Diffstat (limited to 'src/mongo/s/commands')
24 files changed, 228 insertions, 138 deletions
diff --git a/src/mongo/s/commands/cluster_add_shard_cmd.cpp b/src/mongo/s/commands/cluster_add_shard_cmd.cpp index 9b7e013accd..9c059c51e59 100644 --- a/src/mongo/s/commands/cluster_add_shard_cmd.cpp +++ b/src/mongo/s/commands/cluster_add_shard_cmd.cpp @@ -30,6 +30,7 @@ #include "mongo/platform/basic.h" +#include "mongo/db/auth/authorization_session.h" #include "mongo/db/commands.h" #include "mongo/s/client/shard_registry.h" #include "mongo/s/grid.h" @@ -65,12 +66,16 @@ public: return "add a new shard to the system"; } - void addRequiredPrivileges(const std::string& dbname, - const BSONObj& cmdObj, - std::vector<Privilege>* out) const override { - ActionSet actions; - actions.addAction(ActionType::addShard); - out->push_back(Privilege(ResourcePattern::forClusterResource(), actions)); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const override { + auto* as = AuthorizationSession::get(opCtx->getClient()); + if (!as->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::addShard)) { + return {ErrorCodes::Unauthorized, "unauthorized"}; + } + + return Status::OK(); } bool run(OperationContext* opCtx, diff --git a/src/mongo/s/commands/cluster_build_info.cpp b/src/mongo/s/commands/cluster_build_info.cpp index c946ab8e6af..18abb7c950b 100644 --- a/src/mongo/s/commands/cluster_build_info.cpp +++ b/src/mongo/s/commands/cluster_build_info.cpp @@ -90,9 +90,11 @@ public: return false; } - void addRequiredPrivileges(const std::string& dbname, - const BSONObj& cmdObj, - std::vector<Privilege>* out) const final {} // No auth required + Status checkAuthForOperation(OperationContext*, + const DatabaseName&, + const BSONObj&) const override { + return Status::OK(); // No auth required + } std::string help() const final { return "get version #, etc.\n" diff --git a/src/mongo/s/commands/cluster_coll_stats_cmd.cpp b/src/mongo/s/commands/cluster_coll_stats_cmd.cpp index 25b3e15b578..b33da24608f 100644 
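Review bot: The six-line body added to `checkAuthForOperation` in cluster_add_shard_cmd.cpp is copied by hand into most of the other command files in this diff (fsync, listShards, netstat, removeShard, flushRouterConfig, getShardMap and the namespace-scoped commands), differing only in the resource pattern and the `ActionType`. With that many copies, a pasted block whose action was not edited would still compile and would quietly check the wrong privilege. A shared helper would reduce each override to a single reviewable line, for example `return checkActionOnResource(opCtx, ResourcePattern::forClusterResource(), ActionType::addShard);` (the helper name is a placeholder and is not part of this diff). The class body continues outside the hunk.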
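Review bot: In cluster_build_info.cpp the removed `addRequiredPrivileges` was declared `const final`, but the new `checkAuthForOperation` is declared `const override`, so the authorization hook is no longer sealed while the neighbouring `help()` still is. The same `final` to `override` change appears in the cluster_create_indexes_cmd.cpp and cluster_hello_cmd.cpp hunks. Unless the classes themselves are `final` (not visible in these hunks), keep the qualifier on the new function: `const BSONObj&) const final {`.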
--- a/src/mongo/s/commands/cluster_coll_stats_cmd.cpp +++ b/src/mongo/s/commands/cluster_coll_stats_cmd.cpp @@ -30,6 +30,7 @@ #include "mongo/platform/basic.h" +#include "mongo/db/auth/authorization_session.h" #include "mongo/db/commands.h" #include "mongo/db/timeseries/timeseries_commands_conversion_helper.h" #include "mongo/logv2/log.h" @@ -182,12 +183,16 @@ public: return false; } - void addRequiredPrivileges(const std::string& dbname, - const BSONObj& cmdObj, - std::vector<Privilege>* out) const override { - ActionSet actions; - actions.addAction(ActionType::collStats); - out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions)); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const override { + auto* as = AuthorizationSession::get(opCtx->getClient()); + if (!as->isAuthorizedForActionsOnResource(parseResourcePattern(dbName.db(), cmdObj), + ActionType::collStats)) { + return {ErrorCodes::Unauthorized, "unauthorized"}; + } + + return Status::OK(); } bool run(OperationContext* opCtx, diff --git a/src/mongo/s/commands/cluster_compact_cmd.cpp b/src/mongo/s/commands/cluster_compact_cmd.cpp index 055e8d81688..e53ce4ef780 100644 --- a/src/mongo/s/commands/cluster_compact_cmd.cpp +++ b/src/mongo/s/commands/cluster_compact_cmd.cpp @@ -29,6 +29,7 @@ #include "mongo/platform/basic.h" +#include "mongo/db/auth/authorization_session.h" #include "mongo/db/commands.h" namespace mongo { 
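Review bot: In cluster_coll_stats_cmd.cpp the check builds its resource with `parseResourcePattern(dbName.db(), cmdObj)`, which reduces the `DatabaseName` to its plain database string before the privilege lookup. If `DatabaseName` carries anything beyond that string (a tenant id, for instance), the resource being authorized is no longer scoped by it. Whether `parseResourcePattern` has an overload taking `DatabaseName` is not visible here. The same call is added in the compact, convertToCapped, count, createIndexes, distinct, dropIndexes, filemd5 and validate hunks. Until that is settled, mark the call with a comment such as `// NOTE: resource is derived from the db string only; confirm no tenant scoping is lost`.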
@@ -46,12 +47,16 @@ public: return false; } - void addRequiredPrivileges(const std::string& dbname, - const BSONObj& cmdObj, - std::vector<Privilege>* out) const override { - ActionSet actions; - actions.addAction(ActionType::compact); - out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions)); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const override { + auto* as = AuthorizationSession::get(opCtx->getClient()); + if (!as->isAuthorizedForActionsOnResource(parseResourcePattern(dbName.db(), cmdObj), + ActionType::compact)) { + return {ErrorCodes::Unauthorized, "unauthorized"}; + } + + return Status::OK(); } bool supportsWriteConcern(const BSONObj& cmd) const override { diff --git a/src/mongo/s/commands/cluster_convert_to_capped_cmd.cpp b/src/mongo/s/commands/cluster_convert_to_capped_cmd.cpp index 35f7e9d9701..a34450631fb 100644 --- a/src/mongo/s/commands/cluster_convert_to_capped_cmd.cpp +++ b/src/mongo/s/commands/cluster_convert_to_capped_cmd.cpp @@ -91,12 +91,16 @@ public: return CommandHelpers::parseNsCollectionRequired(dbName, cmdObj); } - void addRequiredPrivileges(const std::string& dbname, - const BSONObj& cmdObj, - std::vector<Privilege>* out) const override { - ActionSet actions; - actions.addAction(ActionType::convertToCapped); - out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions)); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const override { + auto* as = AuthorizationSession::get(opCtx->getClient()); + if (!as->isAuthorizedForActionsOnResource(parseResourcePattern(dbName.db(), cmdObj), + ActionType::convertToCapped)) { + return {ErrorCodes::Unauthorized, "unauthorized"}; + } + + return Status::OK(); } bool run(OperationContext* opCtx, diff --git a/src/mongo/s/commands/cluster_count_cmd.h b/src/mongo/s/commands/cluster_count_cmd.h index 32aae8fb5f6..d90421f550f 100644 
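Review bot: cluster_convert_to_capped_cmd.cpp now calls `AuthorizationSession::get`, but unlike most files in this diff it has no hunk adding `#include "mongo/db/auth/authorization_session.h"`. The same holds for cluster_create_indexes_cmd.cpp and cluster_find_and_modify_cmd.cpp. The header may already be included outside the visible hunks or arrive transitively. If it is only transitive, add the include explicitly so the authorization code does not depend on another header's include list.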
--- a/src/mongo/s/commands/cluster_count_cmd.h +++ b/src/mongo/s/commands/cluster_count_cmd.h @@ -32,6 +32,7 @@ #include <vector> #include "mongo/bson/util/bson_extract.h" +#include "mongo/db/auth/authorization_session.h" #include "mongo/db/commands.h" #include "mongo/db/fle_crud.h" #include "mongo/db/query/count_command_as_aggregation_command.h" @@ -86,13 +87,16 @@ public: Status::OK()}; } - void addRequiredPrivileges(const std::string& dbname, - const BSONObj& cmdObj, - std::vector<Privilege>* out) const override { - ActionSet actions; - actions.addAction(ActionType::find); - out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions)); - Impl::addRequiredPrivileges(dbname, cmdObj, out); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const override { + auto* as = AuthorizationSession::get(opCtx->getClient()); + if (!as->isAuthorizedForActionsOnResource(parseResourcePattern(dbName.db(), cmdObj), + ActionType::find)) { + return {ErrorCodes::Unauthorized, "unauthorized"}; + } + + return Impl::checkAuthForOperation(opCtx); } bool errmsgRun(OperationContext* opCtx, diff --git a/src/mongo/s/commands/cluster_count_cmd_s.cpp b/src/mongo/s/commands/cluster_count_cmd_s.cpp index d177d19d5ec..4226d06a189 100644 --- a/src/mongo/s/commands/cluster_count_cmd_s.cpp +++ b/src/mongo/s/commands/cluster_count_cmd_s.cpp @@ -42,10 +42,9 @@ struct ClusterCountCmdS { return kApiVersions1; } - static void addRequiredPrivileges(const std::string& dbname, - const BSONObj& cmdObj, - std::vector<Privilege>* out) { + static Status checkAuthForOperation(OperationContext*) { // No additional required privileges on a mongos. + return Status::OK(); } static void checkCanRunHere(OperationContext* opCtx) { diff --git a/src/mongo/s/commands/cluster_create_indexes_cmd.cpp b/src/mongo/s/commands/cluster_create_indexes_cmd.cpp index 3a56ea99141..7699a802d01 100644 --- a/src/mongo/s/commands/cluster_create_indexes_cmd.cpp 
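Review bot: In cluster_count_cmd.h the delegation changed from `Impl::addRequiredPrivileges(dbname, cmdObj, out)` to `Impl::checkAuthForOperation(opCtx)`, so the Impl hook no longer receives the database name or the command object. The mongos Impl in cluster_count_cmd_s.cpp needs neither, but any other Impl of this template (none is visible in this view, which is limited to src/mongo/s/commands) could not make a namespace-specific decision. Passing them through keeps the hook as capable as before: `return Impl::checkAuthForOperation(opCtx, dbName, cmdObj);`, with the matching parameter list on `ClusterCountCmdS::checkAuthForOperation`.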
+++ b/src/mongo/s/commands/cluster_create_indexes_cmd.cpp @@ -68,10 +68,16 @@ public: return false; } - void addRequiredPrivileges(const std::string& dbname, - const BSONObj& cmdObj, - std::vector<Privilege>* out) const final { - out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), ActionType::createIndex)); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const override { + auto* as = AuthorizationSession::get(opCtx->getClient()); + if (!as->isAuthorizedForActionsOnResource(parseResourcePattern(dbName.db(), cmdObj), + ActionType::createIndex)) { + return {ErrorCodes::Unauthorized, "unauthorized"}; + } + + return Status::OK(); } bool supportsWriteConcern(const BSONObj& cmd) const final { diff --git a/src/mongo/s/commands/cluster_distinct_cmd.cpp b/src/mongo/s/commands/cluster_distinct_cmd.cpp index a4690c8c4db..1bcddd4aa80 100644 --- a/src/mongo/s/commands/cluster_distinct_cmd.cpp +++ b/src/mongo/s/commands/cluster_distinct_cmd.cpp @@ -31,6 +31,7 @@ #include "mongo/platform/basic.h" #include "mongo/bson/bsonobj_comparator.h" +#include "mongo/db/auth/authorization_session.h" #include "mongo/db/commands.h" #include "mongo/db/query/collation/collator_factory_interface.h" #include "mongo/db/query/parsed_distinct.h" 
@@ -89,12 +90,16 @@ public: return ReadConcernSupportResult::allSupportedAndDefaultPermitted(); } - void addRequiredPrivileges(const std::string& dbname, - const BSONObj& cmdObj, - std::vector<Privilege>* out) const override { - ActionSet actions; - actions.addAction(ActionType::find); - out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions)); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const override { + auto* as = AuthorizationSession::get(opCtx->getClient()); + if (!as->isAuthorizedForActionsOnResource(parseResourcePattern(dbName.db(), cmdObj), + ActionType::find)) { + return {ErrorCodes::Unauthorized, "unauthorized"}; + } + + return Status::OK(); } bool allowedInTransactions() const final { diff --git a/src/mongo/s/commands/cluster_drop_indexes_cmd.cpp b/src/mongo/s/commands/cluster_drop_indexes_cmd.cpp index 45b20abae15..076b8a1d61d 100644 --- a/src/mongo/s/commands/cluster_drop_indexes_cmd.cpp +++ b/src/mongo/s/commands/cluster_drop_indexes_cmd.cpp @@ -30,6 +30,7 @@ #include "mongo/platform/basic.h" +#include "mongo/db/auth/authorization_session.h" #include "mongo/db/commands.h" #include "mongo/logv2/log.h" #include "mongo/rpc/get_status_from_command_result.h" 
@@ -62,12 +63,16 @@ public: return false; } - void addRequiredPrivileges(const std::string& dbname, - const BSONObj& cmdObj, - std::vector<Privilege>* out) const override { - ActionSet actions; - actions.addAction(ActionType::dropIndex); - out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions)); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const override { + auto* as = AuthorizationSession::get(opCtx->getClient()); + if (!as->isAuthorizedForActionsOnResource(parseResourcePattern(dbName.db(), cmdObj), + ActionType::dropIndex)) { + return {ErrorCodes::Unauthorized, "unauthorized"}; + } + + return Status::OK(); } void validateResult(const BSONObj& resultObj) final { diff --git a/src/mongo/s/commands/cluster_filemd5_cmd.cpp b/src/mongo/s/commands/cluster_filemd5_cmd.cpp index 3922205749c..600f41ba3bd 100644 --- a/src/mongo/s/commands/cluster_filemd5_cmd.cpp +++ b/src/mongo/s/commands/cluster_filemd5_cmd.cpp @@ -30,6 +30,7 @@ #include "mongo/platform/basic.h" +#include "mongo/db/auth/authorization_session.h" #include "mongo/db/commands.h" #include "mongo/rpc/get_status_from_command_result.h" #include "mongo/s/cluster_commands_helpers.h" @@ -71,10 +72,16 @@ public: return NamespaceString(dbName, collectionName); } - void addRequiredPrivileges(const std::string& dbname, - const BSONObj& cmdObj, - std::vector<Privilege>* out) const override { - out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), ActionType::find)); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const override { + auto* as = AuthorizationSession::get(opCtx->getClient()); + if (!as->isAuthorizedForActionsOnResource(parseResourcePattern(dbName.db(), cmdObj), + ActionType::find)) { + return {ErrorCodes::Unauthorized, "unauthorized"}; + } + + return Status::OK(); } bool supportsWriteConcern(const BSONObj& cmd) const override { 
diff --git a/src/mongo/s/commands/cluster_find_and_modify_cmd.cpp b/src/mongo/s/commands/cluster_find_and_modify_cmd.cpp index d373c9d753b..e51c61b3acc 100644 --- a/src/mongo/s/commands/cluster_find_and_modify_cmd.cpp +++ b/src/mongo/s/commands/cluster_find_and_modify_cmd.cpp @@ -347,12 +347,12 @@ public: {{ErrorCodes::InvalidOptions, "default read concern not permitted"}}}; } - void addRequiredPrivileges(const std::string& dbname, - const BSONObj& cmdObj, - std::vector<Privilege>* out) const override { - bool update = cmdObj["update"].trueValue(); - bool upsert = cmdObj["upsert"].trueValue(); - bool remove = cmdObj["remove"].trueValue(); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const override { + const bool update = cmdObj["update"].trueValue(); + const bool upsert = cmdObj["upsert"].trueValue(); + const bool remove = cmdObj["remove"].trueValue(); ActionSet actions; actions.addAction(ActionType::find); @@ -369,12 +369,18 @@ public: actions.addAction(ActionType::bypassDocumentValidation); } - std::string ns = CommandHelpers::parseNsFromCommand(dbname, cmdObj); - ResourcePattern resource(CommandHelpers::resourcePatternForNamespace(ns)); + auto nss = CommandHelpers::parseNsFromCommand(dbName, cmdObj); + ResourcePattern resource(CommandHelpers::resourcePatternForNamespace(nss.ns())); uassert(17137, "Invalid target namespace " + resource.toString(), resource.isExactNamespacePattern()); - out->push_back(Privilege(resource, actions)); + + auto* as = AuthorizationSession::get(opCtx->getClient()); + if (!as->isAuthorizedForActionsOnResource(resource, actions)) { + return {ErrorCodes::Unauthorized, "unauthorized"}; + } + + return Status::OK(); } Status explain(OperationContext* opCtx, diff --git a/src/mongo/s/commands/cluster_fsync_cmd.cpp b/src/mongo/s/commands/cluster_fsync_cmd.cpp index 00972e17815..b79193f2b65 100644 --- a/src/mongo/s/commands/cluster_fsync_cmd.cpp 
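Review bot: In the second hunk of cluster_find_and_modify_cmd.cpp, `uassert(17137, ...)` stays inside a function that now returns `Status`, so an invalid namespace leaves by exception while a missing privilege leaves by return value. The assert also runs before the authorization check, so a caller without privileges gets the namespace-validation message, including `resource.toString()`, rather than `unauthorized`. If the assertion code has to stay for compatibility, document the ordering above it, e.g. `// Throws before the privilege check: the namespace shape is validated first.` The function starts in the previous hunk and part of its body lies outside both hunks.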
+++ b/src/mongo/s/commands/cluster_fsync_cmd.cpp @@ -31,6 +31,7 @@ #include "mongo/client/read_preference.h" #include "mongo/client/remote_command_targeter.h" +#include "mongo/db/auth/authorization_session.h" #include "mongo/db/commands.h" #include "mongo/s/client/shard.h" #include "mongo/s/client/shard_registry.h" @@ -59,12 +60,16 @@ public: return false; } - void addRequiredPrivileges(const std::string& dbname, - const BSONObj& cmdObj, - std::vector<Privilege>* out) const override { - ActionSet actions; - actions.addAction(ActionType::fsync); - out->push_back(Privilege(ResourcePattern::forClusterResource(), actions)); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const override { + auto* as = AuthorizationSession::get(opCtx->getClient()); + if (!as->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::fsync)) { + return {ErrorCodes::Unauthorized, "unauthorized"}; + } + + return Status::OK(); } bool errmsgRun(OperationContext* opCtx, diff --git a/src/mongo/s/commands/cluster_get_last_error_cmd.cpp b/src/mongo/s/commands/cluster_get_last_error_cmd.cpp index 008a4d349e3..2b7f8c322ff 100644 --- a/src/mongo/s/commands/cluster_get_last_error_cmd.cpp +++ b/src/mongo/s/commands/cluster_get_last_error_cmd.cpp @@ -39,7 +39,7 @@ class GetLastErrorCmd : public BasicCommand { public: GetLastErrorCmd() : BasicCommand("getLastError", "getlasterror") {} - virtual bool supportsWriteConcern(const BSONObj& cmd) const override { + bool supportsWriteConcern(const BSONObj& cmd) const override { return false; } 
@@ -51,17 +51,17 @@ public: return "no longer supported"; } - virtual void addRequiredPrivileges(const std::string& dbname, - const BSONObj& cmdObj, - std::vector<Privilege>* out) const { - // No auth required for getlasterror + Status checkAuthForOperation(OperationContext*, + const DatabaseName&, + const BSONObj&) const override { + return Status::OK(); // No auth required } bool requiresAuth() const override { return false; } - virtual bool run(OperationContext*, const DatabaseName&, const BSONObj&, BSONObjBuilder&) { + bool run(OperationContext*, const DatabaseName&, const BSONObj&, BSONObjBuilder&) override { uasserted(5739001, "getLastError command is not supported"); return false; } diff --git a/src/mongo/s/commands/cluster_hello_cmd.cpp b/src/mongo/s/commands/cluster_hello_cmd.cpp index 005a6e2ec26..9c6b2f4fb9f 100644 --- a/src/mongo/s/commands/cluster_hello_cmd.cpp +++ b/src/mongo/s/commands/cluster_hello_cmd.cpp @@ -104,10 +104,10 @@ public: return "Status information for clients negotiating a connection with this server"; } - void addRequiredPrivileges(const std::string& dbname, - const BSONObj& cmdObj, - std::vector<Privilege>* out) const final { - // No auth required + Status checkAuthForOperation(OperationContext*, + const DatabaseName&, + const BSONObj&) const override { + return Status::OK(); // No auth required } bool requiresAuth() const final { diff --git a/src/mongo/s/commands/cluster_is_db_grid_cmd.cpp b/src/mongo/s/commands/cluster_is_db_grid_cmd.cpp index 6fc4f1b9263..d962e62e510 100644 --- a/src/mongo/s/commands/cluster_is_db_grid_cmd.cpp +++ b/src/mongo/s/commands/cluster_is_db_grid_cmd.cpp @@ -43,7 +43,7 @@ public: return false; } - virtual bool supportsWriteConcern(const BSONObj& cmd) const override { + bool supportsWriteConcern(const BSONObj& cmd) const override { return false; } 
@@ -51,16 +51,16 @@ public: return AllowedOnSecondary::kAlways; } - virtual void addRequiredPrivileges(const std::string& dbname, - const BSONObj& cmdObj, - std::vector<Privilege>* out) const { - // No auth required + Status checkAuthForOperation(OperationContext*, + const DatabaseName&, + const BSONObj&) const override { + return Status::OK(); // No auth required } - virtual bool run(OperationContext* opCtx, - const DatabaseName&, - const BSONObj& cmdObj, - BSONObjBuilder& result) { + bool run(OperationContext* opCtx, + const DatabaseName&, + const BSONObj& cmdObj, + BSONObjBuilder& result) override { result.append("isdbgrid", 1); result.append("hostname", getHostNameCached()); return true; diff --git a/src/mongo/s/commands/cluster_list_shards_cmd.cpp b/src/mongo/s/commands/cluster_list_shards_cmd.cpp index cb5fb91c6ec..e7b84626963 100644 --- a/src/mongo/s/commands/cluster_list_shards_cmd.cpp +++ b/src/mongo/s/commands/cluster_list_shards_cmd.cpp @@ -29,6 +29,7 @@ #include "mongo/platform/basic.h" +#include "mongo/db/auth/authorization_session.h" #include "mongo/db/commands.h" #include "mongo/s/catalog/type_shard.h" #include "mongo/s/grid.h" @@ -56,12 +57,16 @@ public: return false; } - void addRequiredPrivileges(const std::string& dbname, - const BSONObj& cmdObj, - std::vector<Privilege>* out) const override { - ActionSet actions; - actions.addAction(ActionType::listShards); - out->push_back(Privilege(ResourcePattern::forClusterResource(), actions)); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const override { + auto* as = AuthorizationSession::get(opCtx->getClient()); + if (!as->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::listShards)) { + return {ErrorCodes::Unauthorized, "unauthorized"}; + } + + return Status::OK(); } bool run(OperationContext* opCtx, 
diff --git a/src/mongo/s/commands/cluster_multicast_cmd.cpp b/src/mongo/s/commands/cluster_multicast_cmd.cpp index 90ff772122f..0d82a3d85a1 100644 --- a/src/mongo/s/commands/cluster_multicast_cmd.cpp +++ b/src/mongo/s/commands/cluster_multicast_cmd.cpp @@ -83,9 +83,11 @@ public: } // no privs because it's a test command - void addRequiredPrivileges(const std::string& dbname, - const BSONObj& cmdObj, - std::vector<Privilege>* out) const override {} + Status checkAuthForOperation(OperationContext*, + const DatabaseName&, + const BSONObj&) const override { + return Status::OK(); + } bool run(OperationContext* opCtx, const DatabaseName&, diff --git a/src/mongo/s/commands/cluster_netstat_cmd.cpp b/src/mongo/s/commands/cluster_netstat_cmd.cpp index 1b1fd469d6c..1003b9b0e44 100644 --- a/src/mongo/s/commands/cluster_netstat_cmd.cpp +++ b/src/mongo/s/commands/cluster_netstat_cmd.cpp @@ -29,6 +29,7 @@ #include "mongo/platform/basic.h" +#include "mongo/db/auth/authorization_session.h" #include "mongo/db/commands.h" #include "mongo/s/catalog/sharding_catalog_client.h" #include "mongo/s/client/shard_registry.h" @@ -57,12 +58,16 @@ public: return false; } - void addRequiredPrivileges(const std::string& dbname, - const BSONObj& cmdObj, - std::vector<Privilege>* out) const override { - ActionSet actions; - actions.addAction(ActionType::netstat); - out->push_back(Privilege(ResourcePattern::forClusterResource(), actions)); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const override { + auto* as = AuthorizationSession::get(opCtx->getClient()); + if (!as->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::netstat)) { + return {ErrorCodes::Unauthorized, "unauthorized"}; + } + + return Status::OK(); } bool run(OperationContext* opCtx, diff --git a/src/mongo/s/commands/cluster_remove_shard_cmd.cpp b/src/mongo/s/commands/cluster_remove_shard_cmd.cpp index ef31d7dce15..28b3e549d22 100644 
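Review bot: In cluster_multicast_cmd.cpp the new `checkAuthForOperation` returns `Status::OK()` unconditionally, and the only justification is the comment left above the function, `// no privs because it's a test command`. That is safe only while the command is registered as test-only, and the registration is outside this hunk. Put the reason on the return itself so it stays attached to the line that grants access: `return Status::OK();  // test-only command: no privileges checked`. This matches how the other no-auth commands in this diff are annotated.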
--- a/src/mongo/s/commands/cluster_remove_shard_cmd.cpp +++ b/src/mongo/s/commands/cluster_remove_shard_cmd.cpp @@ -32,6 +32,7 @@ #include <string> +#include "mongo/db/auth/authorization_session.h" #include "mongo/db/commands.h" #include "mongo/s/client/shard.h" #include "mongo/s/client/shard_registry.h" @@ -63,12 +64,16 @@ public: return true; } - void addRequiredPrivileges(const std::string& dbname, - const BSONObj& cmdObj, - std::vector<Privilege>* out) const override { - ActionSet actions; - actions.addAction(ActionType::removeShard); - out->push_back(Privilege(ResourcePattern::forClusterResource(), actions)); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const override { + auto* as = AuthorizationSession::get(opCtx->getClient()); + if (!as->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::removeShard)) { + return {ErrorCodes::Unauthorized, "unauthorized"}; + } + + return Status::OK(); } bool run(OperationContext* opCtx, diff --git a/src/mongo/s/commands/cluster_validate_cmd.cpp b/src/mongo/s/commands/cluster_validate_cmd.cpp index e54997ace56..237895fa301 100644 --- a/src/mongo/s/commands/cluster_validate_cmd.cpp +++ b/src/mongo/s/commands/cluster_validate_cmd.cpp @@ -30,6 +30,7 @@ #include "mongo/platform/basic.h" +#include "mongo/db/auth/authorization_session.h" #include "mongo/db/commands.h" #include "mongo/rpc/get_status_from_command_result.h" #include "mongo/s/cluster_commands_helpers.h" 
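Review bot: In cluster_remove_shard_cmd.cpp the new override names its `dbName` and `cmdObj` parameters but uses neither, since the check is made against `ResourcePattern::forClusterResource()`. The other cluster-resource commands in this diff (addShard, fsync, listShards, netstat, flushRouterConfig, getShardMap) leave them unnamed, which also shows at a glance that the decision does not depend on the request. Use `const DatabaseName&,` and `const BSONObj&) const override {` here as well.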
@@ -57,12 +58,16 @@ public: return false; } - void addRequiredPrivileges(const std::string& dbname, - const BSONObj& cmdObj, - std::vector<Privilege>* out) const override { - ActionSet actions; - actions.addAction(ActionType::validate); - out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions)); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const override { + auto* as = AuthorizationSession::get(opCtx->getClient()); + if (!as->isAuthorizedForActionsOnResource(parseResourcePattern(dbName.db(), cmdObj), + ActionType::validate)) { + return {ErrorCodes::Unauthorized, "unauthorized"}; + } + + return Status::OK(); } bool supportsWriteConcern(const BSONObj& cmd) const override { diff --git a/src/mongo/s/commands/cluster_whats_my_uri_cmd.cpp b/src/mongo/s/commands/cluster_whats_my_uri_cmd.cpp index d8581f2706e..6191134aec8 100644 --- a/src/mongo/s/commands/cluster_whats_my_uri_cmd.cpp +++ b/src/mongo/s/commands/cluster_whats_my_uri_cmd.cpp @@ -55,16 +55,16 @@ public: return false; } - virtual void addRequiredPrivileges(const std::string& dbname, - const BSONObj& cmdObj, - std::vector<Privilege>* out) const { - // No auth required + Status checkAuthForOperation(OperationContext*, + const DatabaseName&, + const BSONObj&) const override { + return Status::OK(); // No auth required } - virtual bool run(OperationContext* opCtx, - const DatabaseName&, - const BSONObj& cmdObj, - BSONObjBuilder& result) { + bool run(OperationContext*, + const DatabaseName&, + const BSONObj&, + BSONObjBuilder& result) override { result << "you" << cc().getRemote().toString(); return true; } diff --git a/src/mongo/s/commands/flush_router_config_cmd.cpp b/src/mongo/s/commands/flush_router_config_cmd.cpp index addbd88edfc..e3bc756e510 100644 --- a/src/mongo/s/commands/flush_router_config_cmd.cpp +++ b/src/mongo/s/commands/flush_router_config_cmd.cpp 
@@ -30,6 +30,7 @@ #include "mongo/platform/basic.h" +#include "mongo/db/auth/authorization_session.h" #include "mongo/db/commands.h" #include "mongo/logv2/log.h" #include "mongo/s/grid.h" @@ -67,12 +68,16 @@ public: "{flushRouterconfig: 'db.coll'} flushes only the given collection"; } - void addRequiredPrivileges(const std::string& dbname, - const BSONObj& cmdObj, - std::vector<Privilege>* out) const override { - ActionSet actions; - actions.addAction(ActionType::flushRouterConfig); - out->push_back(Privilege(ResourcePattern::forClusterResource(), actions)); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const override { + auto* as = AuthorizationSession::get(opCtx->getClient()); + if (!as->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::flushRouterConfig)) { + return {ErrorCodes::Unauthorized, "unauthorized"}; + } + + return Status::OK(); } bool run(OperationContext* opCtx, diff --git a/src/mongo/s/commands/get_shard_map_cmd.cpp b/src/mongo/s/commands/get_shard_map_cmd.cpp index bbdf20d5ff0..f59d59717f4 100644 --- a/src/mongo/s/commands/get_shard_map_cmd.cpp +++ b/src/mongo/s/commands/get_shard_map_cmd.cpp @@ -31,6 +31,7 @@ #include "mongo/db/auth/action_set.h" #include "mongo/db/auth/action_type.h" +#include "mongo/db/auth/authorization_session.h" #include "mongo/db/auth/privilege.h" #include "mongo/db/commands.h" #include "mongo/s/grid.h" 
@@ -58,12 +59,16 @@ public: return true; } - void addRequiredPrivileges(const std::string& dbname, - const BSONObj& cmdObj, - std::vector<Privilege>* out) const override { - ActionSet actions; - actions.addAction(ActionType::getShardMap); - out->push_back(Privilege(ResourcePattern::forClusterResource(), actions)); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const override { + auto* as = AuthorizationSession::get(opCtx->getClient()); + if (!as->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::getShardMap)) { + return {ErrorCodes::Unauthorized, "unauthorized"}; + } + + return Status::OK(); } bool run(OperationContext* opCtx, |