void AuthorizationSession::addAuthorizedPrincipal(Principal* principal) {

        // Log out any already-logged-in user on the same database as "principal".
        logoutDatabase(principal->getName().getDB().toString());  // See SERVER-8144.

        _authenticatedPrincipals.add(principal);
        if (!principal->isImplicitPrivilegeAcquisitionEnabled())
            return;

        const std::string dbname = principal->getName().getDB().toString();
        if (dbname == StringData("local", StringData::LiteralTag()) &&
            principal->getName().getUser() == internalSecurity.user) {

            // Grant full access to internal user
            ActionSet allActions;
            allActions.addAllActions();
            acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, allActions),
                             principal->getName());
            return;
        }

        _acquirePrivilegesForPrincipalFromDatabase(ADMIN_DBNAME, principal->getName());
        principal->markDatabaseAsProbed(ADMIN_DBNAME);
        _acquirePrivilegesForPrincipalFromDatabase(dbname, principal->getName());
        principal->markDatabaseAsProbed(dbname);
        _externalState->onAddAuthorizedPrincipal(principal);
    }
    void AuthorizationManager::grantInternalAuthorization(const std::string& principalName) {
        Principal* principal = new Principal(PrincipalName(principalName, "local"));
        ActionSet actions;
        actions.addAllActions();

        addAuthorizedPrincipal(principal);
        fassert(16581, acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, actions),
                                    principal->getName()).isOK());
    }
    void AuthorizationSession::grantInternalAuthorization(const UserName& userName) {
        Principal* principal = new Principal(userName);
        ActionSet actions;
        actions.addAllActions();

        addAuthorizedPrincipal(principal);
        fassert(16581, acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, actions),
                                    principal->getName()).isOK());
    }
 void AuthorizationManager::grantInternalAuthorization() {
     Principal* internalPrincipal = new Principal("__system");
     _authenticatedPrincipals.add(internalPrincipal);
     ActionSet allActions;
     allActions.addAllActions();
     AcquiredPrivilege privilege(Privilege("*", allActions), internalPrincipal);
     Status status = acquirePrivilege(privilege);
     verify (status == Status::OK());
 }
    MONGO_INITIALIZER_WITH_PREREQUISITES(SetupInternalSecurityUser, MONGO_NO_PREREQUISITES)(
            InitializerContext* context) {

        User* user = new User(UserName("__system", "local"));

        user->incrementRefCount(); // Pin this user so the ref count never drops below 1.
        ActionSet allActions;
        allActions.addAllActions();
        PrivilegeVector privileges;
        RoleGraph::generateUniversalPrivileges(&privileges);
        user->addPrivileges(privileges);
        internalSecurity.user = user;

        return Status::OK();
    }
 Status AuthorizationManager::acquirePrivilegesFromPrivilegeDocument(
         const std::string& dbname, const PrincipalName& principal, const BSONObj& privilegeDocument) {
     if (!_authenticatedPrincipals.lookup(principal)) {
         return Status(ErrorCodes::UserNotFound,
                       mongoutils::str::stream()
                               << "No authenticated principle found with name: "
                               << principal.getUser()
                               << " from database "
                               << principal.getDB(),
                       0);
     }
     if (principal.getUser() == internalSecurity.user) {
         // Grant full access to internal user
         ActionSet allActions;
         allActions.addAllActions();
         return acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, allActions),
                                 principal);
     }
     return buildPrivilegeSet(dbname, principal, privilegeDocument, &_acquiredPrivileges);
 }
Beispiel #7
0
 Status ActionSet::parseActionSetFromStringVector(const std::vector<std::string>& actionsVector,
                                                  ActionSet* result) {
     ActionSet actions;
     for (size_t i = 0; i < actionsVector.size(); i++) {
         ActionType action;
         Status status = ActionType::parseActionFromString(actionsVector[i], &action);
         if (status != Status::OK()) {
             ActionSet empty;
             *result = empty;
             return status;
         }
         if (action == ActionType::anyAction) {
             actions.addAllActions();
             break;
         }
         actions.addAction(action);
     }
     *result = actions;
     return Status::OK();
 }
 bool AuthorizationManager::hasInternalAuthorization() {
     ActionSet allActions;
     allActions.addAllActions();
     return _acquiredPrivileges.hasPrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE,
                                                       allActions));
 }
 void RoleGraph::generateUniversalPrivileges(PrivilegeVector* privileges) {
     ActionSet allActions;
     allActions.addAllActions();
     privileges->push_back(Privilege(ResourcePattern::forAnyResource(), allActions));
 }
Beispiel #10
0
bool AuthorizationSession::hasInternalAuthorization() {
    ActionSet allActions;
    allActions.addAllActions();
    return _checkAuthForPrivilegeHelper(
               Privilege(AuthorizationManager::WILDCARD_RESOURCE_NAME, allActions)).isOK();
}