Diffstat (limited to 'src/mongo/db/multitenancy.cpp')
-rw-r--r-- | src/mongo/db/multitenancy.cpp | 52 |
1 files changed, 4 insertions, 48 deletions
diff --git a/src/mongo/db/multitenancy.cpp b/src/mongo/db/multitenancy.cpp
index 27ced8eee24..f12a4f7b55d 100644
--- a/src/mongo/db/multitenancy.cpp
+++ b/src/mongo/db/multitenancy.cpp
@@ -29,61 +29,17 @@
 #include "mongo/db/multitenancy.h"
-#include "mongo/db/auth/authorization_session.h"
-#include "mongo/db/auth/security_token.h"
-#include "mongo/db/multitenancy_gen.h"
+#include "mongo/db/auth/validated_tenancy_scope.h"
 #include "mongo/db/tenant_id.h"
-#include "mongo/logv2/log.h"
-
-#define MONGO_LOGV2_DEFAULT_COMPONENT ::mongo::logv2::LogComponent::kDefault
-
 namespace mongo {
-// Holds the tenantId for the operation if it was provided in the request on the $tenant field only
-// if the tenantId was not also provided in the security token.
-const auto dollarTenantDecoration =
- OperationContext::declareDecoration<boost::optional<mongo::TenantId>>();
-
-void parseDollarTenantFromRequest(OperationContext* opCtx, const OpMsg& request) {
- // The internal security user is allowed to run commands on behalf of a tenant by passing
- // the tenantId in the "$tenant" field.
- auto tenantElem = request.body["$tenant"];
- if (!tenantElem)
- return;
-
- uassert(ErrorCodes::InvalidOptions,
- "Multitenancy not enabled, cannot set $tenant in command body",
- gMultitenancySupport);
-
- uassert(ErrorCodes::Unauthorized,
- "'$tenant' may only be specified with the useTenant action type",
- AuthorizationSession::get(opCtx->getClient())
- ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
- ActionType::useTenant));
-
- auto tenantId = TenantId::parseFromBSON(tenantElem);
-
- uassert(6223901,
- str::stream() << "Cannot pass $tenant id if also passing securityToken, securityToken: "
- << auth::getSecurityToken(opCtx)->getAuthenticatedUser().getTenant()
- << " $tenant: " << tenantId,
- !auth::getSecurityToken(opCtx));
-
-
- dollarTenantDecoration(opCtx) = std::move(tenantId);
- LOGV2_DEBUG(
- 6223900, 4, "Setting tenantId from $tenant request parameter", "tenantId"_attr = tenantId);
-}
-
 boost::optional<TenantId> getActiveTenant(OperationContext* opCtx) {
- auto token = auth::getSecurityToken(opCtx);
- if (!token) {
- return dollarTenantDecoration(opCtx);
+ if (auto token = auth::ValidatedTenancyScope::get(opCtx)) {
+ return token->tenantId();
 }
- invariant(!dollarTenantDecoration(opCtx));
- return token->getAuthenticatedUser().getTenant();
+ return boost::none;
 }
 } // namespace mongo |
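Review bot: `getActiveTenant()` now returns whatever `auth::ValidatedTenancyScope::get(opCtx)` holds, so the three guards deleted with `parseDollarTenantFromRequest` (the `gMultitenancySupport` check, the `ActionType::useTenant` authorization, and the rejection of `$tenant` combined with a security token) are no longer visible anywhere in this file. This page is limited to multitenancy.cpp, so presumably they moved to the code that builds the scope; that is worth confirming, because a scope populated without the `useTenant` check would let any caller choose the tenant for an operation. I would record the dependency on the function, e.g. `// Tenant comes only from the ValidatedTenancyScope on opCtx; the useTenant check and the $tenant/securityToken exclusivity are enforced when that scope is created.` The `invariant` and debug log 6223900 that recorded a tenant taken from `$tenant` are also gone, so check that the replacement path still logs which source supplied the tenant.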