From 5ff2f41b0dbad9ef4d96b1407b06a044c0b41c48 Mon Sep 17 00:00:00 2001 From: Sara Golemon Date: Mon, 26 Sep 2022 12:16:57 -0500 Subject: SERVER-70146 Migrate checkAuthForCommand to checkAuthForOperation --- src/mongo/db/commands.cpp | 18 +++++++----------- src/mongo/db/commands.h | 14 ++------------ src/mongo/db/commands/apply_ops_cmd.cpp | 4 ++-- src/mongo/db/commands/current_op.cpp | 8 ++++---- src/mongo/db/commands/dbcheck.cpp | 12 ++++++------ src/mongo/db/commands/dbcommands.cpp | 13 +++++++------ src/mongo/db/commands/fsync.cpp | 11 ++++++----- src/mongo/db/commands/index_filter_commands.cpp | 10 +++++----- src/mongo/db/commands/index_filter_commands.h | 6 +++--- src/mongo/db/commands/kill_op_cmd_base.cpp | 9 +++++---- src/mongo/db/commands/kill_op_cmd_base.h | 6 +++--- src/mongo/db/commands/lock_info.cpp | 12 +++++++----- src/mongo/db/commands/oplog_application_checks.cpp | 12 ++++++------ src/mongo/db/commands/oplog_application_checks.h | 11 ++++++----- src/mongo/db/commands/oplog_note.cpp | 11 ++++++----- src/mongo/db/commands/plan_cache_clear_command.cpp | 16 ++++++++-------- src/mongo/db/commands/profile_common.cpp | 12 ++++++------ src/mongo/db/commands/profile_common.h | 6 +++--- src/mongo/db/commands/resize_oplog.cpp | 8 ++++---- .../set_feature_compatibility_version_command.cpp | 13 +++++++------ src/mongo/db/commands/snapshot_management.cpp | 12 ++++++------ src/mongo/db/free_mon/free_mon_commands.cpp | 22 ++++++++++++---------- src/mongo/db/free_mon/free_mon_commands_stub.cpp | 11 ++++++----- src/mongo/db/ftdc/ftdc_commands.cpp | 7 ++++--- src/mongo/db/repl/repl_set_command.cpp | 12 +++++++----- src/mongo/db/repl/repl_set_command.h | 6 +++--- src/mongo/db/repl/repl_set_commands.cpp | 16 +++++++++------- src/mongo/db/s/cleanup_orphaned_cmd.cpp | 11 ++++++----- src/mongo/db/s/clone_catalog_data_command.cpp | 11 ++++++----- .../db/s/config/configsvr_add_shard_command.cpp | 11 ++++++----- .../config/configsvr_add_shard_to_zone_command.cpp | 11 ++++++----- .../config/configsvr_control_balancer_command.cpp | 11 ++++++----- .../db/s/config/configsvr_move_chunk_command.cpp | 11 ++++++----- .../db/s/config/configsvr_remove_shard_command.cpp | 11 ++++++----- .../configsvr_remove_shard_from_zone_command.cpp | 11 ++++++----- ...r_sharded_collection_chunks_history_command.cpp | 11 ++++++----- .../db/s/config/configsvr_run_restore_command.cpp | 11 ++++++----- .../db/s/config/configsvr_split_chunk_command.cpp | 11 ++++++----- .../configsvr_update_zone_key_range_command.cpp | 11 ++++++----- src/mongo/db/s/get_shard_version_command.cpp | 13 +++++++------ src/mongo/db/s/shardsvr_collmod_command.cpp | 9 +++++---- src/mongo/db/s/shardsvr_merge_chunks_command.cpp | 11 ++++++----- src/mongo/db/s/shardsvr_move_primary_command.cpp | 11 ++++++----- src/mongo/db/s/shardsvr_split_chunk_command.cpp | 11 ++++++----- src/mongo/db/s/split_vector_command.cpp | 13 +++++++------ .../s/commands/cluster_add_shard_to_zone_cmd.cpp | 8 ++++---- .../s/commands/cluster_collection_mod_cmd.cpp | 10 +++++----- .../s/commands/cluster_control_balancer_cmd.cpp | 13 +++++++------ src/mongo/s/commands/cluster_current_op.cpp | 11 ++++++----- src/mongo/s/commands/cluster_ftdc_commands.cpp | 21 +++++++++++---------- .../s/commands/cluster_get_shard_version_cmd.cpp | 13 +++++++------ src/mongo/s/commands/cluster_index_filter_cmd.cpp | 10 +++++----- .../s/commands/cluster_list_collections_cmd.cpp | 10 +++++----- src/mongo/s/commands/cluster_merge_chunks_cmd.cpp | 13 +++++++------ src/mongo/s/commands/cluster_move_primary_cmd.cpp | 13 +++++++------ src/mongo/s/commands/cluster_oplog_note_cmd.cpp | 11 ++++++----- .../s/commands/cluster_plan_cache_clear_cmd.cpp | 10 +++++----- .../cluster_remove_shard_from_zone_cmd.cpp | 8 ++++---- ...epair_sharded_collection_chunks_history_cmd.cpp | 13 +++++++------ .../s/commands/cluster_repl_set_get_status_cmd.cpp | 6 +++--- .../s/commands/cluster_set_free_monitoring_cmd.cpp | 11 ++++++----- .../s/commands/cluster_shard_collection_cmd.cpp | 13 +++++++------ src/mongo/s/commands/cluster_split_cmd.cpp | 13 +++++++------ src/mongo/s/commands/cluster_split_vector_cmd.cpp | 13 +++++++------ .../commands/cluster_update_zone_key_range_cmd.cpp | 8 ++++---- 65 files changed, 379 insertions(+), 347 deletions(-) diff --git a/src/mongo/db/commands.cpp b/src/mongo/db/commands.cpp index 52a0a7121ed..24ef5e32b36 100644 --- a/src/mongo/db/commands.cpp +++ b/src/mongo/db/commands.cpp @@ -995,19 +995,15 @@ Status BasicCommandWithReplyBuilderInterface::explain(OperationContext* opCtx, } Status BasicCommandWithReplyBuilderInterface::checkAuthForOperation(OperationContext* opCtx, - const DatabaseName& dbname, + const DatabaseName& dbName, const BSONObj& cmdObj) const { - return checkAuthForCommand(opCtx->getClient(), dbname.db(), cmdObj); -} - -Status BasicCommandWithReplyBuilderInterface::checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const { std::vector privileges; - this->addRequiredPrivileges(dbname, cmdObj, &privileges); - if (AuthorizationSession::get(client)->isAuthorizedForPrivileges(privileges)) - return Status::OK(); - return Status(ErrorCodes::Unauthorized, "unauthorized"); + this->addRequiredPrivileges(dbName.db(), cmdObj, &privileges); + if (!AuthorizationSession::get(opCtx->getClient())->isAuthorizedForPrivileges(privileges)) { + return {ErrorCodes::Unauthorized, "unauthorized"}; + } + + return Status::OK(); } void Command::generateHelpResponse(OperationContext* opCtx, diff --git a/src/mongo/db/commands.h b/src/mongo/db/commands.h index 83e1d7f2de0..3e5b9d7d4e4 100644 --- a/src/mongo/db/commands.h +++ b/src/mongo/db/commands.h @@ -902,10 +902,10 @@ public: /** * Checks if the client associated with the given OperationContext is authorized to run this - * command. Default implementation defers to checkAuthForCommand. + * command. Default implementation checks via addRequiredPrivileges(). */ virtual Status checkAuthForOperation(OperationContext* opCtx, - const DatabaseName& dbname, + const DatabaseName& dbName, const BSONObj& cmdObj) const; /** @@ -974,16 +974,6 @@ private: // Deprecated virtual methods. // - /** - * Checks if the given client is authorized to run this command on database "dbname" - * with the invocation described by "cmdObj". - * - * NOTE: Implement checkAuthForOperation that takes an OperationContext* instead. - */ - virtual Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const; - /** * Appends to "*out" the privileges required to run this command on database "dbname" with * the invocation described by "cmdObj". New commands shouldn't implement this, they should diff --git a/src/mongo/db/commands/apply_ops_cmd.cpp b/src/mongo/db/commands/apply_ops_cmd.cpp index d114e8396d9..1c69babdd12 100644 --- a/src/mongo/db/commands/apply_ops_cmd.cpp +++ b/src/mongo/db/commands/apply_ops_cmd.cpp @@ -203,10 +203,10 @@ public: } Status checkAuthForOperation(OperationContext* opCtx, - const DatabaseName& dbname, + const DatabaseName& dbName, const BSONObj& cmdObj) const override { OplogApplicationValidity validity = validateApplyOpsCommand(cmdObj); - return OplogApplicationChecks::checkAuthForCommand(opCtx, dbname.db(), cmdObj, validity); + return OplogApplicationChecks::checkAuthForOperation(opCtx, dbName, cmdObj, validity); } bool run(OperationContext* opCtx, diff --git a/src/mongo/db/commands/current_op.cpp b/src/mongo/db/commands/current_op.cpp index 78fec805202..a6e546cf506 100644 --- a/src/mongo/db/commands/current_op.cpp +++ b/src/mongo/db/commands/current_op.cpp @@ -50,10 +50,10 @@ class CurrentOpCommand final : public CurrentOpCommandBase { public: CurrentOpCommand() = default; - Status checkAuthForCommand(Client* client, - const std::string& dbName, - const BSONObj& cmdObj) const final { - AuthorizationSession* authzSession = AuthorizationSession::get(client); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj& cmdObj) const final { + AuthorizationSession* authzSession = AuthorizationSession::get(opCtx->getClient()); if (authzSession->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), ActionType::inprog)) { return Status::OK(); diff --git a/src/mongo/db/commands/dbcheck.cpp b/src/mongo/db/commands/dbcheck.cpp index 9eaa51fe1b6..1b1110abb29 100644 --- a/src/mongo/db/commands/dbcheck.cpp +++ b/src/mongo/db/commands/dbcheck.cpp @@ -668,12 +668,12 @@ public: "Invoke with {dbCheck: 1} to check all collections in the database."; } - virtual Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const { - const bool isAuthorized = - AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forAnyResource(), ActionType::dbCheck); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const override { + const bool isAuthorized = AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource( + ResourcePattern::forAnyResource(), ActionType::dbCheck); return isAuthorized ? Status::OK() : Status(ErrorCodes::Unauthorized, "Unauthorized"); } diff --git a/src/mongo/db/commands/dbcommands.cpp b/src/mongo/db/commands/dbcommands.cpp index c6f8a329fd1..19fd21c513e 100644 --- a/src/mongo/db/commands/dbcommands.cpp +++ b/src/mongo/db/commands/dbcommands.cpp @@ -432,9 +432,9 @@ public: using Request = CollStatsCommand; Status checkAuthForOperation(OperationContext* opCtx, - const DatabaseName& dbname, + const DatabaseName& dbName, const BSONObj& cmdObj) const final { - const auto nss = CommandHelpers::parseNsCollectionRequired(dbname, cmdObj); + const auto nss = CommandHelpers::parseNsCollectionRequired(dbName, cmdObj); auto as = AuthorizationSession::get(opCtx->getClient()); if (!as->isAuthorizedForActionsOnResource(ResourcePattern::forExactNamespace(nss), ActionType::collStats)) { @@ -513,10 +513,11 @@ public: "Example: { collMod: 'foo', index: {name: 'bar', expireAfterSeconds: 600} }\n"; } - virtual Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const { - const NamespaceString nss(parseNs({boost::none, dbname}, cmdObj)); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const override { + auto client = opCtx->getClient(); + auto nss = parseNs(dbName, cmdObj); return auth::checkAuthForCollMod( client->getOperationContext(), AuthorizationSession::get(client), nss, cmdObj, false); } diff --git a/src/mongo/db/commands/fsync.cpp b/src/mongo/db/commands/fsync.cpp index c968bb51882..f84b77bff5c 100644 --- a/src/mongo/db/commands/fsync.cpp +++ b/src/mongo/db/commands/fsync.cpp @@ -290,11 +290,12 @@ public: return true; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override { - bool isAuthorized = AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forClusterResource(), ActionType::unlock); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const override { + bool isAuthorized = AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource( + ResourcePattern::forClusterResource(), ActionType::unlock); return isAuthorized ? Status::OK() : Status(ErrorCodes::Unauthorized, "Unauthorized"); } diff --git a/src/mongo/db/commands/index_filter_commands.cpp b/src/mongo/db/commands/index_filter_commands.cpp index 1497e7ae763..423014c0c04 100644 --- a/src/mongo/db/commands/index_filter_commands.cpp +++ b/src/mongo/db/commands/index_filter_commands.cpp @@ -109,11 +109,11 @@ std::string IndexFilterCommand::help() const { return helpText; } -Status IndexFilterCommand::checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const { - AuthorizationSession* authzSession = AuthorizationSession::get(client); - ResourcePattern pattern = parseResourcePattern(dbname, cmdObj); +Status IndexFilterCommand::checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const { + AuthorizationSession* authzSession = AuthorizationSession::get(opCtx->getClient()); + ResourcePattern pattern = parseResourcePattern(dbName.db(), cmdObj); if (authzSession->isAuthorizedForActionsOnResource(pattern, ActionType::planCacheIndexFilter)) { return Status::OK(); diff --git a/src/mongo/db/commands/index_filter_commands.h b/src/mongo/db/commands/index_filter_commands.h index 462fc9c8df2..5f7561af73c 100644 --- a/src/mongo/db/commands/index_filter_commands.h +++ b/src/mongo/db/commands/index_filter_commands.h @@ -80,9 +80,9 @@ public: * One action type defined for index filter commands: * - planCacheIndexFilter */ - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override; + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const override; virtual Status runIndexFilterCommand(OperationContext* opCtx, const CollectionPtr& collection, diff --git a/src/mongo/db/commands/kill_op_cmd_base.cpp b/src/mongo/db/commands/kill_op_cmd_base.cpp index c8595618488..49e277ae925 100644 --- a/src/mongo/db/commands/kill_op_cmd_base.cpp +++ b/src/mongo/db/commands/kill_op_cmd_base.cpp @@ -76,9 +76,10 @@ void KillOpCmdBase::reportSuccessfulCompletion(OperationContext* opCtx, } -Status KillOpCmdBase::checkAuthForCommand(Client* worker, - const std::string& dbname, - const BSONObj& cmdObj) const { +Status KillOpCmdBase::checkAuthForOperation(OperationContext* workerOpCtx, + const DatabaseName&, + const BSONObj& cmdObj) const { + auto* worker = workerOpCtx->getClient(); auto opKiller = OperationKiller(worker); if (opKiller.isGenerallyAuthorizedToKill()) { @@ -87,7 +88,7 @@ Status KillOpCmdBase::checkAuthForCommand(Client* worker, if (isKillingLocalOp(cmdObj.getField("op"))) { // Look up the OperationContext and see if we have permission to kill it. This is done once - // here and again in the command body. The check here in the checkAuthForCommand() function + // here and again in the command body. The check here in the checkAuthForOperation function // is necessary because if the check fails, it will be picked up by the auditing system. long long opId = parseOpId(cmdObj); auto target = worker->getServiceContext()->getLockedClient(opId); diff --git a/src/mongo/db/commands/kill_op_cmd_base.h b/src/mongo/db/commands/kill_op_cmd_base.h index 7439daddeeb..8a48d623ff6 100644 --- a/src/mongo/db/commands/kill_op_cmd_base.h +++ b/src/mongo/db/commands/kill_op_cmd_base.h @@ -54,9 +54,9 @@ public: return true; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const final; + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const final; protected: /** diff --git a/src/mongo/db/commands/lock_info.cpp b/src/mongo/db/commands/lock_info.cpp index 525c0a31671..d7e77df6453 100644 --- a/src/mongo/db/commands/lock_info.cpp +++ b/src/mongo/db/commands/lock_info.cpp @@ -64,11 +64,13 @@ public: return "show all lock info on the server"; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const final { - bool isAuthorized = AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forClusterResource(), ActionType::serverStatus); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const final { + bool isAuthorized = + AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::serverStatus); return isAuthorized ? Status::OK() : Status(ErrorCodes::Unauthorized, "Unauthorized"); } diff --git a/src/mongo/db/commands/oplog_application_checks.cpp b/src/mongo/db/commands/oplog_application_checks.cpp index 02cc6e51366..c4f65bb478b 100644 --- a/src/mongo/db/commands/oplog_application_checks.cpp +++ b/src/mongo/db/commands/oplog_application_checks.cpp @@ -43,7 +43,7 @@ UUID OplogApplicationChecks::getUUIDFromOplogEntry(const BSONObj& oplogEntry) { }; Status OplogApplicationChecks::checkOperationAuthorization(OperationContext* opCtx, - const std::string& dbname, + const DatabaseName&, const BSONObj& oplogEntry, AuthorizationSession* authSession, bool alwaysUpsert) { @@ -206,10 +206,10 @@ Status OplogApplicationChecks::checkOperation(const BSONElement& e) { return Status::OK(); } -Status OplogApplicationChecks::checkAuthForCommand(OperationContext* opCtx, - const std::string& dbname, - const BSONObj& cmdObj, - OplogApplicationValidity validity) { +Status OplogApplicationChecks::checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj, + OplogApplicationValidity validity) { AuthorizationSession* authSession = AuthorizationSession::get(opCtx->getClient()); if (!authSession->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), ActionType::applyOps)) { @@ -252,7 +252,7 @@ Status OplogApplicationChecks::checkAuthForCommand(OperationContext* opCtx, for (const BSONElement& e : cmdObj.firstElement().Array()) { checkBSONType(BSONType::Object, e); Status status = OplogApplicationChecks::checkOperationAuthorization( - opCtx, dbname, e.Obj(), authSession, alwaysUpsert); + opCtx, dbName, e.Obj(), authSession, alwaysUpsert); if (!status.isOK()) { return status; } diff --git a/src/mongo/db/commands/oplog_application_checks.h b/src/mongo/db/commands/oplog_application_checks.h index 3537dc716ab..3152510a66b 100644 --- a/src/mongo/db/commands/oplog_application_checks.h +++ b/src/mongo/db/commands/oplog_application_checks.h @@ -35,6 +35,7 @@ namespace mongo { class BSONElement; class BSONObj; +class DatabaseName; class OperationContext; // OplogApplicationValidity represents special conditions relevant to authorization for @@ -58,10 +59,10 @@ public: /** * Checks the authorization for an entire oplog application command. */ - static Status checkAuthForCommand(OperationContext* opCtx, - const std::string& dbname, - const BSONObj& cmdObj, - OplogApplicationValidity validity); + static Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj, + OplogApplicationValidity validity); /** * Checks that 'opsElement' is an array and all elements of the array are valid operations. @@ -76,7 +77,7 @@ private: * command. */ static Status checkOperationAuthorization(OperationContext* opCtx, - const std::string& dbname, + const DatabaseName& dbName, const BSONObj& oplogEntry, AuthorizationSession* authSession, bool alwaysUpsert); diff --git a/src/mongo/db/commands/oplog_note.cpp b/src/mongo/db/commands/oplog_note.cpp index c7017f99b2d..74c7a73accd 100644 --- a/src/mongo/db/commands/oplog_note.cpp +++ b/src/mongo/db/commands/oplog_note.cpp @@ -107,11 +107,12 @@ public: return "Adds a no-op entry to the oplog"; } - virtual Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forClusterResource(), ActionType::appendOplogNote)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const override { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::appendOplogNote)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } return Status::OK(); diff --git a/src/mongo/db/commands/plan_cache_clear_command.cpp b/src/mongo/db/commands/plan_cache_clear_command.cpp index 05107ba795f..09115ee17bd 100644 --- a/src/mongo/db/commands/plan_cache_clear_command.cpp +++ b/src/mongo/db/commands/plan_cache_clear_command.cpp @@ -154,20 +154,20 @@ public: return AllowedOnSecondary::kOptIn; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override; + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const override; std::string help() const override { return "Drops one or all plan cache entries in a collection."; } } planCacheClearCommand; -Status PlanCacheClearCommand::checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const { - AuthorizationSession* authzSession = AuthorizationSession::get(client); - ResourcePattern pattern = parseResourcePattern(dbname, cmdObj); +Status PlanCacheClearCommand::checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const { + AuthorizationSession* authzSession = AuthorizationSession::get(opCtx->getClient()); + ResourcePattern pattern = parseResourcePattern(dbName.db(), cmdObj); if (authzSession->isAuthorizedForActionsOnResource(pattern, ActionType::planCacheWrite)) { return Status::OK(); diff --git a/src/mongo/db/commands/profile_common.cpp b/src/mongo/db/commands/profile_common.cpp index a35e9e7bf3e..a2d42f3480c 100644 --- a/src/mongo/db/commands/profile_common.cpp +++ b/src/mongo/db/commands/profile_common.cpp @@ -44,10 +44,10 @@ namespace mongo { -Status ProfileCmdBase::checkAuthForCommand(Client* client, - const std::string& dbName, - const BSONObj& cmdObj) const { - AuthorizationSession* authzSession = AuthorizationSession::get(client); +Status ProfileCmdBase::checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const { + AuthorizationSession* authzSession = AuthorizationSession::get(opCtx->getClient()); auto request = ProfileCmdRequest::parse(IDLParserContext("profile"), cmdObj); const auto profilingLevel = request.getCommandParameter(); @@ -61,8 +61,8 @@ Status ProfileCmdBase::checkAuthForCommand(Client* client, } } - return authzSession->isAuthorizedForActionsOnResource(ResourcePattern::forDatabaseName(dbName), - ActionType::enableProfiler) + return authzSession->isAuthorizedForActionsOnResource( + ResourcePattern::forDatabaseName(dbName.db()), ActionType::enableProfiler) ? Status::OK() : Status(ErrorCodes::Unauthorized, "unauthorized"); } diff --git a/src/mongo/db/commands/profile_common.h b/src/mongo/db/commands/profile_common.h index e691636bf8b..f09bce4e993 100644 --- a/src/mongo/db/commands/profile_common.h +++ b/src/mongo/db/commands/profile_common.h @@ -64,9 +64,9 @@ public: return false; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const final; + Status checkAuthForOperation(OperationContext*, + const DatabaseName&, + const BSONObj&) const final; bool