Diffstat (limited to 'src/mongo/s')
-rw-r--r--src/mongo/s/commands_admin.cpp30
-rw-r--r--src/mongo/s/commands_public.cpp77
-rw-r--r--src/mongo/s/cursors.cpp10
-rw-r--r--src/mongo/s/d_migrate.cpp14
-rw-r--r--src/mongo/s/d_split.cpp6
-rw-r--r--src/mongo/s/d_state.cpp8
-rw-r--r--src/mongo/s/d_writeback.cpp4
-rw-r--r--src/mongo/s/merge_chunks_cmd.cpp8
-rw-r--r--src/mongo/s/shard.cpp2
-rw-r--r--src/mongo/s/shardconnection.cpp2
-rw-r--r--src/mongo/s/strategy_shard.cpp27
-rw-r--r--src/mongo/s/strategy_single.cpp8
12 files changed, 101 insertions, 95 deletions
diff --git a/src/mongo/s/commands_admin.cpp b/src/mongo/s/commands_admin.cpp
index b3607dcb9c4..611ea0d12c8 100644
--- a/src/mongo/s/commands_admin.cpp
+++ b/src/mongo/s/commands_admin.cpp
@@ -101,7 +101,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::netstat);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
result.append("configserver", configServer.getPrimary().getConnString() );
@@ -121,7 +121,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::flushRouterConfig);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
grid.flushConfig();
@@ -138,7 +138,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::fsync);
- out->push_back(Privilege(AuthorizationManager::SERVER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
if ( cmdObj["lock"].trueValue() ) {
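Review bot: Moving `fsync` from `AuthorizationManager::SERVER_RESOURCE_NAME` to `ResourcePattern::forClusterResource()` is an authorization-model change rather than a rename, and nothing on the changed line records that the server and cluster resources are now one. A grant of one of these actions on the cluster resource now satisfies a check that previously required it on the server resource; whether any existing role held such a grant is not visible here, so the role definitions should be reviewed against the merged set. The same applies to the `listDatabases`, `closeAllDatabases` and `replSetGetStatus` hunks in this file and to the former server-resource checks in cursors.cpp, d_migrate.cpp, shardconnection.cpp and strategy_single.cpp. I would add a comment such as `// fsync is authorized on the cluster resource (formerly the separate server resource)` or state the merge in the commit message. The enclosing method starts above the hunk.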
@@ -186,7 +186,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::movePrimary);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
string dbname = cmdObj.firstElement().valuestrsafe();
@@ -375,7 +375,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::enableSharding);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
string dbname = cmdObj.firstElement().valuestrsafe();
@@ -426,7 +426,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::shardCollection);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
const string ns = cmdObj.firstElement().valuestrsafe();
@@ -794,7 +794,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::getShardVersion);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
string ns = cmdObj.firstElement().valuestrsafe();
@@ -838,7 +838,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::split);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
if ( ! okForConfigChanges( errmsg ) )
@@ -988,7 +988,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::moveChunk);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
if ( ! okForConfigChanges( errmsg ) )
@@ -1087,7 +1087,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::listShards);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
ScopedDbConnection conn(configServer.getPrimary().getConnString(), 30);
@@ -1118,7 +1118,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::addShard);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
errmsg.clear();
@@ -1186,7 +1186,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::removeShard);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
string target = cmdObj.firstElement().valuestrsafe();
@@ -1504,7 +1504,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::listDatabases);
- out->push_back(Privilege(AuthorizationManager::SERVER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
bool run(const string& , BSONObj& jsobj, int, string& errmsg, BSONObjBuilder& result, bool /*fromRepl*/) {
@@ -1632,7 +1632,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::closeAllDatabases);
- out->push_back(Privilege(AuthorizationManager::SERVER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
bool run(const string& , BSONObj& jsobj, int, string& errmsg, BSONObjBuilder& /*result*/, bool /*fromRepl*/) {
@@ -1656,7 +1656,7 @@ namespace mongo {
// TODO: Should this require no auth since it's not supported in mongos anyway?
ActionSet actions;
actions.addAction(ActionType::replSetGetStatus);
- out->push_back(Privilege(AuthorizationManager::SERVER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
bool run(const string& , BSONObj& jsobj, int, string& errmsg, BSONObjBuilder& result, bool /*fromRepl*/) {
if ( jsobj["forShell"].trueValue() ) {
diff --git a/src/mongo/s/commands_public.cpp b/src/mongo/s/commands_public.cpp
index 9f8054304c7..0ffa5398f04 100644
--- a/src/mongo/s/commands_public.cpp
+++ b/src/mongo/s/commands_public.cpp
@@ -231,7 +231,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::dropIndexes);
- out->push_back(Privilege(parseNs(dbname, cmdObj), actions));
+ out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions));
}
} dropIndexesCmd;
@@ -243,7 +243,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::reIndex);
- out->push_back(Privilege(parseNs(dbname, cmdObj), actions));
+ out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions));
}
} reIndexCmd;
@@ -255,7 +255,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::collMod);
- out->push_back(Privilege(parseNs(dbname, cmdObj), actions));
+ out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions));
}
} collectionModCmd;
@@ -271,7 +271,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::profileEnable);
- out->push_back(Privilege(dbname, actions));
+ out->push_back(Privilege(ResourcePattern::forDatabaseName(dbname), actions));
}
} profileCmd;
@@ -284,8 +284,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::validate);
- // TODO: should the resource needed be the collection name instead of the db name?
- out->push_back(Privilege(dbname, actions));
+ out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions));
}
virtual void aggregateResults(const vector<BSONObj>& results, BSONObjBuilder& output) {
for (vector<BSONObj>::const_iterator it(results.begin()), end(results.end()); it!=end; it++){
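Review bot: The resource required for `validate` narrows here from the whole database to the collection returned by `parseResourcePattern(dbname, cmdObj)`, and the removed TODO was the only text that recorded the question. This is a behavior change for existing grants, presumably intended, and the `createCollection` hunk further down makes the same database-to-collection switch. How a command whose first element is not a string resolves to a resource is not visible in this diff, so it is worth confirming that case is rejected rather than authorized against a database-level or empty pattern. I would keep a comment in place of the TODO, e.g. `// validate is authorized on the target collection, not on the database.`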
@@ -319,7 +318,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::repairDatabase);
- out->push_back(Privilege(dbname, actions));
+ out->push_back(Privilege(ResourcePattern::forDatabaseName(dbname), actions));
}
} repairDatabaseCmd;
@@ -331,7 +330,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::dbStats);
- out->push_back(Privilege(dbname, actions));
+ out->push_back(Privilege(ResourcePattern::forDatabaseName(dbname), actions));
}
virtual void aggregateResults(const vector<BSONObj>& results, BSONObjBuilder& output) {
@@ -379,7 +378,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::createCollection);
- out->push_back(Privilege(dbname, actions));
+ out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions));
}
bool run(const string& dbName,
BSONObj& cmdObj,
@@ -400,7 +399,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::dropCollection);
- out->push_back(Privilege(parseNs(dbname, cmdObj), actions));
+ out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions));
}
bool run(const string& dbName , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
string collection = cmdObj.firstElement().valuestrsafe();
@@ -448,7 +447,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::dropDatabase);
- out->push_back(Privilege(dbname, actions));
+ out->push_back(Privilege(ResourcePattern::forDatabaseName(dbname), actions));
}
bool run(const string& dbName , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
// disallow dropping the config database from mongos
@@ -552,7 +551,8 @@ namespace mongo {
// read from the source DB.
ActionSet actions;
actions.addAction(ActionType::copyDBTarget);
- out->push_back(Privilege(dbname, actions)); // NOTE: dbname is always admin
+ out->push_back(Privilege(ResourcePattern::forDatabaseName(cmdObj["todb"].str()),
+ actions));
}
bool run(const string& dbName, BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
string todb = cmdObj.getStringField("todb");
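Review bot: The privilege check reads the target database with `cmdObj["todb"].str()` while `run()` just below reads it with `cmdObj.getStringField("todb")`, so the name that is authorized and the name that is used come from two different accessors. If the two ever disagree on a malformed value (a non-string element, or a string with an embedded NUL), the check would cover a different database than the one written to. A missing `todb` also appears to yield a pattern for the empty database name. Use the same accessor in both places, for example `ResourcePattern::forDatabaseName(cmdObj.getStringField("todb"))`, and reject an empty `todb` before authorizing. Both functions extend beyond the hunk.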
@@ -602,7 +602,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::find);
- out->push_back(Privilege(parseNs(dbname, cmdObj), actions));
+ out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions));
}
bool run( const string& dbName,
BSONObj& cmdObj,
@@ -699,7 +699,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::collStats);
- out->push_back(Privilege(parseNs(dbname, cmdObj), actions));
+ out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions));
}
bool run(const string& dbName , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
string collection = cmdObj.firstElement().valuestrsafe();
@@ -831,7 +831,7 @@ namespace mongo {
virtual void addRequiredPrivileges(const std::string& dbname,
const BSONObj& cmdObj,
std::vector<Privilege>* out) {
- find_and_modify::addPrivilegesRequiredForFindAndModify(dbname, cmdObj, out);
+ find_and_modify::addPrivilegesRequiredForFindAndModify(this, dbname, cmdObj, out);
}
bool run(const string& dbName, BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
string collection = cmdObj.firstElement().valuestrsafe();
@@ -882,7 +882,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::find);
- out->push_back(Privilege(parseNs(dbname, cmdObj), actions));
+ out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions));
}
bool run(const string& dbName, BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
string fullns = cmdObj.firstElement().String();
@@ -947,7 +947,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::convertToCapped);
- out->push_back(Privilege(parseNs(dbname, cmdObj), actions));
+ out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions));
}
virtual string getFullNS( const string& dbName , const BSONObj& cmdObj ) {
@@ -965,7 +965,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::find);
- out->push_back(Privilege(parseNs(dbname, cmdObj), actions));
+ out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions));
}
virtual bool passOptions() const { return true; }
virtual string getFullNS( const string& dbName , const BSONObj& cmdObj ) {
@@ -983,7 +983,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::splitVector);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
virtual bool run(const string& dbName , BSONObj& cmdObj, int options, string& errmsg, BSONObjBuilder& result, bool) {
string x = cmdObj.firstElement().valuestrsafe();
@@ -1012,7 +1012,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::find);
- out->push_back(Privilege(parseNs(dbname, cmdObj), actions));
+ out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions));
}
bool run(const string& dbName , BSONObj& cmdObj, int options, string& errmsg, BSONObjBuilder& result, bool) {
string collection = cmdObj.firstElement().valuestrsafe();
@@ -1072,24 +1072,23 @@ namespace mongo {
virtual void help( stringstream &help ) const {
help << " example: { filemd5 : ObjectId(aaaaaaa) , root : \"fs\" }";
}
+
+ virtual std::string parseNs(const std::string& dbname, const BSONObj& cmdObj) const {
+ std::string collectionName = cmdObj.getStringField("root");
+ if (collectionName.empty())
+ collectionName = "fs";
+ collectionName += ".chunks";
+ return NamespaceString(dbname, collectionName).ns();
+ }
+
virtual void addRequiredPrivileges(const std::string& dbname,
const BSONObj& cmdObj,
std::vector<Privilege>* out) {
- ActionSet actions;
- actions.addAction(ActionType::find);
- out->push_back(Privilege(parseNs(dbname, cmdObj), actions));
+ out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), ActionType::find));
}
- bool run(const string& dbName , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
- string fullns = dbName;
- fullns += ".";
- {
- string root = cmdObj.getStringField( "root" );
- if ( root.size() == 0 )
- root = "fs";
- fullns += root;
- }
- fullns += ".chunks";
+ bool run(const string& dbName , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
+ const std::string fullns = parseNs(dbName, cmdObj);
DBConfigPtr conf = grid.getDBConfig( dbName , false );
if ( ! conf || ! conf->isShardingEnabled() || ! conf->isSharded( fullns ) ) {
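Review bot: The new `parseNs` override is what keeps the authorization check and `run()` on the same `<root>.chunks` namespace, but it carries no comment saying so. I would add `// Authorization (via parseResourcePattern) and run() must resolve the same namespace; keep both going through this override.` above it. `root` comes straight from the command object, and whether `NamespaceString(dbname, collectionName)` rejects unusual values is not visible here. As a style point, `Privilege(parseResourcePattern(dbname, cmdObj), ActionType::find)` passes the action directly, unlike the sibling hunks, which build an `ActionSet` first; following that form would keep the file uniform. `run()` continues past the end of the hunk.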
@@ -1199,7 +1198,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::find);
- out->push_back(Privilege(parseNs(dbname, cmdObj), actions));
+ out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions));
}
bool run(const string& dbName , BSONObj& cmdObj, int options, string& errmsg, BSONObjBuilder& result, bool) {
string collection = cmdObj.firstElement().valuestrsafe();
@@ -1305,7 +1304,7 @@ namespace mongo {
virtual void addRequiredPrivileges(const std::string& dbname,
const BSONObj& cmdObj,
std::vector<Privilege>* out) {
- mr::addPrivilegesRequiredForMapReduce(dbname, cmdObj, out);
+ mr::addPrivilegesRequiredForMapReduce(this, dbname, cmdObj, out);
}
string getTmpName( const string& coll ) {
@@ -1725,7 +1724,7 @@ namespace mongo {
const BSONObj& cmdObj,
std::vector<Privilege>* out) {
// applyOps can do pretty much anything, so require all privileges.
- out->push_back(Privilege(AuthorizationManager::WILDCARD_RESOURCE_NAME,
+ out->push_back(Privilege(ResourcePattern::forAnyResource(),
getGlobalAuthorizationManager()->getAllUserActions()));
}
virtual bool run(const string& dbName , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
@@ -1743,7 +1742,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::compact);
- out->push_back(Privilege(parseNs(dbname, cmdObj), actions));
+ out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions));
}
virtual bool run(const string& dbName , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
errmsg = "compact not allowed through mongos";
@@ -1758,7 +1757,7 @@ namespace mongo {
const BSONObj& cmdObj,
std::vector<Privilege>* out) {
// $eval can do pretty much anything, so require all privileges.
- out->push_back(Privilege(AuthorizationManager::WILDCARD_RESOURCE_NAME,
+ out->push_back(Privilege(ResourcePattern::forAnyResource(),
getGlobalAuthorizationManager()->getAllUserActions()));
}
virtual bool run(const string& dbName,
@@ -1837,7 +1836,7 @@ namespace mongo {
void PipelineCommand::addRequiredPrivileges(const std::string& dbname,
const BSONObj& cmdObj,
std::vector<Privilege>* out) {
- Pipeline::addRequiredPrivileges(dbname, cmdObj, out);
+ Pipeline::addRequiredPrivileges(this, dbname, cmdObj, out);
}
bool PipelineCommand::run(const string &dbName , BSONObj &cmdObj,
diff --git a/src/mongo/s/cursors.cpp b/src/mongo/s/cursors.cpp
index 178e1e5ac41..f38feba9048 100644
--- a/src/mongo/s/cursors.cpp
+++ b/src/mongo/s/cursors.cpp
@@ -314,8 +314,8 @@ namespace mongo {
MapSharded::iterator i = _cursors.find( id );
if ( i != _cursors.end() ) {
- const bool isAuthorized = authSession->checkAuthorization(
- i->second->getNS(), ActionType::killCursors);
+ const bool isAuthorized = authSession->isAuthorizedForActionsOnNamespace(
+ NamespaceString(i->second->getNS()), ActionType::killCursors);
audit::logKillCursorsAuthzCheck(
client,
NamespaceString(i->second->getNS()),
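Review bot: `NamespaceString(i->second->getNS())` is now built twice, once for `isAuthorizedForActionsOnNamespace` and once for `audit::logKillCursorsAuthzCheck`, so the checked namespace and the audited one are equal only because two separate temporaries happen to be built from the same string. Building it once, `const NamespaceString cursorNs(i->second->getNS());`, and passing `cursorNs` to both calls matches what this commit does in strategy_shard.cpp and ties the audit record to the namespace that was actually checked. The next hunk has the same pattern with `refsNSIt->second`. The enclosing function starts and ends outside the hunk.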
@@ -334,8 +334,8 @@ namespace mongo {
continue;
}
verify(refsNSIt != _refsNS.end());
- const bool isAuthorized = authSession->checkAuthorization(
- refsNSIt->second, ActionType::killCursors);
+ const bool isAuthorized = authSession->isAuthorizedForActionsOnNamespace(
+ NamespaceString(refsNSIt->second), ActionType::killCursors);
audit::logKillCursorsAuthzCheck(
client,
NamespaceString(refsNSIt->second),
@@ -411,7 +411,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::cursorInfo);
- out->push_back(Privilege(AuthorizationManager::SERVER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
virtual LockType locktype() const { return NONE; }
bool run(const string&, BSONObj& jsobj, int, string& errmsg, BSONObjBuilder& result, bool fromRepl ) {
diff --git a/src/mongo/s/d_migrate.cpp b/src/mongo/s/d_migrate.cpp
index e18a805be0d..77274df9d77 100644
--- a/src/mongo/s/d_migrate.cpp
+++ b/src/mongo/s/d_migrate.cpp
@@ -672,7 +672,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::_transferMods);
- out->push_back(Privilege(AuthorizationManager::SERVER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
return migrateFromStatus.transferMods( errmsg, result );
@@ -688,7 +688,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::_migrateClone);
- out->push_back(Privilege(AuthorizationManager::SERVER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
return migrateFromStatus.clone( errmsg, result );
@@ -717,7 +717,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::moveChunk);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
@@ -2036,7 +2036,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::_recvChunkStart);
- out->push_back(Privilege(AuthorizationManager::SERVER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
@@ -2129,7 +2129,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::_recvChunkStatus);
- out->push_back(Privilege(AuthorizationManager::SERVER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
migrateStatus.status( result );
@@ -2146,7 +2146,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::_recvChunkCommit);
- out->push_back(Privilege(AuthorizationManager::SERVER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
bool ok = migrateStatus.startCommit();
@@ -2164,7 +2164,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::_recvChunkAbort);
- out->push_back(Privilege(AuthorizationManager::SERVER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
migrateStatus.abort();
diff --git a/src/mongo/s/d_split.cpp b/src/mongo/s/d_split.cpp
index ae72c795b9b..da7a99eddfc 100644
--- a/src/mongo/s/d_split.cpp
+++ b/src/mongo/s/d_split.cpp
@@ -88,7 +88,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::find);
- out->push_back(Privilege(parseNs(dbname, cmdObj), actions));
+ out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions));
}
bool run(const string& dbname, BSONObj& jsobj, int, string& errmsg, BSONObjBuilder& result, bool fromRepl ) {
@@ -222,7 +222,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::splitVector);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
bool run(const string& dbname, BSONObj& jsobj, int, string& errmsg, BSONObjBuilder& result, bool fromRepl ) {
@@ -507,7 +507,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::splitChunk);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
bool run(const string& dbname, BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool fromRepl ) {
diff --git a/src/mongo/s/d_state.cpp b/src/mongo/s/d_state.cpp
index d84c00f3b1a..e41af37165e 100644
--- a/src/mongo/s/d_state.cpp
+++ b/src/mongo/s/d_state.cpp
@@ -786,7 +786,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::unsetSharding);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
@@ -812,7 +812,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::setShardVersion);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
bool checkConfigOrInit( const string& configdb , bool authoritative , string& errmsg , BSONObjBuilder& result , bool locked=false ) const {
@@ -1120,7 +1120,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::getShardVersion);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
@@ -1163,7 +1163,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::shardingState);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
diff --git a/src/mongo/s/d_writeback.cpp b/src/mongo/s/d_writeback.cpp
index f8b7db8c60b..33da7dc3d55 100644
--- a/src/mongo/s/d_writeback.cpp
+++ b/src/mongo/s/d_writeback.cpp
@@ -168,7 +168,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::writebacklisten);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
bool run(const string& , BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool) {
@@ -220,7 +220,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::writeBacksQueued);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
WriteBacksQueuedCommand() : Command( "writeBacksQueued" ) {}
diff --git a/src/mongo/s/merge_chunks_cmd.cpp b/src/mongo/s/merge_chunks_cmd.cpp
index 742bad635dc..bb76b561843 100644
--- a/src/mongo/s/merge_chunks_cmd.cpp
+++ b/src/mongo/s/merge_chunks_cmd.cpp
@@ -55,9 +55,11 @@ namespace mongo {
virtual Status checkAuthForCommand( ClientBasic* client,
const std::string& dbname,
const BSONObj& cmdObj ) {
- return client->getAuthorizationSession()->checkAuthForPrivilege(
- Privilege( AuthorizationManager::CLUSTER_RESOURCE_NAME,
- ActionType::mergeChunks ) );
+ if (!client->getAuthorizationSession()->isAuthorizedForActionsOnResource(
+ ResourcePattern::forClusterResource(), ActionType::mergeChunks)) {
+ return Status(ErrorCodes::Unauthorized, "Not authorized for mergeChunks.");
+ }
+ return Status::OK();
}
virtual bool slaveOk() const { return false; }
diff --git a/src/mongo/s/shard.cpp b/src/mongo/s/shard.cpp
index 00c8c3405e4..371acfe8af4 100644
--- a/src/mongo/s/shard.cpp
+++ b/src/mongo/s/shard.cpp
@@ -288,7 +288,7 @@ namespace mongo {
std::vector<Privilege>* out) {
ActionSet actions;
actions.addAction(ActionType::getShardMap);
- out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
}
virtual bool run(const string&, mongo::BSONObj&, int, std::string& errmsg , mongo::BSONObjBuilder& result, bool) {
return staticShardInfo.getShardMap( result , errmsg );
diff --git a/src/mongo/s/shardconnection.cpp b/src/mongo/s/shardconnection.cpp
index 07e1c465f32..f6f057f6ab8 100644
--- a/src/mongo/s/shardconnection.cpp
+++ b/src/mongo/s/shardconnection.cpp
@@ -99,7 +99,7 @@ namespace mongo {
{
ActionSet actions;
actions.addAction( ActionType::connPoolStats );
- out->push_back( Privilege( AuthorizationManager::SERVER_RESOURCE_NAME, actions ) );
+ out->push_back( Privilege( ResourcePattern::forClusterResource(), actions ) );
}
virtual bool run ( const string&, mongo::BSONObj&, int, std::string&, mongo::BSONObjBuilder& result, bool ) {
diff --git a/src/mongo/s/strategy_shard.cpp b/src/mongo/s/strategy_shard.cpp
index 4cbfe290373..de5899cbb2b 100644
--- a/src/mongo/s/strategy_shard.cpp
+++ b/src/mongo/s/strategy_shard.cpp
@@ -67,10 +67,11 @@ namespace mongo {
QueryMessage q( r.d() );
+ NamespaceString ns(q.ns);
ClientBasic* client = ClientBasic::getCurrent();
AuthorizationSession* authSession = client->getAuthorizationSession();
- Status status = authSession->checkAuthForQuery(q.ns, q.query);
- audit::logQueryAuthzCheck(client, NamespaceString(q.ns), q.query, status.code());
+ Status status = authSession->checkAuthForQuery(ns, q.query);
+ audit::logQueryAuthzCheck(client, ns, q.query, status.code());
uassertStatusOK(status);
LOG(3) << "shard query: " << q.ns << " " << q.query << endl;
@@ -215,9 +216,10 @@ namespace mongo {
NULL == cursorCache.get( id ).get() || host.empty() );
ClientBasic* client = ClientBasic::getCurrent();
+ NamespaceString nsString(ns);
AuthorizationSession* authSession = client->getAuthorizationSession();
- Status status = authSession->checkAuthForGetMore( ns, id );
- audit::logGetMoreAuthzCheck( client, NamespaceString(ns), id, status.code() );
+ Status status = authSession->checkAuthForGetMore( nsString, id );
+ audit::logGetMoreAuthzCheck( client, nsString, id, status.code() );
uassertStatusOK(status);
if( !host.empty() ){
@@ -577,12 +579,13 @@ namespace mongo {
// We should always have a shard if we have any inserts
verify(group.inserts.size() == 0 || group.shard.get());
+ NamespaceString nsString(ns);
for (vector<BSONObj>::iterator it = group.inserts.begin();
it != group.inserts.end(); ++it) {
ClientBasic* client = ClientBasic::getCurrent();
AuthorizationSession* authSession = client->getAuthorizationSession();
- Status status = authSession->checkAuthForInsert(ns, *it);
- audit::logInsertAuthzCheck(client, NamespaceString(ns), *it, status.code());
+ Status status = authSession->checkAuthForInsert(nsString, *it);
+ audit::logInsertAuthzCheck(client, nsString, *it, status.code());
uassertStatusOK(status);
}
@@ -1033,12 +1036,13 @@ namespace mongo {
const BSONObj toUpdate = d.nextJsObj();
+ NamespaceString nsString(ns);
ClientBasic* client = ClientBasic::getCurrent();
AuthorizationSession* authzSession = client->getAuthorizationSession();
- Status status = authzSession->checkAuthForUpdate(ns, query, toUpdate, upsert);
+ Status status = authzSession->checkAuthForUpdate(nsString, query, toUpdate, upsert);
audit::logUpdateAuthzCheck(
client,
- NamespaceString(ns),
+ nsString,
query,
toUpdate,
upsert,
@@ -1202,10 +1206,11 @@ namespace mongo {
const BSONObj query = d.nextJsObj();
+ NamespaceString nsString(ns);
ClientBasic* client = ClientBasic::getCurrent();
AuthorizationSession* authSession = client->getAuthorizationSession();
- Status status = authSession->checkAuthForDelete(ns, query);
- audit::logDeleteAuthzCheck(client, NamespaceString(ns), query, status.code());
+ Status status = authSession->checkAuthForDelete(nsString, query);
+ audit::logDeleteAuthzCheck(client, nsString, query, status.code());
uassertStatusOK(status);
if( d.reservedField() & Reserved_FromWriteback ){
@@ -1275,7 +1280,7 @@ namespace mongo {
while (d.moreJSObjs()) {
BSONObj toInsert = d.nextJsObj();
Status status = authSession->checkAuthForInsert(
- ns,
+ nsAsNs,
toInsert);
audit::logInsertAuthzCheck(
client,
diff --git a/src/mongo/s/strategy_single.cpp b/src/mongo/s/strategy_single.cpp
index 89e4a97f3f9..08f95856a01 100644
--- a/src/mongo/s/strategy_single.cpp
+++ b/src/mongo/s/strategy_single.cpp
@@ -145,8 +145,8 @@ namespace mongo {
ClientBasic* client = ClientBasic::getCurrent();
AuthorizationSession* authSession = client->getAuthorizationSession();
if ( strcmp( ns , "inprog" ) == 0 ) {
- const bool isAuthorized = authSession->checkAuthorization(
- AuthorizationManager::SERVER_RESOURCE_NAME, ActionType::inprog);
+ const bool isAuthorized = authSession->isAuthorizedForActionsOnResource(
+ ResourcePattern::forClusterResource(), ActionType::inprog);
audit::logInProgAuthzCheck(
client, q.query, isAuthorized ? ErrorCodes::OK : ErrorCodes::Unauthorized);
uassert(ErrorCodes::Unauthorized, "not authorized to run inprog", isAuthorized);
@@ -188,8 +188,8 @@ namespace mongo {
arr.done();
}
else if ( strcmp( ns , "killop" ) == 0 ) {
- const bool isAuthorized = authSession->checkAuthorization(
- AuthorizationManager::SERVER_RESOURCE_NAME, ActionType::killop);
+ const bool isAuthorized = authSession->isAuthorizedForActionsOnResource(
+ ResourcePattern::forClusterResource(), ActionType::killop);
audit::logKillOpAuthzCheck(
client,
q.query,