/**
 * Builds and returns the union of the action sets of the roles listed in the table below.
 *
 * The result is assembled from scratch on every call; nothing is cached.
 *
 * NOTE(review): the table is maintained by hand. A role set that is populated elsewhere in
 * the file but not listed here is silently left out of the result, so keep this list in
 * step with the role definitions.
 */
ActionSet AuthorizationManager::getAllUserActions() const {
    const ActionSet* const userRoleSets[] = {
        &readRoleActions,
        &readWriteRoleActions,
        &userAdminRoleActions,
        &dbAdminRoleActions,
        &clusterAdminRoleActions
    };
    const int roleSetCount = static_cast<int>(sizeof(userRoleSets) / sizeof(userRoleSets[0]));

    ActionSet merged;
    for (int idx = 0; idx < roleSetCount; ++idx) {
        merged.addAllActionsFromSet(*userRoleSets[idx]);
    }
    return merged;
}
/**
 * Returns a fresh ActionSet holding every action found in the read, read-write, user-admin,
 * db-admin and cluster-admin role sets.
 *
 * NOTE(review): only the five sets named in this function contribute. If further role sets
 * exist in this translation unit they are not part of the result; confirm the list when
 * roles are added or split.
 */
ActionSet PrivilegeDocumentParser::getAllUserActions() const {
    const ActionSet* const contributingSets[] = {
        &readRoleActions,
        &readWriteRoleActions,
        &userAdminRoleActions,
        &dbAdminRoleActions,
        &clusterAdminRoleActions
    };
    const int total = static_cast<int>(sizeof(contributingSets) / sizeof(contributingSets[0]));

    ActionSet everything;
    int next = 0;
    while (next < total) {
        everything.addAllActionsFromSet(*contributingSets[next]);
        ++next;
    }
    return everything;
}
/**
 * Computes the actions granted to an old-style user of database "dbname".
 *
 * @param dbname    database the user document belongs to.
 * @param readOnly  true if the user is a read-only user.
 * @return the resulting ActionSet.
 *
 * Per-database part:
 *   - read-only users get readRoleActions;
 *   - all other users get the read-write, db-admin and user-admin sets plus dropDatabase
 *     and repairDatabase.
 *
 * Users of ADMIN_DBNAME or LOCAL_DBNAME additionally get the server-admin and cluster-admin
 * "read" sets, and the matching "write" sets unless they are read-only.
 */
ActionSet AuthorizationManager::getActionsForOldStyleUser(const std::string& dbname,
                                                          bool readOnly) {
    ActionSet granted;

    // Per-database actions.
    if (!readOnly) {
        granted.addAllActionsFromSet(readWriteRoleActions);
        granted.addAllActionsFromSet(dbAdminRoleActions);
        granted.addAllActionsFromSet(userAdminRoleActions);
        granted.addAction(ActionType::dropDatabase);
        granted.addAction(ActionType::repairDatabase);
    }
    else {
        granted.addAllActionsFromSet(readRoleActions);
    }

    const bool isServerWideDb = (dbname == ADMIN_DBNAME || dbname == LOCAL_DBNAME);
    if (!isServerWideDb) {
        return granted;
    }

    // Server-wide actions.
    // NOTE(review): a read-only user on admin/local still receives the two *ReadActions sets
    // in full. Their contents are decided where those sets are populated, so review that
    // list as the effective privilege of a read-only admin user.
    granted.addAllActionsFromSet(serverAdminRoleReadActions);
    granted.addAllActionsFromSet(clusterAdminRoleReadActions);
    if (!readOnly) {
        granted.addAllActionsFromSet(serverAdminRoleWriteActions);
        granted.addAllActionsFromSet(clusterAdminRoleWriteActions);
    }
    return granted;
}
/**
 * Returns a copy of "privilege" whose actions have been rewritten when its resource names one
 * of the special collections system.users, system.profile or system.indexes. Privileges on
 * any other collection are returned with their actions unchanged.
 *
 * Rewrites performed:
 *   - system.users:   find/insert/update/remove are dropped; userAdminV1 is added if any of
 *                     insert/update/remove was present, otherwise userAdmin is added.
 *   - system.profile: find is dropped and profileRead is added.
 *   - system.indexes: if find was present it is replaced by indexRead.
 */
Privilege AuthorizationSession::_modifyPrivilegeForSpecialCases(const Privilege& privilege) {
    ActionSet rewritten;
    rewritten.addAllActionsFromSet(privilege.getActions());

    NamespaceString ns( privilege.getResource() );

    if (ns.coll() == "system.users") {
        // Must be evaluated before the CRUD actions are stripped below.
        const bool requestsModification = rewritten.contains(ActionType::insert) ||
                                          rewritten.contains(ActionType::update) ||
                                          rewritten.contains(ActionType::remove);
        if (!requestsModification) {
            rewritten.addAction(ActionType::userAdmin);
        }
        else {
            // End users can't modify system.users directly, only the system can.
            rewritten.addAction(ActionType::userAdminV1);
        }

        // Plain CRUD actions are never left on system.users.
        rewritten.removeAction(ActionType::find);
        rewritten.removeAction(ActionType::insert);
        rewritten.removeAction(ActionType::update);
        rewritten.removeAction(ActionType::remove);
    }
    else if (ns.coll() == "system.profile") {
        // NOTE(review): unlike the system.indexes case, profileRead is added here even when
        // the incoming privilege did not contain find. Confirm that granting profileRead for
        // any privilege on system.profile is intended.
        rewritten.removeAction(ActionType::find);
        rewritten.addAction(ActionType::profileRead);
    }
    else if (ns.coll() == "system.indexes" && rewritten.contains(ActionType::find)) {
        rewritten.removeAction(ActionType::find);
        rewritten.addAction(ActionType::indexRead);
    }

    return Privilege(privilege.getResource(), rewritten);
}
/**
 * Reports whether the user named "userName" holds the changeOwnCustomData action on the
 * cluster resource.
 *
 * @param userName  user to check; resolved through lookupUser().
 * @return false if lookupUser() finds no such user; otherwise true exactly when the union of
 *         the user's actions over the cluster resource's search list contains
 *         ActionType::changeOwnCustomData.
 */
bool AuthorizationSession::isAuthorizedToChangeOwnCustomDataAsUser(const UserName& userName) {
    User* const account = lookupUser(userName);
    if (!account) {
        // Unknown user: deny.
        return false;
    }

    // NOTE(review): assumes buildResourceSearchList() never reports more entries than
    // resourceSearchListCapacity; confirm against its definition.
    ResourcePattern candidates[resourceSearchListCapacity];
    const int candidateCount =
        buildResourceSearchList(ResourcePattern::forClusterResource(), candidates);

    // Collect the user's actions for every pattern in the search list.
    ActionSet clusterActions;
    int idx = 0;
    while (idx < candidateCount) {
        clusterActions.addAllActionsFromSet(account->getActionsForResource(candidates[idx]));
        ++idx;
    }

    return clusterActions.contains(ActionType::changeOwnCustomData);
}
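/**
 * Returns a copy of "privilege" whose actions have been rewritten when its resource names the
 * system.users or system.profile collection. Privileges on any other collection are returned
 * with their actions unchanged.
 *
 * Rewrites performed:
 *   - system.users:   find/insert/update/remove are dropped and userAdmin is added.
 *   - system.profile: if find was present it is replaced by profileRead.
 *
 * @param privilege  the privilege to inspect; it is not modified.
 * @return a new Privilege on the same resource with the rewritten action set.
 */
Privilege AuthorizationManager::_modifyPrivilegeForSpecialCases(const Privilege& privilege) {
    ActionSet newActions;
    newActions.addAllActionsFromSet(privilege.getActions());

    const std::string collectionName = NamespaceString(privilege.getResource()).coll;

    if (collectionName == "system.users") {
        // Plain CRUD actions are never left on system.users; access goes through userAdmin.
        // NOTE(review): userAdmin is added whichever actions the privilege originally
        // carried; confirm that is intended.
        newActions.removeAction(ActionType::find);
        newActions.removeAction(ActionType::insert);
        newActions.removeAction(ActionType::update);
        newActions.removeAction(ActionType::remove);
        newActions.addAction(ActionType::userAdmin);
    }
    else if (collectionName == "system.profile" && newActions.contains(ActionType::find)) {
        // The literal must match the collection name exactly. A misspelled name makes this
        // branch unreachable, leaving plain find on the profile collection instead of
        // translating it to profileRead.
        newActions.removeAction(ActionType::find);
        newActions.addAction(ActionType::profileRead);
    }

    return Privilege(privilege.getResource(), newActions);
}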
/**
 * Translates an old-style privilege document into privileges and grants them to "result" on
 * behalf of "principal".
 *
 * @param dbname             database the privilege document was read from.
 * @param principal          principal recorded on every AcquiredPrivilege that is granted.
 * @param privilegeDocument  must contain both a "user" and a "pwd" field; an optional truthy
 *                           "readOnly" field marks the user as read-only.
 * @param result             privilege set that receives the grants.
 * @return ErrorCodes::UnsupportedFormat if "user" or "pwd" is missing, Status::OK() otherwise.
 *
 * Grants made:
 *   - always: a privilege on "dbname";
 *   - when dbname is "admin" or "local": additionally a privilege on "*" carrying the basic
 *     (per-database) actions, and, for users that are not read-only, the server-admin and
 *     cluster-admin actions are added to the privilege on "dbname".
 */
Status AuthorizationManager::_buildPrivilegeSetFromOldStylePrivilegeDocument(
        const std::string& dbname,
        Principal* principal,
        const BSONObj& privilegeDocument,
        PrivilegeSet* result) {

    const bool looksLikeUserDocument =
        privilegeDocument.hasField("user") && privilegeDocument.hasField("pwd");
    if (!looksLikeUserDocument) {
        // NOTE(review): the rejected document is streamed into the Status reason verbatim.
        // If it carries a "pwd" field, that value ends up wherever the Status is logged or
        // returned; consider redacting it.
        return Status(ErrorCodes::UnsupportedFormat,
                      mongoutils::str::stream() << "Invalid old-style privilege document "
                                                   "received when trying to extract privileges: "
                                                << privilegeDocument,
                      0);
    }

    const bool readOnly =
        privilegeDocument.hasField("readOnly") && privilegeDocument["readOnly"].trueValue();

    // Basic, per-database actions.
    ActionSet actions;
    if (readOnly) {
        actions.addAllActionsFromSet(readRoleActions);
    }
    else {
        actions.addAllActionsFromSet(readWriteRoleActions);
        actions.addAllActionsFromSet(dbAdminRoleActions);
        actions.addAllActionsFromSet(userAdminRoleActions);
    }

    const bool isServerWideDb = (dbname == "admin" || dbname == "local");
    if (isServerWideDb) {
        // The "*" grant is made before the admin actions are merged in, so it carries the
        // basic actions only.
        result->grantPrivilege(AcquiredPrivilege(Privilege("*", actions), principal));

        // Server and cluster admin actions go onto the privilege for this database only.
        // The condition above applies this to "local" as well as "admin".
        if (!readOnly) {
            actions.addAllActionsFromSet(serverAdminRoleActions);
            actions.addAllActionsFromSet(clusterAdminRoleActions);
        }
    }

    result->grantPrivilege(AcquiredPrivilege(Privilege(dbname, actions), principal));
    return Status::OK();
}
// This sets up the system role ActionSets.  This is what determines what actions each role
// is authorized to perform.
//
// Registered through MONGO_INITIALIZER; the body only adds entries to the role ActionSets
// named below and always returns Status::OK(). "context" is not read in this body.
//
// Composite sets are filled from their parts, so statement order matters:
//   - readWriteRoleActions starts from whatever readRoleActions holds at that point;
//   - serverAdminRoleActions  = serverAdminRoleReadActions  + serverAdminRoleWriteActions;
//   - clusterAdminRoleActions = clusterAdminRoleReadActions + clusterAdminRoleWriteActions.
MONGO_INITIALIZER(AuthorizationSystemRoles)(InitializerContext* context) {
    // Read role
    readRoleActions.addAction(ActionType::cloneCollectionLocalSource);
    readRoleActions.addAction(ActionType::collStats);
    readRoleActions.addAction(ActionType::dbHash);
    readRoleActions.addAction(ActionType::dbStats);
    readRoleActions.addAction(ActionType::find);

    // Read-write role: everything in the read role plus the actions below.
    readWriteRoleActions.addAllActionsFromSet(readRoleActions);
    readWriteRoleActions.addAction(ActionType::cloneCollectionTarget);
    readWriteRoleActions.addAction(ActionType::convertToCapped);
    readWriteRoleActions.addAction(ActionType::createCollection); // db admin gets this also
    readWriteRoleActions.addAction(ActionType::dropCollection);
    readWriteRoleActions.addAction(ActionType::dropIndexes);
    readWriteRoleActions.addAction(ActionType::emptycapped);
    readWriteRoleActions.addAction(ActionType::ensureIndex);
    readWriteRoleActions.addAction(ActionType::insert);
    readWriteRoleActions.addAction(ActionType::remove);
    readWriteRoleActions.addAction(ActionType::renameCollectionSameDB); // db admin gets this also
    readWriteRoleActions.addAction(ActionType::update);

    // User admin role
    userAdminRoleActions.addAction(ActionType::userAdmin);

    // DB admin role
    dbAdminRoleActions.addAction(ActionType::clean);
    dbAdminRoleActions.addAction(ActionType::collMod);
    dbAdminRoleActions.addAction(ActionType::collStats);
    dbAdminRoleActions.addAction(ActionType::compact);
    dbAdminRoleActions.addAction(ActionType::convertToCapped);
    dbAdminRoleActions.addAction(ActionType::createCollection); // read_write gets this also
    dbAdminRoleActions.addAction(ActionType::dbStats);
    dbAdminRoleActions.addAction(ActionType::dropCollection);
    dbAdminRoleActions.addAction(ActionType::dropIndexes);
    dbAdminRoleActions.addAction(ActionType::ensureIndex);
    dbAdminRoleActions.addAction(ActionType::indexStats);
    dbAdminRoleActions.addAction(ActionType::profileEnable);
    dbAdminRoleActions.addAction(ActionType::profileRead);
    dbAdminRoleActions.addAction(ActionType::reIndex);
    dbAdminRoleActions.addAction(ActionType::renameCollectionSameDB); // read_write gets this also
    dbAdminRoleActions.addAction(ActionType::storageDetails);
    dbAdminRoleActions.addAction(ActionType::validate);

    // Server admin role
    //
    // NOTE(review): despite the "Read" in its name, serverAdminRoleReadActions includes
    // actions whose names indicate a state change (for example shutdown, setParameter,
    // replSetStepDown, logRotate, unlock). Any code path that hands this set to a read-only
    // principal grants those as well; review such callers with this list in mind.
    serverAdminRoleReadActions.addAction(ActionType::connPoolStats);
    serverAdminRoleReadActions.addAction(ActionType::connPoolSync);
    serverAdminRoleReadActions.addAction(ActionType::getCmdLineOpts);
    serverAdminRoleReadActions.addAction(ActionType::getLog);
    serverAdminRoleReadActions.addAction(ActionType::getParameter);
    serverAdminRoleReadActions.addAction(ActionType::getShardMap);
    serverAdminRoleReadActions.addAction(ActionType::hostInfo);
    serverAdminRoleReadActions.addAction(ActionType::listDatabases);
    serverAdminRoleReadActions.addAction(ActionType::logRotate);
    serverAdminRoleReadActions.addAction(ActionType::replSetFreeze);
    serverAdminRoleReadActions.addAction(ActionType::replSetGetStatus);
    serverAdminRoleReadActions.addAction(ActionType::replSetMaintenance);
    serverAdminRoleReadActions.addAction(ActionType::replSetStepDown);
    serverAdminRoleReadActions.addAction(ActionType::replSetSyncFrom);
    serverAdminRoleReadActions.addAction(ActionType::setParameter);
    serverAdminRoleReadActions.addAction(ActionType::serverStatus);
    serverAdminRoleReadActions.addAction(ActionType::shutdown);
    serverAdminRoleReadActions.addAction(ActionType::top);
    serverAdminRoleReadActions.addAction(ActionType::touch);
    serverAdminRoleReadActions.addAction(ActionType::unlock);

    serverAdminRoleWriteActions.addAction(ActionType::applyOps);
    serverAdminRoleWriteActions.addAction(ActionType::closeAllDatabases);
    serverAdminRoleWriteActions.addAction(ActionType::cpuProfiler);
    serverAdminRoleWriteActions.addAction(ActionType::cursorInfo);
    serverAdminRoleWriteActions.addAction(ActionType::diagLogging);
    serverAdminRoleWriteActions.addAction(ActionType::fsync);
    serverAdminRoleWriteActions.addAction(ActionType::inprog);
    serverAdminRoleWriteActions.addAction(ActionType::killop);
    serverAdminRoleWriteActions.addAction(ActionType::repairDatabase);
    serverAdminRoleWriteActions.addAction(ActionType::replSetInitiate);
    serverAdminRoleWriteActions.addAction(ActionType::replSetReconfig);
    serverAdminRoleWriteActions.addAction(ActionType::resync);

    // Full server admin role = read part + write part.
    serverAdminRoleActions.addAllActionsFromSet(serverAdminRoleReadActions);
    serverAdminRoleActions.addAllActionsFromSet(serverAdminRoleWriteActions);

    // Cluster admin role
    //
    // NOTE(review): clusterAdminRoleReadActions likewise contains setShardVersion and
    // unsetSharding, which by name do not look read-only; confirm.
    clusterAdminRoleReadActions.addAction(ActionType::getShardVersion);
    clusterAdminRoleReadActions.addAction(ActionType::listShards);
    clusterAdminRoleReadActions.addAction(ActionType::netstat);
    clusterAdminRoleReadActions.addAction(ActionType::setShardVersion); // TODO: should this be internal?
    clusterAdminRoleReadActions.addAction(ActionType::splitVector);
    clusterAdminRoleReadActions.addAction(ActionType::unsetSharding);

    clusterAdminRoleWriteActions.addAction(ActionType::addShard);
    clusterAdminRoleWriteActions.addAction(ActionType::dropDatabase); // TODO: Should there be a CREATE_DATABASE also?
    clusterAdminRoleWriteActions.addAction(ActionType::enableSharding);
    clusterAdminRoleWriteActions.addAction(ActionType::flushRouterConfig);
    clusterAdminRoleWriteActions.addAction(ActionType::moveChunk);
    clusterAdminRoleWriteActions.addAction(ActionType::movePrimary);
    clusterAdminRoleWriteActions.addAction(ActionType::removeShard);
    clusterAdminRoleWriteActions.addAction(ActionType::shardCollection);
    clusterAdminRoleWriteActions.addAction(ActionType::shardingState);
    clusterAdminRoleWriteActions.addAction(ActionType::split);
    clusterAdminRoleWriteActions.addAction(ActionType::splitChunk);

    // Full cluster admin role = read part + write part.
    clusterAdminRoleActions.addAllActionsFromSet(clusterAdminRoleReadActions);
    clusterAdminRoleActions.addAllActionsFromSet(clusterAdminRoleWriteActions);

    // Internal commands. These are collected in their own set; nothing in this initializer
    // merges internalActions into any of the role sets above.
    internalActions.addAction(ActionType::clone);
    internalActions.addAction(ActionType::handshake);
    internalActions.addAction(ActionType::mapReduceShardedFinish);
    internalActions.addAction(ActionType::replSetElect);
    internalActions.addAction(ActionType::replSetFresh);
    internalActions.addAction(ActionType::replSetGetRBID);
    internalActions.addAction(ActionType::replSetHeartbeat);
    internalActions.addAction(ActionType::writebacklisten);
    internalActions.addAction(ActionType::writeBacksQueued);
    internalActions.addAction(ActionType::_migrateClone);
    internalActions.addAction(ActionType::_recvChunkAbort);
    internalActions.addAction(ActionType::_recvChunkCommit);
    internalActions.addAction(ActionType::_recvChunkStart);
    internalActions.addAction(ActionType::_recvChunkStatus);
    internalActions.addAction(ActionType::_transferMods);

    return Status::OK();
}
// This sets up the system role ActionSets.  This is what determines what actions each role
// is authorized to perform.
//
// Registered through MONGO_INITIALIZER; the body only adds entries to the role ActionSets
// named below and always returns Status::OK(). "context" is not read in this body.
//
// readWriteRoleActions is seeded from readRoleActions, so the read role must be filled first.
MONGO_INITIALIZER(AuthorizationSystemRoles)(InitializerContext* context) {
    // Read role
    // TODO: Remove OLD_READ once commands require the proper actions
    // NOTE(review): until that TODO is done, oldRead is part of the read role; whatever
    // still checks oldRead is reachable by every read user.
    readRoleActions.addAction(ActionType::oldRead);
    readRoleActions.addAction(ActionType::collStats);
    readRoleActions.addAction(ActionType::dbStats);
    readRoleActions.addAction(ActionType::find);

    // Read-write role: everything in the read role plus the actions below.
    readWriteRoleActions.addAllActionsFromSet(readRoleActions);
    // TODO: Remove OLD_WRITE once commands require the proper actions
    readWriteRoleActions.addAction(ActionType::oldWrite);
    readWriteRoleActions.addAction(ActionType::convertToCapped);
    readWriteRoleActions.addAction(ActionType::createCollection); // TODO: should db admin get this also?
    readWriteRoleActions.addAction(ActionType::dropCollection);
    readWriteRoleActions.addAction(ActionType::dropIndexes);
    readWriteRoleActions.addAction(ActionType::emptycapped);
    readWriteRoleActions.addAction(ActionType::ensureIndex);
    readWriteRoleActions.addAction(ActionType::insert);
    readWriteRoleActions.addAction(ActionType::remove);
    readWriteRoleActions.addAction(ActionType::update);

    // User admin role
    userAdminRoleActions.addAction(ActionType::userAdmin);

    // DB admin role
    dbAdminRoleActions.addAction(ActionType::clean);
    dbAdminRoleActions.addAction(ActionType::collMod);
    dbAdminRoleActions.addAction(ActionType::collStats);
    dbAdminRoleActions.addAction(ActionType::compact);
    dbAdminRoleActions.addAction(ActionType::convertToCapped);
    dbAdminRoleActions.addAction(ActionType::dbStats);
    dbAdminRoleActions.addAction(ActionType::dropCollection);
    dbAdminRoleActions.addAction(ActionType::reIndex); // TODO: Should readWrite have this also?
                                                       // This isn't consistent with ENSURE_INDEX and DROP_INDEXES
    dbAdminRoleActions.addAction(ActionType::renameCollection);
    dbAdminRoleActions.addAction(ActionType::validate);

    // Server admin role. A single set here: informational actions (getLog, hostInfo, top, ...)
    // and state-changing ones (shutdown, setParameter, replSetReconfig, ...) are granted
    // together.
    serverAdminRoleActions.addAction(ActionType::closeAllDatabases);
    serverAdminRoleActions.addAction(ActionType::connPoolStats);
    serverAdminRoleActions.addAction(ActionType::connPoolSync);
    serverAdminRoleActions.addAction(ActionType::cpuProfiler);
    serverAdminRoleActions.addAction(ActionType::cursorInfo);
    serverAdminRoleActions.addAction(ActionType::diagLogging);
    serverAdminRoleActions.addAction(ActionType::fsync);
    serverAdminRoleActions.addAction(ActionType::getCmdLineOpts);
    serverAdminRoleActions.addAction(ActionType::getLog);
    serverAdminRoleActions.addAction(ActionType::getParameter);
    serverAdminRoleActions.addAction(ActionType::getShardMap);
    serverAdminRoleActions.addAction(ActionType::getShardVersion);
    serverAdminRoleActions.addAction(ActionType::hostInfo);
    serverAdminRoleActions.addAction(ActionType::listDatabases);
    serverAdminRoleActions.addAction(ActionType::logRotate);
    serverAdminRoleActions.addAction(ActionType::profile);
    serverAdminRoleActions.addAction(ActionType::repairDatabase);
    serverAdminRoleActions.addAction(ActionType::replSetFreeze);
    serverAdminRoleActions.addAction(ActionType::replSetGetStatus);
    serverAdminRoleActions.addAction(ActionType::replSetInitiate);
    serverAdminRoleActions.addAction(ActionType::replSetMaintenance);
    serverAdminRoleActions.addAction(ActionType::replSetReconfig);
    serverAdminRoleActions.addAction(ActionType::replSetStepDown);
    serverAdminRoleActions.addAction(ActionType::replSetSyncFrom);
    serverAdminRoleActions.addAction(ActionType::resync);
    serverAdminRoleActions.addAction(ActionType::setParameter);
    serverAdminRoleActions.addAction(ActionType::shutdown);
    serverAdminRoleActions.addAction(ActionType::top);
    serverAdminRoleActions.addAction(ActionType::touch);

    // Cluster admin role
    clusterAdminRoleActions.addAction(ActionType::addShard);
    clusterAdminRoleActions.addAction(ActionType::dropDatabase); // TODO: Should there be a CREATE_DATABASE also?
    clusterAdminRoleActions.addAction(ActionType::enableSharding);
    clusterAdminRoleActions.addAction(ActionType::flushRouterConfig);
    clusterAdminRoleActions.addAction(ActionType::listShards);
    clusterAdminRoleActions.addAction(ActionType::moveChunk);
    clusterAdminRoleActions.addAction(ActionType::movePrimary);
    clusterAdminRoleActions.addAction(ActionType::netstat);
    clusterAdminRoleActions.addAction(ActionType::removeShard);
    clusterAdminRoleActions.addAction(ActionType::setShardVersion); // TODO: should this be internal?
    clusterAdminRoleActions.addAction(ActionType::shardCollection);
    clusterAdminRoleActions.addAction(ActionType::shardingState);
    clusterAdminRoleActions.addAction(ActionType::split);
    clusterAdminRoleActions.addAction(ActionType::splitChunk);
    clusterAdminRoleActions.addAction(ActionType::splitVector);
    clusterAdminRoleActions.addAction(ActionType::unsetSharding);

    return Status::OK();
}