run(OperationContext* opCtx, const DatabaseName& dbName, diff --git a/src/mongo/db/commands/resize_oplog.cpp b/src/mongo/db/commands/resize_oplog.cpp index 5aa3c693dab..0c96a36e5d4 100644 --- a/src/mongo/db/commands/resize_oplog.cpp +++ b/src/mongo/db/commands/resize_oplog.cpp @@ -67,10 +67,10 @@ public: return "Resize oplog using size (in MBs) and optionally, retention (in terms of hours)"; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const final { - AuthorizationSession* authzSession = AuthorizationSession::get(client); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const final { + AuthorizationSession* authzSession = AuthorizationSession::get(opCtx->getClient()); if (authzSession->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), ActionType::replSetResizeOplog)) { return Status::OK(); diff --git a/src/mongo/db/commands/set_feature_compatibility_version_command.cpp b/src/mongo/db/commands/set_feature_compatibility_version_command.cpp index f598459ac0d..d73102619d2 100644 --- a/src/mongo/db/commands/set_feature_compatibility_version_command.cpp +++ b/src/mongo/db/commands/set_feature_compatibility_version_command.cpp @@ -251,14 +251,15 @@ public: return h.str(); } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forClusterResource(), - ActionType::setFeatureCompatibilityVersion)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const override { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::setFeatureCompatibilityVersion)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } + return Status::OK(); } diff --git a/src/mongo/db/commands/snapshot_management.cpp b/src/mongo/db/commands/snapshot_management.cpp index 5dfcab27983..d84e94c3254 100644 --- a/src/mongo/db/commands/snapshot_management.cpp +++ b/src/mongo/db/commands/snapshot_management.cpp @@ -56,9 +56,9 @@ public: } // No auth needed because it only works when enabled via command line. - virtual Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const { + Status checkAuthForOperation(OperationContext*, + const DatabaseName&, + const BSONObj&) const override { return Status::OK(); } @@ -101,9 +101,9 @@ public: } // No auth needed because it only works when enabled via command line. - virtual Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const { + Status checkAuthForOperation(OperationContext*, + const DatabaseName&, + const BSONObj&) const override { return Status::OK(); } diff --git a/src/mongo/db/free_mon/free_mon_commands.cpp b/src/mongo/db/free_mon/free_mon_commands.cpp index d1fa55285f1..5d639d03558 100644 --- a/src/mongo/db/free_mon/free_mon_commands.cpp +++ b/src/mongo/db/free_mon/free_mon_commands.cpp @@ -65,11 +65,12 @@ public: return "Indicates free monitoring status"; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const final { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forClusterResource(), ActionType::checkFreeMonitoringStatus)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const final { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::checkFreeMonitoringStatus)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } return Status::OK(); @@ -121,11 +122,12 @@ public: return "enable or disable Free Monitoring"; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const final { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forClusterResource(), ActionType::setFreeMonitoring)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const final { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::setFreeMonitoring)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } return Status::OK(); diff --git a/src/mongo/db/free_mon/free_mon_commands_stub.cpp b/src/mongo/db/free_mon/free_mon_commands_stub.cpp index 7a9942ccee2..6249c21f679 100644 --- a/src/mongo/db/free_mon/free_mon_commands_stub.cpp +++ b/src/mongo/db/free_mon/free_mon_commands_stub.cpp @@ -63,11 +63,12 @@ public: return "Indicates free monitoring status"; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const final { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forClusterResource(), ActionType::checkFreeMonitoringStatus)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const final { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::checkFreeMonitoringStatus)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } return Status::OK(); diff --git a/src/mongo/db/ftdc/ftdc_commands.cpp b/src/mongo/db/ftdc/ftdc_commands.cpp index 12b604ce9cf..27315a51440 100644 --- a/src/mongo/db/ftdc/ftdc_commands.cpp +++ b/src/mongo/db/ftdc/ftdc_commands.cpp @@ -66,9 +66,10 @@ public: return false; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const override { + auto* client = opCtx->getClient(); if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( ResourcePattern::forClusterResource(), ActionType::serverStatus)) { diff --git a/src/mongo/db/repl/repl_set_command.cpp b/src/mongo/db/repl/repl_set_command.cpp index c157b066fe9..510d75d2c0a 100644 --- a/src/mongo/db/repl/repl_set_command.cpp +++ b/src/mongo/db/repl/repl_set_command.cpp @@ -36,13 +36,15 @@ namespace mongo { namespace repl { -Status ReplSetCommand::checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forClusterResource(), getAuthActionSet())) { +Status ReplSetCommand::checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + getAuthActionSet())) { return {ErrorCodes::Unauthorized, "Unauthorized"}; } + return Status::OK(); } diff --git a/src/mongo/db/repl/repl_set_command.h b/src/mongo/db/repl/repl_set_command.h index 4946ea86c11..b18a3538c69 100644 --- a/src/mongo/db/repl/repl_set_command.h +++ b/src/mongo/db/repl/repl_set_command.h @@ -60,9 +60,9 @@ protected: return false; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override; + Status checkAuthForOperation(OperationContext*, + const DatabaseName&, + const BSONObj&) const override; virtual ActionSet getAuthActionSet() const { return ActionSet{ActionType::internal}; diff --git a/src/mongo/db/repl/repl_set_commands.cpp b/src/mongo/db/repl/repl_set_commands.cpp index cd17527bbf2..31112fa06c7 100644 --- a/src/mongo/db/repl/repl_set_commands.cpp +++ b/src/mongo/db/repl/repl_set_commands.cpp @@ -93,17 +93,19 @@ public: std::string help() const override { return "Just for tests.