Diffstat (limited to 'src/mongo/db/auth/authorization_session.h')
-rw-r--r-- | src/mongo/db/auth/authorization_session.h | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/src/mongo/db/auth/authorization_session.h b/src/mongo/db/auth/authorization_session.h
index 2cd46a8d59f..96352b2a560 100644
--- a/src/mongo/db/auth/authorization_session.h
+++ b/src/mongo/db/auth/authorization_session.h
@@ -42,6 +42,7 @@
 #include "mongo/db/auth/user_name.h"
 #include "mongo/db/auth/user_set.h"
 #include "mongo/db/namespace_string.h"
+#include "mongo/util/concurrency/with_lock.h"
 
 namespace mongo {
 
@@ -130,12 +131,15 @@ public:
     std::string getAuthenticatedUserNamesToken();
 
     // Removes any authenticated principals whose authorization credentials came from the given
-    // database, and revokes any privileges that were granted via that principal.
-    void logoutDatabase(const std::string& dbname);
+    // database, and revokes any privileges that were granted via that principal. This function
+    // modifies state. Synchronizes with the Client lock.
+    void logoutDatabase(OperationContext* opCtx, const std::string& dbname);
 
     // Adds the internalSecurity user to the set of authenticated users.
-    // Used to grant internal threads full access.
-    void grantInternalAuthorization();
+    // Used to grant internal threads full access. Takes in the Client
+    // as a parameter so it can take out a lock on the client.
+    void grantInternalAuthorization(Client* client);
+    void grantInternalAuthorization(OperationContext* opCtx);
 
     // Generates a vector of default privileges that are granted to any user,
     // regardless of which roles that user does or does not possess.
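Review bot: The `OperationContext*` overload of `grantInternalAuthorization` is undocumented, and the sentence above it ("Takes in the Client as a parameter so it can take out a lock on the client") reads as though it covered both declarations although only the `Client*` one takes a Client. Since these two functions change which principals a session is authenticated as, the locking contract is the safety-relevant part and should be stated per overload, e.g. `// Overload for callers that only have an OperationContext; presumably locks the Client owned by 'opCtx', which must be non-null.` (hedged, as the definition is not in this hunk). The `logoutDatabase` comment "Synchronizes with the Client lock" should likewise say whether the lock is acquired inside the call, so a caller knows it must not already hold it; the `isCoauthorizedWithClient` change in the same commit instead expects the caller to hold the lock, and that asymmetry is easy to get wrong. The enclosing class body begins and ends outside this hunk.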
@@ -268,8 +272,12 @@ public:
     // authenticated user. If either object has impersonated users,
     // those users will be considered as 'authenticated' for the purpose of this check.
     //
-    // The existence of 'opClient' must be guaranteed through locks taken by the caller.
-    bool isCoauthorizedWithClient(Client* opClient);
+    // The existence of 'opClient' must be guaranteed through locks taken by the caller,
+    // as demonstrated by opClientLock which must be a lock taken on opClient.
+    //
+    // Returns true if the current auth session and the opClient's auth session have users
+    // in common.
+    bool isCoauthorizedWithClient(Client* opClient, WithLock opClientLock);
 
     // Tells whether impersonation is active or not. This state is set when
     // setImpersonatedUserData is called and cleared when clearImpersonatedUserData is
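Review bot: `WithLock opClientLock` proves to the compiler that the caller holds some lock, but not that it is the lock on `opClient`; the comment "must be a lock taken on opClient" is therefore the whole guarantee and is not checkable, which matters because this predicate decides whether another session's users are treated as the caller's own. Suggest making the unchecked nature explicit in the comment, e.g. `// NOTE: WithLock does not identify which lock was taken; passing a token obtained from a different Client's mutex gives no protection against concurrent logout/grant on opClient.` It would also help to state whether the calling session's own Client must be locked for the "users in common" comparison, since the preceding context lines only cover impersonated users. The enclosing class body begins and ends outside this hunk.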