diff options
author | Moustafa Maher <m.maher@10gen.com> | 2021-03-03 00:08:53 +0000 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2021-08-04 23:26:46 +0000 |
commit | 865eccaf35aca29d1b71764d50227cdf853752d0 (patch) | |
tree | c3947ff401fc19d372908a59957e7d8b2c14831c /src | |
parent | 31194b8dd00e0862d2b0ebc5d6502360724e7297 (diff) | |
download | mongo-865eccaf35aca29d1b71764d50227cdf853752d0.tar.gz |
SERVER-36263 Bypassing operation validation in applyOps should require special privilege
Diffstat (limited to 'src')
-rw-r--r-- | src/mongo/db/auth/action_types.txt | 1 | ||||
-rw-r--r-- | src/mongo/db/auth/role_graph_builtin_roles.cpp | 2 | ||||
-rw-r--r-- | src/mongo/db/commands/oplog_application_checks.cpp | 5 |
3 files changed, 8 insertions, 0 deletions
diff --git a/src/mongo/db/auth/action_types.txt b/src/mongo/db/auth/action_types.txt index 71582f7f85b..4ecac2e6dbe 100644 --- a/src/mongo/db/auth/action_types.txt +++ b/src/mongo/db/auth/action_types.txt @@ -9,6 +9,7 @@ "anyAction", # Special ActionType that represents *all* actions "appendOplogNote", "applicationMessage", +"applyOps", "auditLogRotate", # Not used for permissions checks, but to id the event in logs. "authCheck", # Not used for permissions checks, but to id the authorization-checking event in logs. "authenticate", # Not used for permission checks, but to id authentication events in logs. diff --git a/src/mongo/db/auth/role_graph_builtin_roles.cpp b/src/mongo/db/auth/role_graph_builtin_roles.cpp index 783be516d4c..1469c0eb162 100644 --- a/src/mongo/db/auth/role_graph_builtin_roles.cpp +++ b/src/mongo/db/auth/role_graph_builtin_roles.cpp @@ -393,6 +393,8 @@ void addDbAdminAnyDbPrivileges(PrivilegeVector* privileges) { Privilege::addPrivilegeToPrivilegeVector( privileges, Privilege(ResourcePattern::forCollectionName("system.profile"), profileActions)); + Privilege::addPrivilegeToPrivilegeVector( + privileges, Privilege(ResourcePattern::forClusterResource(), ActionType::applyOps)); } void addClusterMonitorPrivileges(PrivilegeVector* privileges) { diff --git a/src/mongo/db/commands/oplog_application_checks.cpp b/src/mongo/db/commands/oplog_application_checks.cpp index 783d1002b35..1980f710f6f 100644 --- a/src/mongo/db/commands/oplog_application_checks.cpp +++ b/src/mongo/db/commands/oplog_application_checks.cpp @@ -204,6 +204,11 @@ Status OplogApplicationChecks::checkAuthForCommand(OperationContext* opCtx, const BSONObj& cmdObj, OplogApplicationValidity validity) { AuthorizationSession* authSession = AuthorizationSession::get(opCtx->getClient()); + if (!authSession->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::applyOps)) { + return Status(ErrorCodes::Unauthorized, "Unauthorized"); + } + if (validity == OplogApplicationValidity::kNeedsSuperuser) { std::vector<Privilege> universalPrivileges; RoleGraph::generateUniversalPrivileges(&universalPrivileges); |