void AuthorizationSession::addAuthorizedPrincipal(Principal* principal) {
// Log out any already-logged-in user on the same database as "principal".
logoutDatabase(principal->getName().getDB().toString()); // See SERVER-8144.
_authenticatedPrincipals.add(principal);
if (!principal->isImplicitPrivilegeAcquisitionEnabled())
return;
const std::string dbname = principal->getName().getDB().toString();
if (dbname == StringData("local", StringData::LiteralTag()) &&
principal->getName().getUser() == internalSecurity.user) {
// Grant full access to internal user
ActionSet allActions;
allActions.addAllActions();
acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, allActions),
principal->getName());
return;
}
_acquirePrivilegesForPrincipalFromDatabase(ADMIN_DBNAME, principal->getName());
principal->markDatabaseAsProbed(ADMIN_DBNAME);
_acquirePrivilegesForPrincipalFromDatabase(dbname, principal->getName());
principal->markDatabaseAsProbed(dbname);
_externalState->onAddAuthorizedPrincipal(principal);
}
void AuthorizationManager::grantInternalAuthorization(const std::string& principalName) {
Principal* principal = new Principal(PrincipalName(principalName, "local"));
ActionSet actions;
actions.addAllActions();
addAuthorizedPrincipal(principal);
fassert(16581, acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, actions),
principal->getName()).isOK());
}
void AuthorizationSession::grantInternalAuthorization(const UserName& userName) {
Principal* principal = new Principal(userName);
ActionSet actions;
actions.addAllActions();
addAuthorizedPrincipal(principal);
fassert(16581, acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, actions),
principal->getName()).isOK());
}
void AuthorizationManager::grantInternalAuthorization() {
Principal* internalPrincipal = new Principal("__system");
_authenticatedPrincipals.add(internalPrincipal);
ActionSet allActions;
allActions.addAllActions();
AcquiredPrivilege privilege(Privilege("*", allActions), internalPrincipal);
Status status = acquirePrivilege(privilege);
verify (status == Status::OK());
}
MONGO_INITIALIZER_WITH_PREREQUISITES(SetupInternalSecurityUser, MONGO_NO_PREREQUISITES)(
InitializerContext* context) {
User* user = new User(UserName("__system", "local"));
user->incrementRefCount(); // Pin this user so the ref count never drops below 1.
ActionSet allActions;
allActions.addAllActions();
PrivilegeVector privileges;
RoleGraph::generateUniversalPrivileges(&privileges);
user->addPrivileges(privileges);
internalSecurity.user = user;
return Status::OK();
}
Status AuthorizationManager::acquirePrivilegesFromPrivilegeDocument(
const std::string& dbname, const PrincipalName& principal, const BSONObj& privilegeDocument) {
if (!_authenticatedPrincipals.lookup(principal)) {
return Status(ErrorCodes::UserNotFound,
mongoutils::str::stream()
<< "No authenticated principle found with name: "
<< principal.getUser()
<< " from database "
<< principal.getDB(),
0);
}
if (principal.getUser() == internalSecurity.user) {
// Grant full access to internal user
ActionSet allActions;
allActions.addAllActions();
return acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, allActions),
principal);
}
return buildPrivilegeSet(dbname, principal, privilegeDocument, &_acquiredPrivileges);
}
Status ActionSet::parseActionSetFromStringVector(const std::vector<std::string>& actionsVector,
ActionSet* result) {
ActionSet actions;
for (size_t i = 0; i < actionsVector.size(); i++) {
ActionType action;
Status status = ActionType::parseActionFromString(actionsVector[i], &action);
if (status != Status::OK()) {
ActionSet empty;
*result = empty;
return status;
}
if (action == ActionType::anyAction) {
actions.addAllActions();
break;
}
actions.addAction(action);
}
*result = actions;
return Status::OK();
}
bool AuthorizationManager::hasInternalAuthorization() {
ActionSet allActions;
allActions.addAllActions();
return _acquiredPrivileges.hasPrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE,
allActions));
}
void RoleGraph::generateUniversalPrivileges(PrivilegeVector* privileges) {
ActionSet allActions;
allActions.addAllActions();
privileges->push_back(Privilege(ResourcePattern::forAnyResource(), allActions));
}
bool AuthorizationSession::hasInternalAuthorization() {
ActionSet allActions;
allActions.addAllActions();
return _checkAuthForPrivilegeHelper(
Privilege(AuthorizationManager::WILDCARD_RESOURCE_NAME, allActions)).isOK();
}
