void AuthorizationSession::addAuthorizedPrincipal(Principal* principal) {
// Log out any already-logged-in user on the same database as "principal".
logoutDatabase(principal->getName().getDB().toString()); // See SERVER-8144.
_authenticatedPrincipals.add(principal);
if (!principal->isImplicitPrivilegeAcquisitionEnabled())
return;
const std::string dbname = principal->getName().getDB().toString();
if (dbname == StringData("local", StringData::LiteralTag()) &&
principal->getName().getUser() == internalSecurity.user) {
// Grant full access to internal user
ActionSet allActions;
allActions.addAllActions();
acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, allActions),
principal->getName());
return;
}
_acquirePrivilegesForPrincipalFromDatabase(ADMIN_DBNAME, principal->getName());
principal->markDatabaseAsProbed(ADMIN_DBNAME);
_acquirePrivilegesForPrincipalFromDatabase(dbname, principal->getName());
principal->markDatabaseAsProbed(dbname);
_externalState->onAddAuthorizedPrincipal(principal);
}
void AuthorizationManager::grantInternalAuthorization(const std::string& principalName) {
Principal* principal = new Principal(PrincipalName(principalName, "local"));
ActionSet actions;
actions.addAllActions();
addAuthorizedPrincipal(principal);
fassert(16581, acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, actions),
principal->getName()).isOK());
}
void AuthorizationSession::grantInternalAuthorization(const UserName& userName) {
Principal* principal = new Principal(userName);
ActionSet actions;
actions.addAllActions();
addAuthorizedPrincipal(principal);
fassert(16581, acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, actions),
principal->getName()).isOK());
}
void AuthorizationManager::grantInternalAuthorization() {
Principal* internalPrincipal = new Principal("__system");
_authenticatedPrincipals.add(internalPrincipal);
ActionSet allActions;
allActions.addAllActions();
AcquiredPrivilege privilege(Privilege("*", allActions), internalPrincipal);
Status status = acquirePrivilege(privilege);
verify (status == Status::OK());
}
Status AuthorizationManager::acquirePrivilegesFromPrivilegeDocument(
const std::string& dbname, const PrincipalName& principal, const BSONObj& privilegeDocument) {
if (!_authenticatedPrincipals.lookup(principal)) {
return Status(ErrorCodes::UserNotFound,
mongoutils::str::stream()
<< "No authenticated principle found with name: "
<< principal.getUser()
<< " from database "
<< principal.getDB(),
0);
}
if (principal.getUser() == internalSecurity.user) {
// Grant full access to internal user
ActionSet allActions;
allActions.addAllActions();
return acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, allActions),
principal);
}
return buildPrivilegeSet(dbname, principal, privilegeDocument, &_acquiredPrivileges);
}