\n"; } + // No auth needed because it only works when enabled via command line. - virtual Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const { + Status checkAuthForOperation(OperationContext*, + const DatabaseName&, + const BSONObj&) const override { return Status::OK(); } + CmdReplSetTest() : ReplSetCommand("replSetTest") {} - virtual bool run(OperationContext* opCtx, - const DatabaseName&, - const BSONObj& cmdObj, - BSONObjBuilder& result) { + bool run(OperationContext* opCtx, + const DatabaseName&, + const BSONObj& cmdObj, + BSONObjBuilder& result) override { LOGV2(21573, "replSetTest command received: {cmdObj}", "replSetTest command received", diff --git a/src/mongo/db/s/cleanup_orphaned_cmd.cpp b/src/mongo/db/s/cleanup_orphaned_cmd.cpp index e3f2e4779e0..2e6ab879782 100644 --- a/src/mongo/db/s/cleanup_orphaned_cmd.cpp +++ b/src/mongo/db/s/cleanup_orphaned_cmd.cpp @@ -160,11 +160,12 @@ public: return true; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forClusterResource(), ActionType::cleanupOrphaned)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const override { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::cleanupOrphaned)) { return Status(ErrorCodes::Unauthorized, "Not authorized for cleanupOrphaned command."); } return Status::OK(); diff --git a/src/mongo/db/s/clone_catalog_data_command.cpp b/src/mongo/db/s/clone_catalog_data_command.cpp index b996368e454..fe92765e3b2 100644 --- a/src/mongo/db/s/clone_catalog_data_command.cpp +++ b/src/mongo/db/s/clone_catalog_data_command.cpp @@ -74,11 +74,12 @@ public: return true; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forClusterResource(), ActionType::internal)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const override { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::internal)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } diff --git a/src/mongo/db/s/config/configsvr_add_shard_command.cpp b/src/mongo/db/s/config/configsvr_add_shard_command.cpp index 9ea14319405..d08669474fc 100644 --- a/src/mongo/db/s/config/configsvr_add_shard_command.cpp +++ b/src/mongo/db/s/config/configsvr_add_shard_command.cpp @@ -81,11 +81,12 @@ public: return true; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forClusterResource(), ActionType::internal)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const override { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::internal)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } return Status::OK(); diff --git a/src/mongo/db/s/config/configsvr_add_shard_to_zone_command.cpp b/src/mongo/db/s/config/configsvr_add_shard_to_zone_command.cpp index 141fe3d9ddb..697ba004878 100644 --- a/src/mongo/db/s/config/configsvr_add_shard_to_zone_command.cpp +++ b/src/mongo/db/s/config/configsvr_add_shard_to_zone_command.cpp @@ -82,11 +82,12 @@ public: return true; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forClusterResource(), ActionType::internal)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const override { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::internal)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } return Status::OK(); diff --git a/src/mongo/db/s/config/configsvr_control_balancer_command.cpp b/src/mongo/db/s/config/configsvr_control_balancer_command.cpp index b02a6b1a266..522c81ef245 100644 --- a/src/mongo/db/s/config/configsvr_control_balancer_command.cpp +++ b/src/mongo/db/s/config/configsvr_control_balancer_command.cpp @@ -70,11 +70,12 @@ public: return false; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forClusterResource(), ActionType::internal)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const override { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::internal)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } return Status::OK(); diff --git a/src/mongo/db/s/config/configsvr_move_chunk_command.cpp b/src/mongo/db/s/config/configsvr_move_chunk_command.cpp index 10c19ab53d8..ccbec5e98b2 100644 --- a/src/mongo/db/s/config/configsvr_move_chunk_command.cpp +++ b/src/mongo/db/s/config/configsvr_move_chunk_command.cpp @@ -72,11 +72,12 @@ public: return true; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forClusterResource(), ActionType::internal)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const override { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::internal)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } return Status::OK(); diff --git a/src/mongo/db/s/config/configsvr_remove_shard_command.cpp b/src/mongo/db/s/config/configsvr_remove_shard_command.cpp index a17fb730363..efebf6f1cf9 100644 --- a/src/mongo/db/s/config/configsvr_remove_shard_command.cpp +++ b/src/mongo/db/s/config/configsvr_remove_shard_command.cpp @@ -83,11 +83,12 @@ public: return true; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forClusterResource(), ActionType::internal)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const override { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::internal)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } return Status::OK(); diff --git a/src/mongo/db/s/config/configsvr_remove_shard_from_zone_command.cpp b/src/mongo/db/s/config/configsvr_remove_shard_from_zone_command.cpp index 1be2824081e..69a50eae5a0 100644 --- a/src/mongo/db/s/config/configsvr_remove_shard_from_zone_command.cpp +++ b/src/mongo/db/s/config/configsvr_remove_shard_from_zone_command.cpp @@ -85,11 +85,12 @@ public: return true; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forClusterResource(), ActionType::internal)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const override { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::internal)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } return Status::OK(); diff --git a/src/mongo/db/s/config/configsvr_repair_sharded_collection_chunks_history_command.cpp b/src/mongo/db/s/config/configsvr_repair_sharded_collection_chunks_history_command.cpp index a91151f12f7..2017fc4e8f9 100644 --- a/src/mongo/db/s/config/configsvr_repair_sharded_collection_chunks_history_command.cpp +++ b/src/mongo/db/s/config/configsvr_repair_sharded_collection_chunks_history_command.cpp @@ -72,11 +72,12 @@ public: return NamespaceString(dbName.tenantId(), CommandHelpers::parseNsFullyQualified(cmdObj)); } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forClusterResource(), ActionType::internal)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const override { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::internal)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } return Status::OK(); diff --git a/src/mongo/db/s/config/configsvr_run_restore_command.cpp b/src/mongo/db/s/config/configsvr_run_restore_command.cpp index ef9de4c5231..f5cbddd0dfc 100644 --- a/src/mongo/db/s/config/configsvr_run_restore_command.cpp +++ b/src/mongo/db/s/config/configsvr_run_restore_command.cpp @@ -152,11 +152,12 @@ public: return false; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forClusterResource(), ActionType::internal)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const override { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::internal)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } return Status::OK(); diff --git a/src/mongo/db/s/config/configsvr_split_chunk_command.cpp b/src/mongo/db/s/config/configsvr_split_chunk_command.cpp index 37ac4d023b6..4aa73b27c5c 100644 --- a/src/mongo/db/s/config/configsvr_split_chunk_command.cpp +++ b/src/mongo/db/s/config/configsvr_split_chunk_command.cpp @@ -94,11 +94,12 @@ public: return true; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forClusterResource(), ActionType::internal)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const override { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::internal)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } return Status::OK(); diff --git