author | Andy Schwerin <schwerin@10gen.com> | 2013-09-20 10:36:01 -0400 |
---|---|---|
committer | Andy Schwerin <schwerin@10gen.com> | 2013-09-23 16:20:12 -0400 |
commit | a7f7c028c4cdda1ab0939c6c7788bb39bd94cc5f (patch) | |
tree | 270b9930bff0f280252850cd90ef0bf8e7de0a17 /src/mongo/s | |
parent | 234f50a33cd6d2a2e0a30c4b1bddb1c7de176799 (diff) | |
download | mongo-a7f7c028c4cdda1ab0939c6c7788bb39bd94cc5f.tar.gz |
SERVER-1105 Use ResourcePattern type when identifying the resource component of required privileges.
This patch has two principal components. First, it changes the interface to Privilege and
AuthorizationSession to use ResourcePattern in place of std::string for identifying resources.
Second, it examines all call sites of the authorization session interface in commands and
other code to ensure that the correct resource requirements are conveyed to the authorization_session.
Diffstat (limited to 'src/mongo/s')
-rw-r--r-- | src/mongo/s/commands_admin.cpp | 30 | ||||
-rw-r--r-- | src/mongo/s/commands_public.cpp | 77 | ||||
-rw-r--r-- | src/mongo/s/cursors.cpp | 10 | ||||
-rw-r--r-- | src/mongo/s/d_migrate.cpp | 14 | ||||
-rw-r--r-- | src/mongo/s/d_split.cpp | 6 | ||||
-rw-r--r-- | src/mongo/s/d_state.cpp | 8 | ||||
-rw-r--r-- | src/mongo/s/d_writeback.cpp | 4 | ||||
-rw-r--r-- | src/mongo/s/merge_chunks_cmd.cpp | 8 | ||||
-rw-r--r-- | src/mongo/s/shard.cpp | 2 | ||||
-rw-r--r-- | src/mongo/s/shardconnection.cpp | 2 | ||||
-rw-r--r-- | src/mongo/s/strategy_shard.cpp | 27 | ||||
-rw-r--r-- | src/mongo/s/strategy_single.cpp | 8 |
12 files changed, 101 insertions, 95 deletions
diff --git a/src/mongo/s/commands_admin.cpp b/src/mongo/s/commands_admin.cpp
index b3607dcb9c4..611ea0d12c8 100644
--- a/src/mongo/s/commands_admin.cpp
+++ b/src/mongo/s/commands_admin.cpp
@@ -101,7 +101,7 @@ namespace mongo {
 std::vector<Privilege>* out) {
 ActionSet actions;
 actions.addAction(ActionType::netstat);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
 }
 bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
 result.append("configserver", configServer.getPrimary().getConnString() );
@@ -121,7 +121,7 @@ namespace mongo {
 std::vector<Privilege>* out) {
 ActionSet actions;
 actions.addAction(ActionType::flushRouterConfig);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
 }
 bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
 grid.flushConfig();
@@ -138,7 +138,7 @@ namespace mongo {
 std::vector<Privilege>* out) {
 ActionSet actions;
 actions.addAction(ActionType::fsync);
- out->push_back(Privilege(AuthorizationManager::SERVER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
 }
 bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
 if ( cmdObj["lock"].trueValue() ) {
@@ -186,7 +186,7 @@ namespace mongo {
 std::vector<Privilege>* out) {
 ActionSet actions;
 actions.addAction(ActionType::movePrimary);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
 }
 bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
 string dbname = cmdObj.firstElement().valuestrsafe();
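Review bot: The fsync hunk (`@@ -138,7 +138,7 @@`) is not a like-for-like rename: the removed line required the action on `AuthorizationManager::SERVER_RESOURCE_NAME`, while the added line requires it on `ResourcePattern::forClusterResource()`, the same pattern the former `CLUSTER_RESOURCE_NAME` call sites now use. If folding the server resource into the cluster resource is intended, it deserves a sentence in the commit description or a comment at the call site, for example `// formerly checked against the server resource`. Any grant on the old server resource presumably has to be migrated for the same roles to keep access to these commands; the role definitions are not visible here. The same applies to the listDatabases, closeAllDatabases and replSetGetStatus hunks in this file and to the SERVER_RESOURCE_NAME hunks in cursors.cpp, d_migrate.cpp, shardconnection.cpp and strategy_single.cpp. Each addRequiredPrivileges body starts above its hunk.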
@@ -375,7 +375,7 @@ namespace mongo {
 std::vector<Privilege>* out) {
 ActionSet actions;
 actions.addAction(ActionType::enableSharding);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
 }
 bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
 string dbname = cmdObj.firstElement().valuestrsafe();
@@ -426,7 +426,7 @@ namespace mongo {
 std::vector<Privilege>* out) {
 ActionSet actions;
 actions.addAction(ActionType::shardCollection);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
 }
 bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
 const string ns = cmdObj.firstElement().valuestrsafe();
@@ -794,7 +794,7 @@ namespace mongo {
 std::vector<Privilege>* out) {
 ActionSet actions;
 actions.addAction(ActionType::getShardVersion);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
 }
 bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
 string ns = cmdObj.firstElement().valuestrsafe();
@@ -838,7 +838,7 @@ namespace mongo {
 std::vector<Privilege>* out) {
 ActionSet actions;
 actions.addAction(ActionType::split);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
 }
 bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
 if ( ! okForConfigChanges( errmsg ) )
@@ -988,7 +988,7 @@ namespace mongo {
 std::vector<Privilege>* out) {
 ActionSet actions;
 actions.addAction(ActionType::moveChunk);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
 }
 bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
 if ( ! okForConfigChanges( errmsg ) )
@@ -1087,7 +1087,7 @@ namespace mongo {
 std::vector<Privilege>* out) {
 ActionSet actions;
 actions.addAction(ActionType::listShards);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
 }
 bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
 ScopedDbConnection conn(configServer.getPrimary().getConnString(), 30);
@@ -1118,7 +1118,7 @@ namespace mongo {
 std::vector<Privilege>* out) {
 ActionSet actions;
 actions.addAction(ActionType::addShard);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
 }
 bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
 errmsg.clear();
@@ -1186,7 +1186,7 @@ namespace mongo {
 std::vector<Privilege>* out) {
 ActionSet actions;
 actions.addAction(ActionType::removeShard);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
 }
 bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
 string target = cmdObj.firstElement().valuestrsafe();
@@ -1504,7 +1504,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::listDatabases); - out->push_back(Privilege(AuthorizationManager::SERVER_RESOURCE_NAME, actions)); + out->push_back(Privilege(ResourcePattern::forClusterResource(), actions)); } bool run(const string& , BSONObj& jsobj, int, string& errmsg, BSONObjBuilder& result, bool /*fromRepl*/) { @@ -1632,7 +1632,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::closeAllDatabases); - out->push_back(Privilege(AuthorizationManager::SERVER_RESOURCE_NAME, actions)); + out->push_back(Privilege(ResourcePattern::forClusterResource(), actions)); } bool run(const string& , BSONObj& jsobj, int, string& errmsg, BSONObjBuilder& /*result*/, bool /*fromRepl*/) { @@ -1656,7 +1656,7 @@ namespace mongo { // TODO: Should this require no auth since it's not supported in mongos anyway? ActionSet actions; actions.addAction(ActionType::replSetGetStatus); - out->push_back(Privilege(AuthorizationManager::SERVER_RESOURCE_NAME, actions)); + out->push_back(Privilege(ResourcePattern::forClusterResource(), actions)); } bool run(const string& , BSONObj& jsobj, int, string& errmsg, BSONObjBuilder& result, bool /*fromRepl*/) { if ( jsobj["forShell"].trueValue() ) { diff --git a/src/mongo/s/commands_public.cpp b/src/mongo/s/commands_public.cpp index 9f8054304c7..0ffa5398f04 100644 --- a/src/mongo/s/commands_public.cpp +++ b/src/mongo/s/commands_public.cpp @@ -231,7 +231,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::dropIndexes); - out->push_back(Privilege(parseNs(dbname, cmdObj), actions)); + out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions)); } } dropIndexesCmd; 
@@ -243,7 +243,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::reIndex); - out->push_back(Privilege(parseNs(dbname, cmdObj), actions)); + out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions)); } } reIndexCmd; @@ -255,7 +255,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::collMod); - out->push_back(Privilege(parseNs(dbname, cmdObj), actions)); + out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions)); } } collectionModCmd; @@ -271,7 +271,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::profileEnable); - out->push_back(Privilege(dbname, actions)); + out->push_back(Privilege(ResourcePattern::forDatabaseName(dbname), actions)); } } profileCmd; @@ -284,8 +284,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::validate); - // TODO: should the resource needed be the collection name instead of the db name? - out->push_back(Privilege(dbname, actions)); + out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions)); } virtual void aggregateResults(const vector<BSONObj>& results, BSONObjBuilder& output) { for (vector<BSONObj>::const_iterator it(results.begin()), end(results.end()); it!=end; it++){ @@ -319,7 +318,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::repairDatabase); - out->push_back(Privilege(dbname, actions)); + out->push_back(Privilege(ResourcePattern::forDatabaseName(dbname), actions)); } } repairDatabaseCmd; @@ -331,7 +330,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::dbStats); - out->push_back(Privilege(dbname, actions)); + out->push_back(Privilege(ResourcePattern::forDatabaseName(dbname), actions)); } virtual void aggregateResults(const vector<BSONObj>& results, BSONObjBuilder& output) { 
@@ -379,7 +378,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::createCollection); - out->push_back(Privilege(dbname, actions)); + out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions)); } bool run(const string& dbName, BSONObj& cmdObj, @@ -400,7 +399,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::dropCollection); - out->push_back(Privilege(parseNs(dbname, cmdObj), actions)); + out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions)); } bool run(const string& dbName , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) { string collection = cmdObj.firstElement().valuestrsafe(); @@ -448,7 +447,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::dropDatabase); - out->push_back(Privilege(dbname, actions)); + out->push_back(Privilege(ResourcePattern::forDatabaseName(dbname), actions)); } bool run(const string& dbName , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) { // disallow dropping the config database from mongos @@ -552,7 +551,8 @@ namespace mongo { // read from the source DB. ActionSet actions; actions.addAction(ActionType::copyDBTarget); - out->push_back(Privilege(dbname, actions)); // NOTE: dbname is always admin + out->push_back(Privilege(ResourcePattern::forDatabaseName(cmdObj["todb"].str()), + actions)); } bool run(const string& dbName, BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) { string todb = cmdObj.getStringField("todb"); @@ -602,7 +602,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::find); - out->push_back(Privilege(parseNs(dbname, cmdObj), actions)); + out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions)); } bool run( const string& dbName, BSONObj& cmdObj, 
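Review bot: In the copyDB hunk (`@@ -552,7 +551,8 @@`) the required privilege is built from `cmdObj["todb"].str()`, while `run` two lines below reads the same field with `cmdObj.getStringField("todb")`. The authorization check and the operation therefore obtain the target database name through two different accessors, which may not agree for a missing, non-string or otherwise malformed `todb`; if they ever differ, the privilege is checked on one name and the copy is performed on another. I would read the field the same way in both places, e.g. `ResourcePattern::forDatabaseName(cmdObj.getStringField("todb"))`, and have the command reject an empty target name. The body of addRequiredPrivileges begins above the hunk, so the source-database side of the check is not visible here.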
@@ -699,7 +699,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::collStats); - out->push_back(Privilege(parseNs(dbname, cmdObj), actions)); + out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions)); } bool run(const string& dbName , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) { string collection = cmdObj.firstElement().valuestrsafe(); @@ -831,7 +831,7 @@ namespace mongo { virtual void addRequiredPrivileges(const std::string& dbname, const BSONObj& cmdObj, std::vector<Privilege>* out) { - find_and_modify::addPrivilegesRequiredForFindAndModify(dbname, cmdObj, out); + find_and_modify::addPrivilegesRequiredForFindAndModify(this, dbname, cmdObj, out); } bool run(const string& dbName, BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) { string collection = cmdObj.firstElement().valuestrsafe(); @@ -882,7 +882,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::find); - out->push_back(Privilege(parseNs(dbname, cmdObj), actions)); + out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions)); } bool run(const string& dbName, BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) { string fullns = cmdObj.firstElement().String(); @@ -947,7 +947,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::convertToCapped); - out->push_back(Privilege(parseNs(dbname, cmdObj), actions)); + out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions)); } virtual string getFullNS( const string& dbName , const BSONObj& cmdObj ) { 
@@ -965,7 +965,7 @@ namespace mongo {
 std::vector<Privilege>* out) {
 ActionSet actions;
 actions.addAction(ActionType::find);
- out->push_back(Privilege(parseNs(dbname, cmdObj), actions));
+ out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions));
 }
 virtual bool passOptions() const { return true; }
 virtual string getFullNS( const string& dbName , const BSONObj& cmdObj ) {
@@ -983,7 +983,7 @@ namespace mongo {
 std::vector<Privilege>* out) {
 ActionSet actions;
 actions.addAction(ActionType::splitVector);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
 }
 virtual bool run(const string& dbName , BSONObj& cmdObj, int options, string& errmsg, BSONObjBuilder& result, bool) {
 string x = cmdObj.firstElement().valuestrsafe();
@@ -1012,7 +1012,7 @@ namespace mongo {
 std::vector<Privilege>* out) {
 ActionSet actions;
 actions.addAction(ActionType::find);
- out->push_back(Privilege(parseNs(dbname, cmdObj), actions));
+ out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions));
 }
 bool run(const string& dbName , BSONObj& cmdObj, int options, string& errmsg, BSONObjBuilder& result, bool) {
 string collection = cmdObj.firstElement().valuestrsafe();
@@ -1072,24 +1072,23 @@ namespace mongo { virtual void help( stringstream &help ) const { help << " example: { filemd5 : ObjectId(aaaaaaa) , root : \"fs\" }"; } + + virtual std::string parseNs(const std::string& dbname, const BSONObj& cmdObj) const { + std::string collectionName = cmdObj.getStringField("root"); + if (collectionName.empty()) + collectionName = "fs"; + collectionName += ".chunks"; + return NamespaceString(dbname, collectionName).ns(); + } + virtual void addRequiredPrivileges(const std::string& dbname, const BSONObj& cmdObj, std::vector<Privilege>* out) { - ActionSet actions; - actions.addAction(ActionType::find); - out->push_back(Privilege(parseNs(dbname, cmdObj), actions)); + out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), ActionType::find)); } - bool run(const string& dbName , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) { - string fullns = dbName; - fullns += "."; - { - string root = cmdObj.getStringField( "root" ); - if ( root.size() == 0 ) - root = "fs"; - fullns += root; - } - fullns += ".chunks"; + bool run(const string& dbName , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) { + const std::string fullns = parseNs(dbName, cmdObj); DBConfigPtr conf = grid.getDBConfig( dbName , false ); if ( ! conf || ! conf->isShardingEnabled() || ! conf->isSharded( fullns ) ) { @@ -1199,7 +1198,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::find); - out->push_back(Privilege(parseNs(dbname, cmdObj), actions)); + out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions)); } bool run(const string& dbName , BSONObj& cmdObj, int options, string& errmsg, BSONObjBuilder& result, bool) { string collection = cmdObj.firstElement().valuestrsafe(); 
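Review bot: The new `parseNs` override in the filemd5 hunk (`@@ -1072,24 +1072,23 @@`) carries no comment, although the authorization check now depends on it. `addRequiredPrivileges` calls `parseResourcePattern(dbname, cmdObj)` and `run` calls `parseNs(dbName, cmdObj)`, so both should resolve to `<db>.<root>.chunks`, assuming parseResourcePattern is built on parseNs, which is not visible here. I would add a comment above the override such as `// filemd5's first element is an ObjectId, not a collection name; authorize and run against <db>.<root>.chunks (root defaults to "fs")`. The `root` value is taken from the command object without validation in this hunk, and whether `NamespaceString` rejects malformed names is not shown, so that is worth confirming.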
@@ -1305,7 +1304,7 @@ namespace mongo { virtual void addRequiredPrivileges(const std::string& dbname, const BSONObj& cmdObj, std::vector<Privilege>* out) { - mr::addPrivilegesRequiredForMapReduce(dbname, cmdObj, out); + mr::addPrivilegesRequiredForMapReduce(this, dbname, cmdObj, out); } string getTmpName( const string& coll ) { @@ -1725,7 +1724,7 @@ namespace mongo { const BSONObj& cmdObj, std::vector<Privilege>* out) { // applyOps can do pretty much anything, so require all privileges. - out->push_back(Privilege(AuthorizationManager::WILDCARD_RESOURCE_NAME, + out->push_back(Privilege(ResourcePattern::forAnyResource(), getGlobalAuthorizationManager()->getAllUserActions())); } virtual bool run(const string& dbName , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) { @@ -1743,7 +1742,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::compact); - out->push_back(Privilege(parseNs(dbname, cmdObj), actions)); + out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions)); } virtual bool run(const string& dbName , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) { errmsg = "compact not allowed through mongos"; @@ -1758,7 +1757,7 @@ namespace mongo { const BSONObj& cmdObj, std::vector<Privilege>* out) { // $eval can do pretty much anything, so require all privileges. - out->push_back(Privilege(AuthorizationManager::WILDCARD_RESOURCE_NAME, + out->push_back(Privilege(ResourcePattern::forAnyResource(), getGlobalAuthorizationManager()->getAllUserActions())); } virtual bool run(const string& dbName, @@ -1837,7 +1836,7 @@ namespace mongo { void PipelineCommand::addRequiredPrivileges(const std::string& dbname, const BSONObj& cmdObj, std::vector<Privilege>* out) { - Pipeline::addRequiredPrivileges(dbname, cmdObj, out); + Pipeline::addRequiredPrivileges(this, dbname, cmdObj, out); } bool PipelineCommand::run(const string &dbName , BSONObj &cmdObj, 
diff --git a/src/mongo/s/cursors.cpp b/src/mongo/s/cursors.cpp index 178e1e5ac41..f38feba9048 100644 --- a/src/mongo/s/cursors.cpp +++ b/src/mongo/s/cursors.cpp @@ -314,8 +314,8 @@ namespace mongo { MapSharded::iterator i = _cursors.find( id ); if ( i != _cursors.end() ) { - const bool isAuthorized = authSession->checkAuthorization( - i->second->getNS(), ActionType::killCursors); + const bool isAuthorized = authSession->isAuthorizedForActionsOnNamespace( + NamespaceString(i->second->getNS()), ActionType::killCursors); audit::logKillCursorsAuthzCheck( client, NamespaceString(i->second->getNS()), @@ -334,8 +334,8 @@ namespace mongo { continue; } verify(refsNSIt != _refsNS.end()); - const bool isAuthorized = authSession->checkAuthorization( - refsNSIt->second, ActionType::killCursors); + const bool isAuthorized = authSession->isAuthorizedForActionsOnNamespace( + NamespaceString(refsNSIt->second), ActionType::killCursors); audit::logKillCursorsAuthzCheck( client, NamespaceString(refsNSIt->second), @@ -411,7 +411,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::cursorInfo); - out->push_back(Privilege(AuthorizationManager::SERVER_RESOURCE_NAME, actions)); + out->push_back(Privilege(ResourcePattern::forClusterResource(), actions)); } virtual LockType locktype() const { return NONE; } bool run(const string&, BSONObj& jsobj, int, string& errmsg, BSONObjBuilder& result, bool fromRepl ) { diff --git a/src/mongo/s/d_migrate.cpp b/src/mongo/s/d_migrate.cpp index e18a805be0d..77274df9d77 100644 --- a/src/mongo/s/d_migrate.cpp +++ b/src/mongo/s/d_migrate.cpp 
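Review bot: In both killCursors hunks of cursors.cpp (`@@ -314,8 +314,8 @@` and `@@ -334,8 +334,8 @@`) the namespace is wrapped in `NamespaceString(...)` twice, once for `isAuthorizedForActionsOnNamespace` and again for `audit::logKillCursorsAuthzCheck`. Building it once, e.g. `const NamespaceString cursorNs(i->second->getNS());`, and passing `cursorNs` to both calls would make it evident that the audit record names exactly the namespace that was authorized. It would also match what this commit does in strategy_shard.cpp with `nsString`. The same applies to `refsNSIt->second` in the second hunk; both enclosing functions start and end outside the hunks.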
@@ -672,7 +672,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::_transferMods); - out->push_back(Privilege(AuthorizationManager::SERVER_RESOURCE_NAME, actions)); + out->push_back(Privilege(ResourcePattern::forClusterResource(), actions)); } bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) { return migrateFromStatus.transferMods( errmsg, result ); @@ -688,7 +688,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::_migrateClone); - out->push_back(Privilege(AuthorizationManager::SERVER_RESOURCE_NAME, actions)); + out->push_back(Privilege(ResourcePattern::forClusterResource(), actions)); } bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) { return migrateFromStatus.clone( errmsg, result ); @@ -717,7 +717,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::moveChunk); - out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions)); + out->push_back(Privilege(ResourcePattern::forClusterResource(), actions)); } bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) { @@ -2036,7 +2036,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::_recvChunkStart); - out->push_back(Privilege(AuthorizationManager::SERVER_RESOURCE_NAME, actions)); + out->push_back(Privilege(ResourcePattern::forClusterResource(), actions)); } bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) { 
@@ -2129,7 +2129,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::_recvChunkStatus); - out->push_back(Privilege(AuthorizationManager::SERVER_RESOURCE_NAME, actions)); + out->push_back(Privilege(ResourcePattern::forClusterResource(), actions)); } bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) { migrateStatus.status( result ); @@ -2146,7 +2146,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::_recvChunkCommit); - out->push_back(Privilege(AuthorizationManager::SERVER_RESOURCE_NAME, actions)); + out->push_back(Privilege(ResourcePattern::forClusterResource(), actions)); } bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) { bool ok = migrateStatus.startCommit(); @@ -2164,7 +2164,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::_recvChunkAbort); - out->push_back(Privilege(AuthorizationManager::SERVER_RESOURCE_NAME, actions)); + out->push_back(Privilege(ResourcePattern::forClusterResource(), actions)); } bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) { migrateStatus.abort(); diff --git a/src/mongo/s/d_split.cpp b/src/mongo/s/d_split.cpp index ae72c795b9b..da7a99eddfc 100644 --- a/src/mongo/s/d_split.cpp +++ b/src/mongo/s/d_split.cpp @@ -88,7 +88,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::find); - out->push_back(Privilege(parseNs(dbname, cmdObj), actions)); + out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions)); } bool run(const string& dbname, BSONObj& jsobj, int, string& errmsg, BSONObjBuilder& result, bool fromRepl ) { 
@@ -222,7 +222,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::splitVector); - out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions)); + out->push_back(Privilege(ResourcePattern::forClusterResource(), actions)); } bool run(const string& dbname, BSONObj& jsobj, int, string& errmsg, BSONObjBuilder& result, bool fromRepl ) { @@ -507,7 +507,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::splitChunk); - out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions)); + out->push_back(Privilege(ResourcePattern::forClusterResource(), actions)); } bool run(const string& dbname, BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool fromRepl ) { diff --git a/src/mongo/s/d_state.cpp b/src/mongo/s/d_state.cpp index d84c00f3b1a..e41af37165e 100644 --- a/src/mongo/s/d_state.cpp +++ b/src/mongo/s/d_state.cpp @@ -786,7 +786,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::unsetSharding); - out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions)); + out->push_back(Privilege(ResourcePattern::forClusterResource(), actions)); } bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) { @@ -812,7 +812,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::setShardVersion); - out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions)); + out->push_back(Privilege(ResourcePattern::forClusterResource(), actions)); } bool checkConfigOrInit( const string& configdb , bool authoritative , string& errmsg , BSONObjBuilder& result , bool locked=false ) const { 
@@ -1120,7 +1120,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::getShardVersion); - out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions)); + out->push_back(Privilege(ResourcePattern::forClusterResource(), actions)); } bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) { @@ -1163,7 +1163,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::shardingState); - out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions)); + out->push_back(Privilege(ResourcePattern::forClusterResource(), actions)); } bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) { diff --git a/src/mongo/s/d_writeback.cpp b/src/mongo/s/d_writeback.cpp index f8b7db8c60b..33da7dc3d55 100644 --- a/src/mongo/s/d_writeback.cpp +++ b/src/mongo/s/d_writeback.cpp @@ -168,7 +168,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::writebacklisten); - out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions)); + out->push_back(Privilege(ResourcePattern::forClusterResource(), actions)); } bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) { @@ -220,7 +220,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::writeBacksQueued); - out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions)); + out->push_back(Privilege(ResourcePattern::forClusterResource(), actions)); } WriteBacksQueuedCommand() : Command( "writeBacksQueued" ) {} diff --git a/src/mongo/s/merge_chunks_cmd.cpp b/src/mongo/s/merge_chunks_cmd.cpp index 742bad635dc..bb76b561843 100644 --- a/src/mongo/s/merge_chunks_cmd.cpp +++ b/src/mongo/s/merge_chunks_cmd.cpp 
@@ -55,9 +55,11 @@ namespace mongo { virtual Status checkAuthForCommand( ClientBasic* client, const std::string& dbname, const BSONObj& cmdObj ) { - return client->getAuthorizationSession()->checkAuthForPrivilege( - Privilege( AuthorizationManager::CLUSTER_RESOURCE_NAME, - ActionType::mergeChunks ) ); + if (!client->getAuthorizationSession()->isAuthorizedForActionsOnResource( + ResourcePattern::forClusterResource(), ActionType::mergeChunks)) { + return Status(ErrorCodes::Unauthorized, "Not authorized for mergeChunks."); + } + return Status::OK(); } virtual bool slaveOk() const { return false; } diff --git a/src/mongo/s/shard.cpp b/src/mongo/s/shard.cpp index 00c8c3405e4..371acfe8af4 100644 --- a/src/mongo/s/shard.cpp +++ b/src/mongo/s/shard.cpp @@ -288,7 +288,7 @@ namespace mongo { std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::getShardMap); - out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions)); + out->push_back(Privilege(ResourcePattern::forClusterResource(), actions)); } virtual bool run(const string&, mongo::BSONObj&, int, std::string& errmsg , mongo::BSONObjBuilder& result, bool) { return staticShardInfo.getShardMap( result , errmsg ); diff --git a/src/mongo/s/shardconnection.cpp b/src/mongo/s/shardconnection.cpp index 07e1c465f32..f6f057f6ab8 100644 --- a/src/mongo/s/shardconnection.cpp +++ b/src/mongo/s/shardconnection.cpp @@ -99,7 +99,7 @@ namespace mongo { { ActionSet actions; actions.addAction( ActionType::connPoolStats ); - out->push_back( Privilege( AuthorizationManager::SERVER_RESOURCE_NAME, actions ) ); + out->push_back( Privilege( ResourcePattern::forClusterResource(), actions ) ); } virtual bool run ( const string&, mongo::BSONObj&, int, std::string&, mongo::BSONObjBuilder& result, bool ) { diff --git a/src/mongo/s/strategy_shard.cpp b/src/mongo/s/strategy_shard.cpp index 4cbfe290373..de5899cbb2b 100644 --- a/src/mongo/s/strategy_shard.cpp +++ b/src/mongo/s/strategy_shard.cpp 
@@ -67,10 +67,11 @@ namespace mongo { QueryMessage q( r.d() ); + NamespaceString ns(q.ns); ClientBasic* client = ClientBasic::getCurrent(); AuthorizationSession* authSession = client->getAuthorizationSession(); - Status status = authSession->checkAuthForQuery(q.ns, q.query); - audit::logQueryAuthzCheck(client, NamespaceString(q.ns), q.query, status.code()); + Status status = authSession->checkAuthForQuery(ns, q.query); + audit::logQueryAuthzCheck(client, ns, q.query, status.code()); uassertStatusOK(status); LOG(3) << "shard query: " << q.ns << " " << q.query << endl; @@ -215,9 +216,10 @@ namespace mongo { NULL == cursorCache.get( id ).get() || host.empty() ); ClientBasic* client = ClientBasic::getCurrent(); + NamespaceString nsString(ns); AuthorizationSession* authSession = client->getAuthorizationSession(); - Status status = authSession->checkAuthForGetMore( ns, id ); - audit::logGetMoreAuthzCheck( client, NamespaceString(ns), id, status.code() ); + Status status = authSession->checkAuthForGetMore( nsString, id ); + audit::logGetMoreAuthzCheck( client, nsString, id, status.code() ); uassertStatusOK(status); if( !host.empty() ){ @@ -577,12 +579,13 @@ namespace mongo { // We should always have a shard if we have any inserts verify(group.inserts.size() == 0 || group.shard.get()); + NamespaceString nsString(ns); for (vector<BSONObj>::iterator it = group.inserts.begin(); it != group.inserts.end(); ++it) { ClientBasic* client = ClientBasic::getCurrent(); AuthorizationSession* authSession = client->getAuthorizationSession(); - Status status = authSession->checkAuthForInsert(ns, *it); - audit::logInsertAuthzCheck(client, NamespaceString(ns), *it, status.code()); + Status status = authSession->checkAuthForInsert(nsString, *it); + audit::logInsertAuthzCheck(client, nsString, *it, status.code()); uassertStatusOK(status); } 
@@ -1033,12 +1036,13 @@ namespace mongo { const BSONObj toUpdate = d.nextJsObj(); + NamespaceString nsString(ns); ClientBasic* client = ClientBasic::getCurrent(); AuthorizationSession* authzSession = client->getAuthorizationSession(); - Status status = authzSession->checkAuthForUpdate(ns, query, toUpdate, upsert); + Status status = authzSession->checkAuthForUpdate(nsString, query, toUpdate, upsert); audit::logUpdateAuthzCheck( client, - NamespaceString(ns), + nsString, query, toUpdate, upsert, @@ -1202,10 +1206,11 @@ namespace mongo { const BSONObj query = d.nextJsObj(); + NamespaceString nsString(ns); ClientBasic* client = ClientBasic::getCurrent(); AuthorizationSession* authSession = client->getAuthorizationSession(); - Status status = authSession->checkAuthForDelete(ns, query); - audit::logDeleteAuthzCheck(client, NamespaceString(ns), query, status.code()); + Status status = authSession->checkAuthForDelete(nsString, query); + audit::logDeleteAuthzCheck(client, nsString, query, status.code()); uassertStatusOK(status); if( d.reservedField() & Reserved_FromWriteback ){ @@ -1275,7 +1280,7 @@ namespace mongo { while (d.moreJSObjs()) { BSONObj toInsert = d.nextJsObj(); Status status = authSession->checkAuthForInsert( - ns, + nsAsNs, toInsert); audit::logInsertAuthzCheck( client, diff --git a/src/mongo/s/strategy_single.cpp b/src/mongo/s/strategy_single.cpp index 89e4a97f3f9..08f95856a01 100644 --- a/src/mongo/s/strategy_single.cpp +++ b/src/mongo/s/strategy_single.cpp 
@@ -145,8 +145,8 @@ namespace mongo { ClientBasic* client = ClientBasic::getCurrent(); AuthorizationSession* authSession = client->getAuthorizationSession(); if ( strcmp( ns , "inprog" ) == 0 ) { - const bool isAuthorized = authSession->checkAuthorization( - AuthorizationManager::SERVER_RESOURCE_NAME, ActionType::inprog); + const bool isAuthorized = authSession->isAuthorizedForActionsOnResource( + ResourcePattern::forClusterResource(), ActionType::inprog); audit::logInProgAuthzCheck( client, q.query, isAuthorized ? ErrorCodes::OK : ErrorCodes::Unauthorized); uassert(ErrorCodes::Unauthorized, "not authorized to run inprog", isAuthorized); @@ -188,8 +188,8 @@ namespace mongo { arr.done(); } else if ( strcmp( ns , "killop" ) == 0 ) { - const bool isAuthorized = authSession->checkAuthorization( - AuthorizationManager::SERVER_RESOURCE_NAME, ActionType::killop); + const bool isAuthorized = authSession->isAuthorizedForActionsOnResource( + ResourcePattern::forClusterResource(), ActionType::killop); audit::logKillOpAuthzCheck( client, q.query, |