Diffstat (limited to 'src/mongo/db/auth')
-rw-r--r-- | src/mongo/db/auth/authorization_session.h | 8 | ||||
-rw-r--r-- | src/mongo/db/auth/authorization_session_impl.cpp | 40 | ||||
-rw-r--r-- | src/mongo/db/auth/authorization_session_impl.h | 4 | ||||
-rw-r--r-- | src/mongo/db/auth/authorization_session_test.cpp | 37 | ||||
-rw-r--r-- | src/mongo/db/auth/role_graph_builtin_roles.cpp | 40 |
5 files changed, 13 insertions, 116 deletions
diff --git a/src/mongo/db/auth/authorization_session.h b/src/mongo/db/auth/authorization_session.h
index 5042a1fd7e5..6afd520910b 100644
--- a/src/mongo/db/auth/authorization_session.h
+++ b/src/mongo/db/auth/authorization_session.h
@@ -202,12 +202,8 @@ public:
 const BSONObj& update,
 bool upsert) = 0;
- // Checks if this connection has the privileges necessary to insert the given document
- // to the given namespace. Correctly interprets inserts to system.indexes and performs
- // the proper auth checks for index building.
- virtual Status checkAuthForInsert(OperationContext* opCtx,
- const NamespaceString& ns,
- const BSONObj& document) = 0;
+ // Checks if this connection has the privileges necessary to insert to the given namespace.
+ virtual Status checkAuthForInsert(OperationContext* opCtx, const NamespaceString& ns) = 0;
 // Checks if this connection has the privileges necessary to perform a delete on the given
 // namespace.
diff --git a/src/mongo/db/auth/authorization_session_impl.cpp b/src/mongo/db/auth/authorization_session_impl.cpp
index c1920d36d63..7ef744aef6e 100644
--- a/src/mongo/db/auth/authorization_session_impl.cpp
+++ b/src/mongo/db/auth/authorization_session_impl.cpp
@@ -351,30 +351,14 @@ Status AuthorizationSessionImpl::checkAuthForGetMore(const NamespaceString& ns,
 }
 Status AuthorizationSessionImpl::checkAuthForInsert(OperationContext* opCtx,
- const NamespaceString& ns,
- const BSONObj& document) {
- if (ns.coll() == "system.indexes"_sd) {
- BSONElement nsElement = document["ns"];
- if (nsElement.type() != String) {
- return Status(nsElement.type() == BSONType::EOO ? ErrorCodes::NoSuchKey
- : ErrorCodes::TypeMismatch,
- "Cannot authorize inserting into "
- "system.indexes documents without a string-typed \"ns\" field.");
- }
- NamespaceString indexNS(nsElement.valueStringData());
- if (!isAuthorizedForActionsOnNamespace(indexNS, ActionType::createIndex)) {
- return Status(ErrorCodes::Unauthorized,
- str::stream() << "not authorized to create index on " << indexNS.ns());
- }
- } else {
- ActionSet required{ActionType::insert};
- if (documentValidationDisabled(opCtx)) {
- required.addAction(ActionType::bypassDocumentValidation);
- }
- if (!isAuthorizedForActionsOnNamespace(ns, required)) {
- return Status(ErrorCodes::Unauthorized,
- str::stream() << "not authorized for insert on " << ns.ns());
- }
+ const NamespaceString& ns) {
+ ActionSet required{ActionType::insert};
+ if (documentValidationDisabled(opCtx)) {
+ required.addAction(ActionType::bypassDocumentValidation);
+ }
+ if (!isAuthorizedForActionsOnNamespace(ns, required)) {
+ return Status(ErrorCodes::Unauthorized,
+ str::stream() << "not authorized for insert on " << ns.ns());
 }
 return Status::OK();
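Review bot: With the `system.indexes` branch gone, `checkAuthForInsert` authorizes an insert into `<db>.system.indexes` like any other namespace, requiring only `insert` on it instead of `createIndex` on the collection named in the document. That is safe only if the write path rejects inserts into that namespace before this check is reached, which cannot be confirmed from this view because the diffstat is limited to src/mongo/db/auth. A comment at the top of the body stating the precondition would help, for example `// Inserts into system.indexes are no longer treated as index builds; callers must reject that namespace.`, and the test file in this commit removes the system.indexes cases without adding one that pins the new behaviour. The function's closing brace lies outside the hunk.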
@@ -747,13 +731,9 @@ bool AuthorizationSessionImpl::isAuthorizedToListCollections(StringData dbname,
 return true;
 }
- // Check for the listCollections ActionType on the database or find on system.namespaces for
- // pre 3.0 systems.
+ // Check for the listCollections ActionType on the database.
 return AuthorizationSessionImpl::isAuthorizedForActionsOnResource(
- ResourcePattern::forDatabaseName(dbname), ActionType::listCollections) ||
- AuthorizationSessionImpl::isAuthorizedForActionsOnResource(
- ResourcePattern::forExactNamespace(NamespaceString(dbname, "system.namespaces")),
- ActionType::find);
+ ResourcePattern::forDatabaseName(dbname), ActionType::listCollections);
 }
 bool AuthorizationSessionImpl::isAuthenticatedAsUserWithRole(const RoleName& roleName) {
diff --git a/src/mongo/db/auth/authorization_session_impl.h b/src/mongo/db/auth/authorization_session_impl.h
index 5449d2a99b8..b0b6bb731d3 100644
--- a/src/mongo/db/auth/authorization_session_impl.h
+++ b/src/mongo/db/auth/authorization_session_impl.h
@@ -113,9 +113,7 @@ public:
 const BSONObj& update,
 bool upsert) override;
- Status checkAuthForInsert(OperationContext* opCtx,
- const NamespaceString& ns,
- const BSONObj& document) override;
+ Status checkAuthForInsert(OperationContext* opCtx, const NamespaceString& ns) override;
 Status checkAuthForDelete(OperationContext* opCtx,
 const NamespaceString& ns,
diff --git a/src/mongo/db/auth/authorization_session_test.cpp b/src/mongo/db/auth/authorization_session_test.cpp
index e629f50cac5..cad01f09e9b 100644
--- a/src/mongo/db/auth/authorization_session_test.cpp
+++ b/src/mongo/db/auth/authorization_session_test.cpp
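Review bot: Dropping the `find`-on-`system.namespaces` fallback in `isAuthorizedToListCollections` means a user-defined role that grants only that privilege no longer authorizes listCollections, and nothing in the new code or its comment records this. The commit deletes `CanListCollectionsWithLegacySystemNamespacesAccess` in authorization_session_test.cpp but adds no negative counterpart; a test that assumes `find` on `test.system.namespaces` and then checks `ASSERT_FALSE(authzSession->isAuthorizedToListCollections(testFooNss.db(), cmd));` would keep the fallback from being reintroduced unnoticed. The change fails closed, so the remaining concern is an upgrade note for deployments that hold such roles. The function begins outside the hunk.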
@@ -149,20 +149,12 @@ const ResourcePattern otherUsersCollResource(
 ResourcePattern::forExactNamespace(NamespaceString("other.system.users")));
 const ResourcePattern thirdUsersCollResource(
 ResourcePattern::forExactNamespace(NamespaceString("third.system.users")));
-const ResourcePattern testIndexesCollResource(
- ResourcePattern::forExactNamespace(NamespaceString("test.system.indexes")));
-const ResourcePattern otherIndexesCollResource(
- ResourcePattern::forExactNamespace(NamespaceString("other.system.indexes")));
-const ResourcePattern thirdIndexesCollResource(
- ResourcePattern::forExactNamespace(NamespaceString("third.system.indexes")));
 const ResourcePattern testProfileCollResource(
 ResourcePattern::forExactNamespace(NamespaceString("test.system.profile")));
 const ResourcePattern otherProfileCollResource(
 ResourcePattern::forExactNamespace(NamespaceString("other.system.profile")));
 const ResourcePattern thirdProfileCollResource(
 ResourcePattern::forExactNamespace(NamespaceString("third.system.profile")));
-const ResourcePattern testSystemNamespacesResource(
- ResourcePattern::forExactNamespace(NamespaceString("test.system.namespaces")));
 TEST_F(AuthorizationSessionTest, AddUserAndCheckAuthorization) {
 // Check that disabling auth checks works
@@ -360,12 +352,8 @@ TEST_F(AuthorizationSessionTest, SystemCollectionsAccessControl) {
 ASSERT_FALSE(
 authzSession->isAuthorizedForActionsOnResource(otherUsersCollResource, ActionType::find));
 ASSERT_TRUE(
- authzSession->isAuthorizedForActionsOnResource(testIndexesCollResource, ActionType::find));
- ASSERT_TRUE(
 authzSession->isAuthorizedForActionsOnResource(testProfileCollResource, ActionType::find));
 ASSERT_TRUE(
- authzSession->isAuthorizedForActionsOnResource(otherIndexesCollResource, ActionType::find));
- ASSERT_TRUE(
 authzSession->isAuthorizedForActionsOnResource(otherProfileCollResource, ActionType::find));
 // Logging in as useradminany@test implicitly logs out rwany@test.
@@ -379,12 +367,8 @@ TEST_F(AuthorizationSessionTest, SystemCollectionsAccessControl) {
 ASSERT_TRUE(
 authzSession->isAuthorizedForActionsOnResource(otherUsersCollResource, ActionType::find));
 ASSERT_FALSE(
- authzSession->isAuthorizedForActionsOnResource(testIndexesCollResource, ActionType::find));
- ASSERT_FALSE(
 authzSession->isAuthorizedForActionsOnResource(testProfileCollResource, ActionType::find));
 ASSERT_FALSE(
- authzSession->isAuthorizedForActionsOnResource(otherIndexesCollResource, ActionType::find));
- ASSERT_FALSE(
 authzSession->isAuthorizedForActionsOnResource(otherProfileCollResource, ActionType::find));
 // Logging in as rw@test implicitly logs out useradminany@test.
@@ -399,12 +383,8 @@ TEST_F(AuthorizationSessionTest, SystemCollectionsAccessControl) {
 ASSERT_FALSE(
 authzSession->isAuthorizedForActionsOnResource(otherUsersCollResource, ActionType::find));
 ASSERT_TRUE(
- authzSession->isAuthorizedForActionsOnResource(testIndexesCollResource, ActionType::find));
- ASSERT_TRUE(
 authzSession->isAuthorizedForActionsOnResource(testProfileCollResource, ActionType::find));
 ASSERT_FALSE(
- authzSession->isAuthorizedForActionsOnResource(otherIndexesCollResource, ActionType::find));
- ASSERT_FALSE(
 authzSession->isAuthorizedForActionsOnResource(otherProfileCollResource, ActionType::find));
@@ -419,12 +399,8 @@ TEST_F(AuthorizationSessionTest, SystemCollectionsAccessControl) {
 ASSERT_FALSE(
 authzSession->isAuthorizedForActionsOnResource(otherUsersCollResource, ActionType::find));
 ASSERT_FALSE(
- authzSession->isAuthorizedForActionsOnResource(testIndexesCollResource, ActionType::find));
- ASSERT_FALSE(
 authzSession->isAuthorizedForActionsOnResource(testProfileCollResource, ActionType::find));
 ASSERT_FALSE(
- authzSession->isAuthorizedForActionsOnResource(otherIndexesCollResource, ActionType::find));
- ASSERT_FALSE(
 authzSession->isAuthorizedForActionsOnResource(otherProfileCollResource, ActionType::find));
 }
@@ -1252,19 +1228,6 @@ TEST_F(AuthorizationSessionTest, CannotListCollectionsWithoutListCollectionsPriv
 ASSERT_FALSE(authzSession->isAuthorizedToListCollections(testQuxNss.db(), cmd));
 }
-TEST_F(AuthorizationSessionTest, CanListCollectionsWithLegacySystemNamespacesAccess) {
- BSONObj cmd = BSON("listCollections" << 1);
-
- // Deprecated: permissions for the find action on test.system.namespaces allows us to list
- // collections in the test database.
- authzSession->assumePrivilegesForDB(
- Privilege(testSystemNamespacesResource, {ActionType::find}));
-
- ASSERT_TRUE(authzSession->isAuthorizedToListCollections(testFooNss.db(), cmd));
- ASSERT_TRUE(authzSession->isAuthorizedToListCollections(testBarNss.db(), cmd));
- ASSERT_TRUE(authzSession->isAuthorizedToListCollections(testQuxNss.db(), cmd));
-}
-
 TEST_F(AuthorizationSessionTest, CanListCollectionsWithListCollectionsPrivilege) {
 BSONObj cmd = BSON("listCollections" << 1);
 // The listCollections privilege authorizes the list collections command.
diff --git a/src/mongo/db/auth/role_graph_builtin_roles.cpp b/src/mongo/db/auth/role_graph_builtin_roles.cpp
index 8f096ac641d..d9875a20f96 100644
--- a/src/mongo/db/auth/role_graph_builtin_roles.cpp
+++ b/src/mongo/db/auth/role_graph_builtin_roles.cpp
@@ -261,16 +261,8 @@ void addReadOnlyDbPrivileges(PrivilegeVector* privileges, StringData dbName) {
 privileges, Privilege(ResourcePattern::forDatabaseName(dbName), readRoleActions));
 Privilege::addPrivilegeToPrivilegeVector(
 privileges,
- Privilege(ResourcePattern::forExactNamespace(NamespaceString(dbName, "system.indexes")),
- readRoleActions));
- Privilege::addPrivilegeToPrivilegeVector(
- privileges,
 Privilege(ResourcePattern::forExactNamespace(NamespaceString(dbName, "system.js")),
 readRoleActions));
- Privilege::addPrivilegeToPrivilegeVector(
- privileges,
- Privilege(ResourcePattern::forExactNamespace(NamespaceString(dbName, "system.namespaces")),
- readRoleActions));
 }
 void addReadWriteDbPrivileges(PrivilegeVector* privileges, StringData dbName) {
@@ -291,14 +283,6 @@ void addUserAdminDbPrivileges(PrivilegeVector* privileges, StringData dbName) {
 void addDbAdminDbPrivileges(PrivilegeVector* privileges, StringData dbName) {
 Privilege::addPrivilegeToPrivilegeVector(
 privileges, Privilege(ResourcePattern::forDatabaseName(dbName), dbAdminRoleActions));
- Privilege::addPrivilegeToPrivilegeVector(
- privileges,
- Privilege(ResourcePattern::forExactNamespace(NamespaceString(dbName, "system.indexes")),
- readRoleActions));
- Privilege::addPrivilegeToPrivilegeVector(
- privileges,
- Privilege(ResourcePattern::forExactNamespace(NamespaceString(dbName, "system.namespaces")),
- readRoleActions));
 ActionSet profileActions = readRoleActions;
 profileActions.addAction(ActionType::convertToCapped);
@@ -329,13 +313,7 @@ void addReadOnlyAnyDbPrivileges(PrivilegeVector* privileges) {
 Privilege::addPrivilegeToPrivilegeVector(
 privileges, Privilege(ResourcePattern::forClusterResource(), ActionType::listDatabases));
 Privilege::addPrivilegeToPrivilegeVector(
- privileges,
- Privilege(ResourcePattern::forCollectionName("system.indexes"), readRoleActions));
- Privilege::addPrivilegeToPrivilegeVector(
 privileges, Privilege(ResourcePattern::forCollectionName("system.js"), readRoleActions));
- Privilege::addPrivilegeToPrivilegeVector(
- privileges,
- Privilege(ResourcePattern::forCollectionName("system.namespaces"), readRoleActions));
 }
 void addReadWriteAnyDbPrivileges(PrivilegeVector* privileges) {
@@ -402,12 +380,6 @@ void addDbAdminAnyDbPrivileges(PrivilegeVector* privileges) {
 privileges, Privilege(ResourcePattern::forClusterResource(), ActionType::listDatabases));
 Privilege::addPrivilegeToPrivilegeVector(
 privileges, Privilege(ResourcePattern::forAnyNormalResource(), dbAdminRoleActions));
- Privilege::addPrivilegeToPrivilegeVector(
- privileges,
- Privilege(ResourcePattern::forCollectionName("system.indexes"), readRoleActions));
- Privilege::addPrivilegeToPrivilegeVector(
- privileges,
- Privilege(ResourcePattern::forCollectionName("system.namespaces"), readRoleActions));
 ActionSet profileActions = readRoleActions;
 profileActions.addAction(ActionType::convertToCapped);
 profileActions.addAction(ActionType::createCollection);
@@ -509,14 +481,6 @@ void addQueryableBackupPrivileges(PrivilegeVector* privileges) {
 privileges, Privilege(ResourcePattern::forDatabaseName("local"), ActionType::find));
 Privilege::addPrivilegeToPrivilegeVector(
- privileges,
- Privilege(ResourcePattern::forCollectionName("system.indexes"), ActionType::find));
-
- Privilege::addPrivilegeToPrivilegeVector(
- privileges,
- Privilege(ResourcePattern::forCollectionName("system.namespaces"), ActionType::find));
-
- Privilege::addPrivilegeToPrivilegeVector(
 privileges, Privilege(ResourcePattern::forCollectionName("system.js"), ActionType::find));
 Privilege::addPrivilegeToPrivilegeVector(
@@ -585,10 +549,6 @@ void addRestorePrivileges(PrivilegeVector* privileges) {
 Privilege::addPrivilegeToPrivilegeVector(
 privileges, Privilege(ResourcePattern::forCollectionName("system.js"), actions));
- // Need to be able to query system.namespaces to check existing collection options.
- Privilege::addPrivilegeToPrivilegeVector(
- privileges,
- Privilege(ResourcePattern::forCollectionName("system.namespaces"), ActionType::find));
 Privilege::addPrivilegeToPrivilegeVector(
 privileges, Privilege(ResourcePattern::forAnyResource(), ActionType::listCollections)); |