a/src/mongo/db/s/config/configsvr_update_zone_key_range_command.cpp b/src/mongo/db/s/config/configsvr_update_zone_key_range_command.cpp index fa562f8b04c..11e8ebf7ed9 100644 --- a/src/mongo/db/s/config/configsvr_update_zone_key_range_command.cpp +++ b/src/mongo/db/s/config/configsvr_update_zone_key_range_command.cpp @@ -87,11 +87,12 @@ public: return true; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forClusterResource(), ActionType::internal)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const override { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::internal)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } return Status::OK(); diff --git a/src/mongo/db/s/get_shard_version_command.cpp b/src/mongo/db/s/get_shard_version_command.cpp index 391d9d2ca71..e5a940af46b 100644 --- a/src/mongo/db/s/get_shard_version_command.cpp +++ b/src/mongo/db/s/get_shard_version_command.cpp @@ -65,12 +65,13 @@ public: return true; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forExactNamespace(parseNs({boost::none, dbname}, cmdObj)), - ActionType::getShardVersion)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const override { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource( + ResourcePattern::forExactNamespace(parseNs(dbName, cmdObj)), + ActionType::getShardVersion)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } return Status::OK(); diff --git a/src/mongo/db/s/shardsvr_collmod_command.cpp b/src/mongo/db/s/shardsvr_collmod_command.cpp index 76851922697..b924c43cfdf 100644 --- a/src/mongo/db/s/shardsvr_collmod_command.cpp +++ b/src/mongo/db/s/shardsvr_collmod_command.cpp @@ -69,10 +69,11 @@ public: "directly. Modifies collection."; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override { - const NamespaceString nss(parseNs({boost::none, dbname}, cmdObj)); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const override { + auto* client = opCtx->getClient(); + const NamespaceString nss(parseNs(dbName, cmdObj)); return auth::checkAuthForCollMod( client->getOperationContext(), AuthorizationSession::get(client), nss, cmdObj, false); } diff --git a/src/mongo/db/s/shardsvr_merge_chunks_command.cpp b/src/mongo/db/s/shardsvr_merge_chunks_command.cpp index 22f20b9135b..de7bf83bc26 100644 --- a/src/mongo/db/s/shardsvr_merge_chunks_command.cpp +++ b/src/mongo/db/s/shardsvr_merge_chunks_command.cpp @@ -135,11 +135,12 @@ public: "Usage: { mergeChunks: , epoch: , bounds: [, ] }"; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forClusterResource(), ActionType::internal)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const override { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::internal)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } return Status::OK(); diff --git a/src/mongo/db/s/shardsvr_move_primary_command.cpp b/src/mongo/db/s/shardsvr_move_primary_command.cpp index 3f08102515d..7ce0578789c 100644 --- a/src/mongo/db/s/shardsvr_move_primary_command.cpp +++ b/src/mongo/db/s/shardsvr_move_primary_command.cpp @@ -68,11 +68,12 @@ public: return true; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forClusterResource(), ActionType::internal)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const override { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::internal)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } return Status::OK(); diff --git a/src/mongo/db/s/shardsvr_split_chunk_command.cpp b/src/mongo/db/s/shardsvr_split_chunk_command.cpp index 3d11f8990fc..c62a3d07c27 100644 --- a/src/mongo/db/s/shardsvr_split_chunk_command.cpp +++ b/src/mongo/db/s/shardsvr_split_chunk_command.cpp @@ -76,11 +76,12 @@ public: return true; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forClusterResource(), ActionType::internal)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const override { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::internal)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } return Status::OK(); diff --git a/src/mongo/db/s/split_vector_command.cpp b/src/mongo/db/s/split_vector_command.cpp index 9b2812af619..511d9ff52f0 100644 --- a/src/mongo/db/s/split_vector_command.cpp +++ b/src/mongo/db/s/split_vector_command.cpp @@ -69,12 +69,13 @@ public: "NOTE: This command may take a while to run"; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forExactNamespace(parseNs({boost::none, dbname}, cmdObj)), - ActionType::splitVector)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const override { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource( + ResourcePattern::forExactNamespace(parseNs(dbName, cmdObj)), + ActionType::splitVector)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } return Status::OK(); diff --git a/src/mongo/s/commands/cluster_add_shard_to_zone_cmd.cpp b/src/mongo/s/commands/cluster_add_shard_to_zone_cmd.cpp index 4c6dc7e762b..83628cd10f9 100644 --- a/src/mongo/s/commands/cluster_add_shard_to_zone_cmd.cpp +++ b/src/mongo/s/commands/cluster_add_shard_to_zone_cmd.cpp @@ -80,10 +80,10 @@ public: return "adds a shard to zone"; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const final { - auto* as = AuthorizationSession::get(client); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const final { + auto* as = AuthorizationSession::get(opCtx->getClient()); if (as->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), ActionType::enableSharding)) { diff --git a/src/mongo/s/commands/cluster_collection_mod_cmd.cpp b/src/mongo/s/commands/cluster_collection_mod_cmd.cpp index 146778efdc0..777f30bf5f9 100644 --- a/src/mongo/s/commands/cluster_collection_mod_cmd.cpp +++ b/src/mongo/s/commands/cluster_collection_mod_cmd.cpp @@ -71,11 +71,11 @@ public: return false; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override { - const NamespaceString nss( - CommandHelpers::parseNsCollectionRequired({boost::none, dbname}, cmdObj)); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const override { + auto* client = opCtx->getClient(); + const NamespaceString nss(CommandHelpers::parseNsCollectionRequired(dbName, cmdObj)); return auth::checkAuthForCollMod( client->getOperationContext(), AuthorizationSession::get(client), nss, cmdObj, true); } diff --git a/src/mongo/s/commands/cluster_control_balancer_cmd.cpp b/src/mongo/s/commands/cluster_control_balancer_cmd.cpp index 2cf2bfd5eef..97bc5fbcbb8 100644 --- a/src/mongo/s/commands/cluster_control_balancer_cmd.cpp +++ b/src/mongo/s/commands/cluster_control_balancer_cmd.cpp @@ -74,12 +74,13 @@ public: return "Starts or stops the sharding balancer."; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forExactNamespace(NamespaceString("config", "settings")), - _authorizationAction)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const override { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource( + ResourcePattern::forExactNamespace(NamespaceString("config", "settings")), + _authorizationAction)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } return Status::OK(); diff --git a/src/mongo/s/commands/cluster_current_op.cpp