author | Shreyas Kalyan <shreyas.kalyan@10gen.com> | 2019-01-29 17:55:46 -0500 |
---|---|---|
committer | Shreyas Kalyan <shreyas.kalyan@10gen.com> | 2019-02-04 14:33:43 -0500 |
commit | 1b1cf52e94c49ca4c6d8ba693e949c2b655e74b5 (patch) | |
tree | 4b1207bf363fa5ebde769e30030b3a8452bee360 /src | |
parent | f06d8bc5b4c1e7b167a93d57930ad919ec4760b9 (diff) | |
download | mongo-1b1cf52e94c49ca4c6d8ba693e949c2b655e74b5.tar.gz |
SERVER-39056 Further refine readWriteAnyDatabase
Diffstat (limited to 'src')
-rw-r--r-- | src/mongo/db/auth/authorization_session_impl.cpp | 4 | ||||
-rw-r--r-- | src/mongo/db/auth/role_graph_builtin_roles.cpp | 4 |
2 files changed, 7 insertions, 1 deletions
diff --git a/src/mongo/db/auth/authorization_session_impl.cpp b/src/mongo/db/auth/authorization_session_impl.cpp
index 52b1f041fef..c54b632d943 100644
--- a/src/mongo/db/auth/authorization_session_impl.cpp
+++ b/src/mongo/db/auth/authorization_session_impl.cpp
@@ -663,7 +663,9 @@ static int buildResourceSearchList(const ResourcePattern& target,
         }
         resourceSearchList[size++] = ResourcePattern::forCollectionName(target.ns().coll());
     } else if (target.isDatabasePattern()) {
-        resourceSearchList[size++] = ResourcePattern::forAnyNormalResource();
+        if (target.ns().db() != "local" && target.ns().db() != "config") {
+            resourceSearchList[size++] = ResourcePattern::forAnyNormalResource();
+        }
     }
     resourceSearchList[size++] = target;
     dassert(size <= resourceSearchListCapacity);
diff --git a/src/mongo/db/auth/role_graph_builtin_roles.cpp b/src/mongo/db/auth/role_graph_builtin_roles.cpp
index 0ac352e86ad..e9506a5f07c 100644
--- a/src/mongo/db/auth/role_graph_builtin_roles.cpp
+++ b/src/mongo/db/auth/role_graph_builtin_roles.cpp
@@ -330,6 +330,10 @@ void addUserAdminAnyDbPrivileges(PrivilegeVector* privileges) {
     Privilege::addPrivilegeToPrivilegeVector(
         privileges, Privilege(ResourcePattern::forAnyNormalResource(), userAdminRoleActions));
     Privilege::addPrivilegeToPrivilegeVector(
+        privileges, Privilege(ResourcePattern::forDatabaseName("local"), userAdminRoleActions));
+    Privilege::addPrivilegeToPrivilegeVector(
+        privileges, Privilege(ResourcePattern::forDatabaseName("config"), userAdminRoleActions));
+    Privilege::addPrivilegeToPrivilegeVector(
         privileges, Privilege(ResourcePattern::forClusterResource(), ActionType::listDatabases));
     Privilege::addPrivilegeToPrivilegeVector(
         privileges,
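Review bot: The new `local`/`config` exclusion is applied only in the `isDatabasePattern()` branch, so whether `forAnyNormalResource()` still matches exact collection targets inside those databases is decided by the `isExactNamespacePattern()` branch, which starts above the hunk; if that branch still pushes `forAnyNormalResource()` for non-system collections, a readWriteAnyDatabase holder denied at the `local` database level would still be authorized on `local.<coll>`, so the two branches should apply the same rule. The two literals are also repeated in role_graph_builtin_roles.cpp in this same commit; if NamespaceString exposes `kLocalDb`/`kConfigDb` constants, comparing against those keeps the set of "not normal" databases defined in one place. The intent is not visible from the code and deserves a comment on the new `if`, e.g. `// The local and config databases are not "normal" resources: roles granted on forAnyNormalResource (e.g. readWriteAnyDatabase) must not reach them; access there needs an explicit per-database grant.` buildResourceSearchList begins before the hunk.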
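Review bot: The two new `forDatabaseName("local")`/`forDatabaseName("config")` grants restore userAdminAnyDatabase's reach after `forAnyNormalResource()` stops matching those databases, but nothing in the commit shows the same treatment for the other `*AnyDatabase` roles that are presumably built on `forAnyNormalResource()` (dbAdminAnyDatabase, readAnyDatabase); readWriteAnyDatabase losing them is the stated goal, so confirm the others are meant to lose them too and add a test pinning each role's access to `local` and `config`. The reason for the new grants cannot be inferred from this file alone and should be stated, e.g. `// forAnyNormalResource() no longer matches the local and config databases (see buildResourceSearchList), so user administration there must be granted explicitly.` addUserAdminAnyDbPrivileges continues past the end of the hunk.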