author | Spencer T Brody <spencer@10gen.com> | 2012-12-11 12:42:05 -0500 |
---|---|---|
committer | Spencer T Brody <spencer@10gen.com> | 2012-12-11 17:33:19 -0500 |
commit | 7aff4a70be26ba72eb4b4ba855eac25d4a8e72d9 (patch) | |
tree | 4c859c4f93801c5999a1976b23469c0db7b8edfd /src | |
parent | 79782656749bd25cb4df50bfbb3df46e22236c24 (diff) | |
SERVER-7122 Add required privileges to more commands
Diffstat (limited to 'src')
-rw-r--r-- | src/mongo/db/commands/fail_point_cmd.cpp | 14 | ||||
-rw-r--r-- | src/mongo/db/commands/group.cpp | 22 | ||||
-rw-r--r-- | src/mongo/db/geo/2d.cpp | 13 | ||||
-rw-r--r-- | src/mongo/db/geo/geonear.cpp | 13 | ||||
-rw-r--r-- | src/mongo/db/geo/haystack.cpp | 14 | ||||
-rw-r--r-- | src/mongo/db/oplog.cpp | 12 | ||||
-rw-r--r-- | src/mongo/db/repl/rs_initiate.cpp | 13 | ||||
-rw-r--r-- | src/mongo/s/d_split.cpp | 31 | ||||
-rw-r--r-- | src/mongo/s/d_state.cpp | 36 |
9 files changed, 159 insertions, 9 deletions
diff --git a/src/mongo/db/commands/fail_point_cmd.cpp b/src/mongo/db/commands/fail_point_cmd.cpp
index 88616b39197..53d8f57db4b 100644
--- a/src/mongo/db/commands/fail_point_cmd.cpp
+++ b/src/mongo/db/commands/fail_point_cmd.cpp
@@ -16,6 +16,11 @@
 #include "mongo/db/commands/fail_point_cmd.h"
+#include <vector>
+
+#include "mongo/db/auth/action_set.h"
+#include "mongo/db/auth/action_type.h"
+#include "mongo/db/auth/privilege.h"
 #include "mongo/db/commands.h"
 #include "mongo/util/fail_point_service.h"
@@ -58,6 +63,15 @@ namespace mongo {
 return true; }
+ // No auth needed because it only works when enabled via command line.
+ virtual bool requiresAuth() {
+ return false;
+ }
+
+ virtual void addRequiredPrivileges(const std::string& dbname,
+ const BSONObj& cmdObj,
+ std::vector<Privilege>* out) {}
+
 virtual void help(stringstream& h) const { h << "modifies the settings of a fail point"; }
diff --git a/src/mongo/db/commands/group.cpp b/src/mongo/db/commands/group.cpp
index 5c0e09b0630..5d5f82cae9a 100644
--- a/src/mongo/db/commands/group.cpp
+++ b/src/mongo/db/commands/group.cpp
@@ -17,10 +17,16 @@
 */
 #include "pch.h"
-#include "../commands.h"
-#include "../instance.h"
-#include "../../scripting/engine.h"
-#include "../clientcursor.h"
+
+#include <vector>
+
+#include "mongo/db/auth/action_set.h"
+#include "mongo/db/auth/action_type.h"
+#include "mongo/db/auth/privilege.h"
+#include "mongo/db/commands.h"
+#include "mongo/db/instance.h"
+#include "mongo/scripting/engine.h"
+#include "mongo/db/clientcursor.h"
 namespace mongo {
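Review bot: The `requiresAuth()` override returning false in the fail_point_cmd.cpp hunk switches off authentication as well as authorization for a command that changes server behaviour, so the only remaining gate is the command-line switch the comment alludes to, and that dependency should be stated where it is relied on. The comment should name the precondition rather than just the intent, e.g. `// Authentication is deliberately bypassed: this command must only be registered when fail points are enabled on the command line, which must never be the case for a production deployment.` An assertion on the enabling flag at registration time would make the assumption checkable, but the registration code is outside this hunk. The enclosing command class starts outside the hunk.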
@@ -33,7 +39,13 @@ namespace mongo {
 virtual void help( stringstream &help ) const { help << "http://dochub.mongodb.org/core/aggregation"; }
-
+ virtual void addRequiredPrivileges(const std::string& dbname,
+ const BSONObj& cmdObj,
+ std::vector<Privilege>* out) {
+ ActionSet actions;
+ actions.addAction(ActionType::find);
+ out->push_back(Privilege(parseNs(dbname, cmdObj), actions));
+ }
 BSONObj getKey( const BSONObj& obj , const BSONObj& keyPattern , ScriptingFunction func , double avgSize , Scope * s ) { if ( func ) { BSONObjBuilder b( obj.objsize() + 32 );
diff --git a/src/mongo/db/geo/2d.cpp b/src/mongo/db/geo/2d.cpp
index 56323069532..8ebf6896a3b 100644
--- a/src/mongo/db/geo/2d.cpp
+++ b/src/mongo/db/geo/2d.cpp
@@ -15,6 +15,12 @@
 */
 #include "pch.h"
+
+#include <vector>
+
+#include "mongo/db/auth/action_set.h"
+#include "mongo/db/auth/action_type.h"
+#include "mongo/db/auth/privilege.h"
 #include "mongo/db/namespace-inl.h"
 #include "mongo/db/jsobj.h"
 #include "mongo/db/index.h"
@@ -2452,6 +2458,13 @@ namespace mongo {
 virtual LockType locktype() const { return READ; } bool slaveOk() const { return true; } bool slaveOverrideOk() const { return true; }
+ virtual void addRequiredPrivileges(const std::string& dbname,
+ const BSONObj& cmdObj,
+ std::vector<Privilege>* out) {
+ ActionSet actions;
+ actions.addAction(ActionType::find);
+ out->push_back(Privilege(parseNs(dbname, cmdObj), actions));
+ }
 bool run(const string& dbname, BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool fromRepl) { string ns = dbname + "." + cmdObj.firstElement().valuestr();
diff --git a/src/mongo/db/geo/geonear.cpp b/src/mongo/db/geo/geonear.cpp
index 94d449d36dd..892dd65af18 100644
--- a/src/mongo/db/geo/geonear.cpp
+++ b/src/mongo/db/geo/geonear.cpp
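Review bot: The new `addRequiredPrivileges` for the group command derives the collection with `parseNs(dbname, cmdObj)`, but the group command carries its collection in the nested `ns` field of the `group` sub-document rather than in the command's first element, so unless `parseNs` is overridden elsewhere in this class (not visible in the hunk) the `find` privilege is checked against a namespace that is not the one the command reads, possibly `dbname` with an empty collection name. A check on the wrong namespace either rejects legitimate callers or does not cover the collection actually scanned. Suggest overriding `parseNs` in this class to build the name from `cmdObj.firstElement().embeddedObject()["ns"]` and confirming it against how `run` resolves the namespace; `run` and the rest of the class are outside the hunk.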
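Review bot: In the 2d.cpp hunk the privilege namespace comes from `parseNs(dbname, cmdObj)` while the `run` that follows builds `ns` by hand as `dbname + "." + cmdObj.firstElement().valuestr()`; two independent derivations of the same name can drift apart, and the authorized collection should be exactly the one read. Consider `string ns = parseNs(dbname, cmdObj);` in `run` so both paths agree (`run` continues outside the hunk); the same applies to the geonear.cpp and haystack.cpp hunks, which repeat the pattern. The seven-line `find`-on-`parseNs` body is also now duplicated verbatim in group.cpp, 2d.cpp, geonear.cpp, haystack.cpp and the checkShardingIndex command in d_split.cpp; a small helper on the command base class (e.g. `addFindPrivilegeOnNs(dbname, cmdObj, out)`) would keep them consistent when the privilege model changes.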
@@ -14,6 +14,11 @@
 * along with this program. If not, see <http://www.gnu.org/licenses/>. */
+#include <vector>
+
+#include "mongo/db/auth/action_set.h"
+#include "mongo/db/auth/action_type.h"
+#include "mongo/db/auth/privilege.h"
 #include "mongo/db/commands.h"
 #include "mongo/db/jsobj.h"
 #include "mongo/db/namespace_details.h"
@@ -36,7 +41,13 @@ namespace mongo {
 void help(stringstream& h) const { h << "http://dochub.mongodb.org/core/geo#GeospatialIndexing-geoNearCommand"; }
-
+ virtual void addRequiredPrivileges(const std::string& dbname,
+ const BSONObj& cmdObj,
+ std::vector<Privilege>* out) {
+ ActionSet actions;
+ actions.addAction(ActionType::find);
+ out->push_back(Privilege(parseNs(dbname, cmdObj), actions));
+ }
 bool run(const string& dbname, BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool fromRepl) { string ns = dbname + "." + cmdObj.firstElement().valuestr(); NamespaceDetails *d = nsdetails(ns.c_str());
diff --git a/src/mongo/db/geo/haystack.cpp b/src/mongo/db/geo/haystack.cpp
index 42a07f443e7..728dc37b6f7 100644
--- a/src/mongo/db/geo/haystack.cpp
+++ b/src/mongo/db/geo/haystack.cpp
@@ -17,6 +17,12 @@
 */
 #include "pch.h"
+
+#include <vector>
+
+#include "mongo/db/auth/action_set.h"
+#include "mongo/db/auth/action_type.h"
+#include "mongo/db/auth/privilege.h"
 #include "mongo/db/namespace-inl.h"
 #include "mongo/db/jsobj.h"
 #include "mongo/db/index.h"
@@ -309,7 +315,13 @@ namespace mongo {
 virtual LockType locktype() const { return READ; } bool slaveOk() const { return true; } bool slaveOverrideOk() const { return true; }
-
+ virtual void addRequiredPrivileges(const std::string& dbname,
+ const BSONObj& cmdObj,
+ std::vector<Privilege>* out) {
+ ActionSet actions;
+ actions.addAction(ActionType::find);
+ out->push_back(Privilege(parseNs(dbname, cmdObj), actions));
+ }
 bool run(const string& dbname, BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool fromRepl) { string ns = dbname + "." + cmdObj.firstElement().valuestr();
diff --git a/src/mongo/db/oplog.cpp b/src/mongo/db/oplog.cpp
index faaa696e3e7..8179ae8a61a 100644
--- a/src/mongo/db/oplog.cpp
+++ b/src/mongo/db/oplog.cpp
@@ -20,6 +20,11 @@
 #include "mongo/db/oplog.h"
+#include <vector>
+
+#include "mongo/db/auth/action_set.h"
+#include "mongo/db/auth/action_type.h"
+#include "mongo/db/auth/privilege.h"
 #include "mongo/db/commands.h"
 #include "mongo/db/index_update.h"
 #include "mongo/db/instance.h"
@@ -881,6 +886,13 @@ namespace mongo {
 virtual void help( stringstream &help ) const { help << "internal (sharding)\n{ applyOps : [ ] , preCondition : [ { ns : ... , q : ... , res : ... } ] }"; }
+ virtual void addRequiredPrivileges(const std::string& dbname,
+ const BSONObj& cmdObj,
+ std::vector<Privilege>* out) {
+ ActionSet actions;
+ actions.addAction(ActionType::applyOps);
+ out->push_back(Privilege(AuthorizationManager::SERVER_RESOURCE_NAME, actions));
+ }
 virtual bool run(const string& dbname, BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool fromRepl) { if ( cmdObj.firstElement().type() != Array ) {
diff --git a/src/mongo/db/repl/rs_initiate.cpp b/src/mongo/db/repl/rs_initiate.cpp
index cd7be30e5e0..13a6f1f90eb 100644
--- a/src/mongo/db/repl/rs_initiate.cpp
+++ b/src/mongo/db/repl/rs_initiate.cpp
@@ -18,6 +18,12 @@
 */
 #include "pch.h"
+
+#include <vector>
+
+#include "mongo/db/auth/action_set.h"
+#include "mongo/db/auth/action_type.h"
+#include "mongo/db/auth/privilege.h"
 #include "../cmdline.h"
 #include "../commands.h"
 #include "../../util/mmap.h"
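Review bot: The applyOps override in the oplog.cpp hunk scopes the `applyOps` action to `AuthorizationManager::SERVER_RESOURCE_NAME` rather than to `parseNs`, and the reason is not recorded next to it. Since the ops array can name arbitrary namespaces (the help text shows per-op `ns` entries), a server-wide privilege is the right scope, and a one-line comment above the override would stop a later reader from narrowing it to a per-collection check: `// applyOps can write to any namespace named in its ops array, so it requires a server-wide privilege rather than one on parseNs().` The enclosing command class continues outside the hunk.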
@@ -150,6 +156,13 @@ namespace mongo {
 h << "Initiate/christen a replica set."; h << "\nhttp://dochub.mongodb.org/core/replicasetcommands"; }
+ virtual void addRequiredPrivileges(const std::string& dbname,
+ const BSONObj& cmdObj,
+ std::vector<Privilege>* out) {
+ ActionSet actions;
+ actions.addAction(ActionType::replSetInitiate);
+ out->push_back(Privilege(AuthorizationManager::SERVER_RESOURCE_NAME, actions));
+ }
 virtual bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool fromRepl) { log() << "replSet replSetInitiate admin command received from client" << rsLog;
diff --git a/src/mongo/s/d_split.cpp b/src/mongo/s/d_split.cpp
index 0c7a70fdca1..96fab9a0cc8 100644
--- a/src/mongo/s/d_split.cpp
+++ b/src/mongo/s/d_split.cpp
@@ -19,7 +19,11 @@
 #include "pch.h"
 #include <map>
 #include <string>
+#include <vector>
+#include "mongo/db/auth/action_set.h"
+#include "mongo/db/auth/action_type.h"
+#include "mongo/db/auth/privilege.h"
 #include "mongo/db/btreecursor.h"
 #include "../db/commands.h"
 #include "../db/jsobj.h"
@@ -47,6 +51,10 @@ namespace mongo {
 virtual void help( stringstream &help ) const { help << "Deprecated internal command. Use splitVector command instead. \n"; }
+ // No auth required as this command no longer does anything.
+ virtual void addRequiredPrivileges(const std::string& dbname,
+ const BSONObj& cmdObj,
+ std::vector<Privilege>* out) {}
 bool run(const string& dbname, BSONObj& jsobj, int, string& errmsg, BSONObjBuilder& result, bool fromRepl ) { errmsg = "medianKey command no longer supported. Calling this indicates mismatch between mongo versions."; return false;
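Review bot: The comment `// No auth required as this command no longer does anything.` above the empty medianKey override in the d_split.cpp hunk overstates what the hunk does: only the privilege list is empty, and `requiresAuth()` is not overridden here, so an authenticated session is presumably still required (the base-class default is outside this hunk). Suggest `// No privileges required: this command is a stub that only reports an error.` so the comment matches the `run` below, which sets errmsg and returns false. The enclosing command class starts outside the hunk.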
@@ -61,7 +69,13 @@ namespace mongo {
 virtual void help( stringstream &help ) const { help << "Internal command.\n"; }
-
+ virtual void addRequiredPrivileges(const std::string& dbname,
+ const BSONObj& cmdObj,
+ std::vector<Privilege>* out) {
+ ActionSet actions;
+ actions.addAction(ActionType::find);
+ out->push_back(Privilege(parseNs(dbname, cmdObj), actions));
+ }
 bool run(const string& dbname, BSONObj& jsobj, int, string& errmsg, BSONObjBuilder& result, bool fromRepl ) { const char* ns = jsobj.getStringField( "checkShardingIndex" );
@@ -183,6 +197,13 @@ namespace mongo {
 " 'force' will produce one split point even if data is small; defaults to false\n" "NOTE: This command may take a while to run"; }
+ virtual void addRequiredPrivileges(const std::string& dbname,
+ const BSONObj& cmdObj,
+ std::vector<Privilege>* out) {
+ ActionSet actions;
+ actions.addAction(ActionType::splitVector);
+ out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ }
 bool run(const string& dbname, BSONObj& jsobj, int, string& errmsg, BSONObjBuilder& result, bool fromRepl ) {
@@ -460,7 +481,13 @@ namespace mongo {
 virtual bool slaveOk() const { return false; } virtual bool adminOnly() const { return true; } virtual LockType locktype() const { return NONE; }
-
+ virtual void addRequiredPrivileges(const std::string& dbname,
+ const BSONObj& cmdObj,
+ std::vector<Privilege>* out) {
+ ActionSet actions;
+ actions.addAction(ActionType::splitChunk);
+ out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ }
 bool run(const string& dbname, BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool fromRepl ) { //
diff --git a/src/mongo/s/d_state.cpp b/src/mongo/s/d_state.cpp
index ab81e74cb1d..dccbc5fda84 100644
--- a/src/mongo/s/d_state.cpp
+++ b/src/mongo/s/d_state.cpp
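Review bot: In the checkShardingIndex hunk the `find` privilege is computed from `parseNs(dbname, cmdObj)`, but `run` on the next line takes its namespace from `jsobj.getStringField( "checkShardingIndex" )`, which looks the field up by name and does not go through `parseNs`; if the two ever resolve differently for a given command document, the collection that is authorized is not the one that is scanned. The check and the scan should draw the namespace from one place, for example by overriding `parseNs` in this class to return the same value `run` uses, after confirming whether that field carries a full namespace or a bare collection name (only the first line of `run` is in the hunk). The splitVector and splitChunk overrides later in this section are cluster-scoped and consistent with each other, so no change is proposed there.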
@@ -25,7 +25,11 @@
 #include "pch.h"
 #include <map>
 #include <string>
+#include <vector>
+#include "mongo/db/auth/action_set.h"
+#include "mongo/db/auth/action_type.h"
+#include "mongo/db/auth/privilege.h"
 #include "../db/commands.h"
 #include "../db/jsobj.h"
 #include "../db/db.h"
@@ -415,6 +419,14 @@ namespace mongo {
 virtual bool slaveOk() const { return true; }
+ virtual void addRequiredPrivileges(const std::string& dbname,
+ const BSONObj& cmdObj,
+ std::vector<Privilege>* out) {
+ ActionSet actions;
+ actions.addAction(ActionType::unsetSharding);
+ out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ }
+
 bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) { ShardedConnectionInfo::reset(); return true;
@@ -433,6 +445,14 @@ namespace mongo {
 virtual bool slaveOk() const { return true; } virtual LockType locktype() const { return NONE; }
+ virtual void addRequiredPrivileges(const std::string& dbname,
+ const BSONObj& cmdObj,
+ std::vector<Privilege>* out) {
+ ActionSet actions;
+ actions.addAction(ActionType::setShardVersion);
+ out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ }
+
 bool checkConfigOrInit( const string& configdb , bool authoritative , string& errmsg , BSONObjBuilder& result , bool locked=false ) const { if ( configdb.size() == 0 ) { errmsg = "no configdb";
@@ -704,6 +724,14 @@ namespace mongo {
 virtual LockType locktype() const { return NONE; }
+ virtual void addRequiredPrivileges(const std::string& dbname,
+ const BSONObj& cmdObj,
+ std::vector<Privilege>* out) {
+ ActionSet actions;
+ actions.addAction(ActionType::getShardVersion);
+ out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ }
+
 bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) { string ns = cmdObj["getShardVersion"].valuestrsafe(); if ( ns.size() == 0 ) {
@@ -733,6 +761,14 @@ namespace mongo {
 virtual LockType locktype() const { return WRITE; } // TODO: figure out how to make this not need to lock
+ virtual void addRequiredPrivileges(const std::string& dbname,
+ const BSONObj& cmdObj,
+ std::vector<Privilege>* out) {
+ ActionSet actions;
+ actions.addAction(ActionType::shardingState);
+ out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ }
+
 bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) { shardingState.appendInfo( result ); return true; |