b/src/mongo/s/commands/cluster_current_op.cpp index 5f4f2187b49..040c43bfb5d 100644 --- a/src/mongo/s/commands/cluster_current_op.cpp +++ b/src/mongo/s/commands/cluster_current_op.cpp @@ -50,11 +50,12 @@ class ClusterCurrentOpCommand final : public CurrentOpCommandBase { public: ClusterCurrentOpCommand() = default; - Status checkAuthForCommand(Client* client, - const std::string& dbName, - const BSONObj& cmdObj) const final { - bool isAuthorized = AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forClusterResource(), ActionType::inprog); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const final { + bool isAuthorized = AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource( + ResourcePattern::forClusterResource(), ActionType::inprog); return isAuthorized ? Status::OK() : Status(ErrorCodes::Unauthorized, "Unauthorized"); } diff --git a/src/mongo/s/commands/cluster_ftdc_commands.cpp b/src/mongo/s/commands/cluster_ftdc_commands.cpp index 3b2ac9e0a16..0b41c12fee6 100644 --- a/src/mongo/s/commands/cluster_ftdc_commands.cpp +++ b/src/mongo/s/commands/cluster_ftdc_commands.cpp @@ -65,26 +65,27 @@ public: return false; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const override { + auto* as = AuthorizationSession::get(opCtx->getClient()); - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forClusterResource(), ActionType::serverStatus)) { + if (!as->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::serverStatus)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forClusterResource(), ActionType::replSetGetStatus)) { + if (!as->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::replSetGetStatus)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forClusterResource(), ActionType::connPoolStats)) { + if (!as->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::connPoolStats)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( + if (!as->isAuthorizedForActionsOnResource( ResourcePattern::forExactNamespace(NamespaceString("local", "oplog.rs")), ActionType::collStats)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); diff --git a/src/mongo/s/commands/cluster_get_shard_version_cmd.cpp b/src/mongo/s/commands/cluster_get_shard_version_cmd.cpp index 5b4eebb96b8..8062c712298 100644 --- a/src/mongo/s/commands/cluster_get_shard_version_cmd.cpp +++ b/src/mongo/s/commands/cluster_get_shard_version_cmd.cpp @@ -64,12 +64,13 @@ public: return " example: { getShardVersion : 'alleyinsider.foo' } "; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forExactNamespace(parseNs({boost::none, dbname}, cmdObj)), - ActionType::getShardVersion)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const override { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource( + ResourcePattern::forExactNamespace(parseNs(dbName, cmdObj)), + ActionType::getShardVersion)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } diff --git a/src/mongo/s/commands/cluster_index_filter_cmd.cpp b/src/mongo/s/commands/cluster_index_filter_cmd.cpp index f58433fbf2e..976508dbd4c 100644 --- a/src/mongo/s/commands/cluster_index_filter_cmd.cpp +++ b/src/mongo/s/commands/cluster_index_filter_cmd.cpp @@ -68,11 +68,11 @@ public: return false; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const { - AuthorizationSession* authzSession = AuthorizationSession::get(client); - ResourcePattern pattern = parseResourcePattern(dbname, cmdObj); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const { + auto* authzSession = AuthorizationSession::get(opCtx->getClient()); + ResourcePattern pattern = parseResourcePattern(dbName.db(), cmdObj); if (authzSession->isAuthorizedForActionsOnResource(pattern, ActionType::planCacheIndexFilter)) { diff --git a/src/mongo/s/commands/cluster_list_collections_cmd.cpp b/src/mongo/s/commands/cluster_list_collections_cmd.cpp index f1be781cf9d..d033660ca5d 100644 --- a/src/mongo/s/commands/cluster_list_collections_cmd.cpp +++ b/src/mongo/s/commands/cluster_list_collections_cmd.cpp @@ -209,11 +209,11 @@ public: return false; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const final { - AuthorizationSession* authzSession = AuthorizationSession::get(client); - return authzSession->checkAuthorizedToListCollections(dbname, cmdObj).getStatus(); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const final { + auto* authzSession = AuthorizationSession::get(opCtx->getClient()); + return authzSession->checkAuthorizedToListCollections(dbName.db(), cmdObj).getStatus(); } bool runWithRequestParser(OperationContext* opCtx, diff --git a/src/mongo/s/commands/cluster_merge_chunks_cmd.cpp b/src/mongo/s/commands/cluster_merge_chunks_cmd.cpp index 70052f94d45..b318b2e2bd0 100644 --- a/src/mongo/s/commands/cluster_merge_chunks_cmd.cpp +++ b/src/mongo/s/commands/cluster_merge_chunks_cmd.cpp @@ -60,12 +60,13 @@ public: "usage: { mergeChunks : , bounds : [ , ] }"; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forExactNamespace(parseNs({boost::none, dbname}, cmdObj)), - ActionType::splitChunk)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const override { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource( + ResourcePattern::forExactNamespace(parseNs(dbName, cmdObj)), + ActionType::splitChunk)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } return Status::OK(); diff --git a/src/mongo/s/commands/cluster_move_primary_cmd.cpp b/src/mongo/s/commands/cluster_move_primary_cmd.cpp index b39a3f7f23d..661f0821698 100644 --- a/src/mongo/s/commands/cluster_move_primary_cmd.cpp +++ b/src/mongo/s/commands/cluster_move_primary_cmd.cpp @@ -70,12 +70,13 @@ public: return " example: { moveprimary : 'foo' , to : 'localhost:9999' }"; } - virtual Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forDatabaseName(parseNs({boost::none, dbname}, cmdObj).db()), - ActionType::moveChunk)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource( + ResourcePattern::forDatabaseName(parseNs(dbName, cmdObj).db()), + ActionType::moveChunk)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } diff --git a/src/mongo/s/commands/cluster_oplog_note_cmd.cpp b/src/mongo/s/commands/cluster_oplog_note_cmd.cpp index 12c16f58ffc..4ba10bd0dca 100644 --- a/src/mongo/s/commands/cluster_oplog_note_cmd.cpp +++ b/src/mongo/s/commands/cluster_oplog_note_cmd.cpp @@ -72,11 +72,12 @@ public: return "Performs a no-op entry on the oplog on each shard"; } - virtual Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forClusterResource(), ActionType::appendOplogNote)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const override { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::appendOplogNote)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } return Status::OK(); diff --git a/src/mongo/s/commands/cluster_plan_cache_clear_cmd.cpp b/src/mongo/s/commands/cluster_plan_cache_clear_cmd.cpp index 35602bae6d4..338014024c4 100644 --- a/src/mongo/s/commands/cluster_plan_cache_clear_cmd.cpp +++ b/src/mongo/s/commands/cluster_plan_cache_clear_cmd.cpp @@ -68,11 +68,11 @@ public: return