/metadata',
         'optime',
diff --git a/src/mongo/db/repl/hello.idl b/src/mongo/db/repl/hello.idl
index 51d594cdd0c..05f478694fa 100644
--- a/src/mongo/db/repl/hello.idl
+++ b/src/mongo/db/repl/hello.idl
@@ -202,6 +202,8 @@ commands:
         namespace: ignored
         cpp_name: HelloCommand
         api_version: "1"
+        access_check:
+            none: true
         reply_type: HelloCommandReply
         strict: true
         fields:
author	Mark Benvenuto <mark.benvenuto@mongodb.com>	2021-03-21 22:46:19 -0400
committer	Evergreen Agent <no-reply@evergreen.mongodb.com>	2021-03-22 03:34:46 +0000
commit	95f8791e5fcbe1945a7ecb3284079c1d8371f212 (patch)
tree	49a97309b2daed75ca6f615e0351ba2a4d9bc3f9 /src/mongo/db
parent	68dbfa5edbb55fec190e508607cf2276367f4f93 (diff)
download	mongo-95f8791e5fcbe1945a7ecb3284079c1d8371f212.tar.gz