/** * Copyright (C) 2012 10gen Inc. * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License, version 3, * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU Affero General Public License for more details. * * You should have received a copy of the GNU Affero General Public License * along with this program. If not, see . * * As a special exception, the copyright holders give permission to link the * code of portions of this program with the OpenSSL library under certain * conditions as described in each individual source file and distribute * linked combinations including the program with the OpenSSL library. You * must comply with the GNU Affero General Public License in all respects for * all of the code used other than as permitted herein. If you modify file(s) * with this exception, you may extend this exception to your version of the * file(s), but you are not obligated to do so. If you do not wish to do so, * delete this exception statement from your version. If you delete this * exception statement from all source files in the program, then also delete * it in the license file. */ #define MONGO_LOG_DEFAULT_COMPONENT ::mongo::logger::LogComponent::kAccessControl #include "mongo/platform/basic.h" #include "mongo/db/auth/authz_manager_external_state_s.h" #include #include #include "mongo/db/auth/authorization_manager.h" #include "mongo/db/auth/authorization_manager_global.h" #include "mongo/db/auth/authz_session_external_state_s.h" #include "mongo/db/auth/user_name.h" #include "mongo/db/jsobj.h" #include "mongo/rpc/get_status_from_command_result.h" #include "mongo/s/catalog/catalog_manager.h" #include "mongo/s/grid.h" #include "mongo/stdx/memory.h" #include "mongo/util/mongoutils/str.h" namespace mongo { AuthzManagerExternalStateMongos::AuthzManagerExternalStateMongos() = default; AuthzManagerExternalStateMongos::~AuthzManagerExternalStateMongos() = default; Status AuthzManagerExternalStateMongos::initialize(OperationContext* txn) { return Status::OK(); } std::unique_ptr AuthzManagerExternalStateMongos::makeAuthzSessionExternalState(AuthorizationManager* authzManager) { return stdx::make_unique(authzManager); } Status AuthzManagerExternalStateMongos::getStoredAuthorizationVersion(OperationContext* txn, int* outVersion) { // Note: we are treating // { 'getParameter' : 1, : 1 } // as a user management command since this is the *only* part of mongos // that runs this command BSONObj getParameterCmd = BSON("getParameter" << 1 << authSchemaVersionServerParameter << 1); BSONObjBuilder builder; const bool ok = grid.catalogManager(txn)->runUserManagementReadCommand( txn, "admin", getParameterCmd, &builder); BSONObj cmdResult = builder.obj(); if (!ok) { return getStatusFromCommandResult(cmdResult); } BSONElement versionElement = cmdResult[authSchemaVersionServerParameter]; if (versionElement.eoo()) { return Status(ErrorCodes::UnknownError, "getParameter misbehaved."); } *outVersion = versionElement.numberInt(); return Status::OK(); } Status AuthzManagerExternalStateMongos::getUserDescription(OperationContext* txn, const UserName& userName, BSONObj* result) { BSONObj usersInfoCmd = BSON("usersInfo" << BSON_ARRAY(BSON(AuthorizationManager::USER_NAME_FIELD_NAME << userName.getUser() << AuthorizationManager::USER_DB_FIELD_NAME << userName.getDB())) << "showPrivileges" << true << "showCredentials" << true); BSONObjBuilder builder; const bool ok = grid.catalogManager(txn)->runUserManagementReadCommand( txn, "admin", usersInfoCmd, &builder); BSONObj cmdResult = builder.obj(); if (!ok) { return getStatusFromCommandResult(cmdResult); } std::vector foundUsers = cmdResult["users"].Array(); if (foundUsers.size() == 0) { return Status(ErrorCodes::UserNotFound, "User \"" + userName.toString() + "\" not found"); } if (foundUsers.size() > 1) { return Status(ErrorCodes::UserDataInconsistent, str::stream() << "Found multiple users on the \"" << userName.getDB() << "\" database with name \"" << userName.getUser() << "\""); } *result = foundUsers[0].Obj().getOwned(); return Status::OK(); } Status AuthzManagerExternalStateMongos::getRoleDescription(OperationContext* txn, const RoleName& roleName, bool showPrivileges, BSONObj* result) { BSONObj rolesInfoCmd = BSON("rolesInfo" << BSON_ARRAY(BSON(AuthorizationManager::ROLE_NAME_FIELD_NAME << roleName.getRole() << AuthorizationManager::ROLE_DB_FIELD_NAME << roleName.getDB())) << "showPrivileges" << showPrivileges); BSONObjBuilder builder; const bool ok = grid.catalogManager(txn)->runUserManagementReadCommand( txn, "admin", rolesInfoCmd, &builder); BSONObj cmdResult = builder.obj(); if (!ok) { return getStatusFromCommandResult(cmdResult); } std::vector foundRoles = cmdResult["roles"].Array(); if (foundRoles.size() == 0) { return Status(ErrorCodes::RoleNotFound, "Role \"" + roleName.toString() + "\" not found"); } if (foundRoles.size() > 1) { return Status(ErrorCodes::RoleDataInconsistent, str::stream() << "Found multiple roles on the \"" << roleName.getDB() << "\" database with name \"" << roleName.getRole() << "\""); } *result = foundRoles[0].Obj().getOwned(); return Status::OK(); } Status AuthzManagerExternalStateMongos::getRoleDescriptionsForDB(OperationContext* txn, const std::string dbname, bool showPrivileges, bool showBuiltinRoles, std::vector* result) { BSONObj rolesInfoCmd = BSON("rolesInfo" << 1 << "showPrivileges" << showPrivileges << "showBuiltinRoles" << showBuiltinRoles); BSONObjBuilder builder; const bool ok = grid.catalogManager(txn)->runUserManagementReadCommand(txn, dbname, rolesInfoCmd, &builder); BSONObj cmdResult = builder.obj(); if (!ok) { return getStatusFromCommandResult(cmdResult); } for (BSONObjIterator it(cmdResult["roles"].Obj()); it.more(); it.next()) { result->push_back((*it).Obj().getOwned()); } return Status::OK(); } bool AuthzManagerExternalStateMongos::hasAnyPrivilegeDocuments(OperationContext* txn) { BSONObj usersInfoCmd = BSON("usersInfo" << 1); BSONObjBuilder userBuilder; bool ok = grid.catalogManager(txn)->runUserManagementReadCommand( txn, "admin", usersInfoCmd, &userBuilder); if (!ok) { // If we were unable to complete the query, // it's best to assume that there _are_ privilege documents. This might happen // if the node contaning the users collection becomes transiently unavailable. // See SERVER-12616, for example. return true; } BSONObj cmdResult = userBuilder.obj(); std::vector foundUsers = cmdResult["users"].Array(); if (foundUsers.size() > 0) { return true; } BSONObj rolesInfoCmd = BSON("rolesInfo" << 1); BSONObjBuilder roleBuilder; ok = grid.catalogManager(txn)->runUserManagementReadCommand( txn, "admin", rolesInfoCmd, &roleBuilder); if (!ok) { return true; } cmdResult = roleBuilder.obj(); std::vector foundRoles = cmdResult["roles"].Array(); return foundRoles.size() > 0; } } // namespace mongo