CommandHelpers::parseNsCollectionRequired(dbName, cmdObj); } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const { - AuthorizationSession* authzSession = AuthorizationSession::get(client); - ResourcePattern pattern = parseResourcePattern(dbname, cmdObj); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const { + AuthorizationSession* authzSession = AuthorizationSession::get(opCtx->getClient()); + ResourcePattern pattern = parseResourcePattern(dbName.db(), cmdObj); if (authzSession->isAuthorizedForActionsOnResource(pattern, ActionType::planCacheWrite)) { return Status::OK(); diff --git a/src/mongo/s/commands/cluster_remove_shard_from_zone_cmd.cpp b/src/mongo/s/commands/cluster_remove_shard_from_zone_cmd.cpp index 4b63870523a..9fa3038eaf7 100644 --- a/src/mongo/s/commands/cluster_remove_shard_from_zone_cmd.cpp +++ b/src/mongo/s/commands/cluster_remove_shard_from_zone_cmd.cpp @@ -87,10 +87,10 @@ public: return "removes a shard from the zone"; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const final { - auto* as = AuthorizationSession::get(client); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const final { + auto* as = AuthorizationSession::get(opCtx->getClient()); if (as->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), ActionType::enableSharding)) { diff --git a/src/mongo/s/commands/cluster_repair_sharded_collection_chunks_history_cmd.cpp b/src/mongo/s/commands/cluster_repair_sharded_collection_chunks_history_cmd.cpp index a3b154f0a1c..94483788136 100644 --- a/src/mongo/s/commands/cluster_repair_sharded_collection_chunks_history_cmd.cpp +++ b/src/mongo/s/commands/cluster_repair_sharded_collection_chunks_history_cmd.cpp @@ -74,12 +74,13 @@ public: // The command intentionally uses the permission control of split/mergeChunks since it only // modifies the contents of chunk entries and increments the collection/shard versions without // causing any data placement changes - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forExactNamespace(parseNs({boost::none, dbname}, cmdObj)), - ActionType::splitChunk)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const override { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource( + ResourcePattern::forExactNamespace(parseNs(dbName, cmdObj)), + ActionType::splitChunk)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } return Status::OK(); diff --git a/src/mongo/s/commands/cluster_repl_set_get_status_cmd.cpp b/src/mongo/s/commands/cluster_repl_set_get_status_cmd.cpp index 4618c8d6116..96c9d4e73f3 100644 --- a/src/mongo/s/commands/cluster_repl_set_get_status_cmd.cpp +++ b/src/mongo/s/commands/cluster_repl_set_get_status_cmd.cpp @@ -57,9 +57,9 @@ public: return "Not supported through mongos"; } - virtual Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const { + Status checkAuthForOperation(OperationContext*, + const DatabaseName&, + const BSONObj&) const override { // Require no auth since this command isn't supported in mongos return Status::OK(); } diff --git a/src/mongo/s/commands/cluster_set_free_monitoring_cmd.cpp b/src/mongo/s/commands/cluster_set_free_monitoring_cmd.cpp index f6f8b03b61a..0e5853aa42b 100644 --- a/src/mongo/s/commands/cluster_set_free_monitoring_cmd.cpp +++ b/src/mongo/s/commands/cluster_set_free_monitoring_cmd.cpp @@ -51,11 +51,12 @@ public: return "setFreeMonitoring command must be run against mongod instances"; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const final { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forClusterResource(), ActionType::setFreeMonitoring)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const final { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::setFreeMonitoring)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } return Status::OK(); diff --git a/src/mongo/s/commands/cluster_shard_collection_cmd.cpp b/src/mongo/s/commands/cluster_shard_collection_cmd.cpp index 86ccca809e8..9d7b8c22353 100644 --- a/src/mongo/s/commands/cluster_shard_collection_cmd.cpp +++ b/src/mongo/s/commands/cluster_shard_collection_cmd.cpp @@ -66,12 +66,13 @@ public: return "Shard a collection. Requires key. Optional unique."; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forExactNamespace(parseNs({boost::none, dbname}, cmdObj)), - ActionType::enableSharding)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const override { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource( + ResourcePattern::forExactNamespace(parseNs(dbName, cmdObj)), + ActionType::enableSharding)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } diff --git a/src/mongo/s/commands/cluster_split_cmd.cpp b/src/mongo/s/commands/cluster_split_cmd.cpp index 2b8cf4a8171..dbd4ef0ddfb 100644 --- a/src/mongo/s/commands/cluster_split_cmd.cpp +++ b/src/mongo/s/commands/cluster_split_cmd.cpp @@ -112,12 +112,13 @@ public: " NOTE: this does not move the chunks, it just creates a logical separation."; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forExactNamespace(parseNs({boost::none, dbname}, cmdObj)), - ActionType::splitChunk)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const override { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource( + ResourcePattern::forExactNamespace(parseNs(dbName, cmdObj)), + ActionType::splitChunk)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } return Status::OK(); diff --git a/src/mongo/s/commands/cluster_split_vector_cmd.cpp b/src/mongo/s/commands/cluster_split_vector_cmd.cpp index 54eb9b6a1fa..7bd4c4eb900 100644 --- a/src/mongo/s/commands/cluster_split_vector_cmd.cpp +++ b/src/mongo/s/commands/cluster_split_vector_cmd.cpp @@ -57,12 +57,13 @@ public: return false; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const override { - if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource( - ResourcePattern::forExactNamespace(parseNs({boost::none, dbname}, cmdObj)), - ActionType::splitVector)) { + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName& dbName, + const BSONObj& cmdObj) const override { + if (!AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource( + ResourcePattern::forExactNamespace(parseNs(dbName, cmdObj)), + ActionType::splitVector)) { return Status(ErrorCodes::Unauthorized, "Unauthorized"); } return Status::OK(); diff --git a/src/mongo/s/commands/cluster_update_zone_key_range_cmd.cpp b/src/mongo/s/commands/cluster_update_zone_key_range_cmd.cpp index 197363e9173..eaf3fc21739 100644 --- a/src/mongo/s/commands/cluster_update_zone_key_range_cmd.cpp +++ b/src/mongo/s/commands/cluster_update_zone_key_range_cmd.cpp @@ -90,10 +90,10 @@ public: return "assigns/remove a range of a sharded collection to a zone"; } - Status checkAuthForCommand(Client* client, - const std::string& dbname, - const BSONObj& cmdObj) const final { - auto* as = AuthorizationSession::get(client); + Status checkAuthForOperation(OperationContext* opCtx, + const DatabaseName&, + const BSONObj&) const final { + auto* as = AuthorizationSession::get(opCtx->getClient()); if (as->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), ActionType::enableSharding)) { -- cgit v1.2.1