bool run(const string& dbname, BSONObj& cmdObj, int options, string& errmsg, BSONObjBuilder& result, bool fromRepl) {
    // grantDelegateRolesToUser: rewrite the target user's stored roles array so
    // that every requested role is marked delegatable, then drop the user's
    // cached entry so the next lookup re-reads the privilege document.
    AuthorizationManager* const authz = getGlobalAuthorizationManager();

    // Hold the auth-document update lock across the whole read-modify-write
    // of the roles array; bail out rather than block if another updater has it.
    AuthzDocumentsUpdateGuard guard(authz);
    if (!guard.tryLock("Grant role delegation to user")) {
        addStatus(Status(ErrorCodes::LockBusy, "Could not lock auth data update lock."), result);
        return false;
    }

    UserName targetUser;
    std::vector<RoleName> requestedRoles;
    BSONObj writeConcern;
    const Status parseStatus = auth::parseUserRoleManipulationCommand(
        cmdObj, "grantDelegateRolesToUser", dbname, authz, &targetUser, &requestedRoles, &writeConcern);
    if (!parseStatus.isOK()) {
        addStatus(parseStatus, result);
        return false;
    }

    // Start from what the user currently has so existing entries keep their
    // other flags; only canDelegate is touched below.
    User::RoleDataMap currentRoles;
    const Status lookupStatus = getCurrentUserRoles(authz, targetUser, &currentRoles);
    if (!lookupStatus.isOK()) {
        addStatus(lookupStatus, result);
        return false;
    }

    for (size_t i = 0; i < requestedRoles.size(); ++i) {
        const RoleName& requested = requestedRoles[i];
        // operator[] creates a default entry for a role the user does not yet
        // have; give it its name so it serializes correctly.
        User::RoleData& entry = currentRoles[requested];
        if (entry.name.empty()) {
            entry.name = requested;
        }
        entry.canDelegate = true;
    }

    const BSONArray updatedRoles = rolesToBSONArray(currentRoles);
    const Status writeStatus = authz->updatePrivilegeDocument(
        targetUser, BSON("$set" << BSON("roles" << updatedRoles)), writeConcern);

    // Invalidate unconditionally: the write may have applied even when the
    // status reports failure (e.g. the write succeeded but the GLE did not).
    authz->invalidateUserByName(targetUser);

    if (!writeStatus.isOK()) {
        addStatus(writeStatus, result);
        return false;
    }
    return true;
}
bool run(const string& dbname, BSONObj& cmdObj, int options, string& errmsg, BSONObjBuilder& result, bool fromRepl) {
    // removeUser: delete the privilege document matching the named user and
    // source database, invalidate the cached user, and report UserNotFound when
    // nothing was removed.
    AuthorizationManager* const authz = getGlobalAuthorizationManager();

    // Serialize with other auth-document writers; fail fast if the lock is held.
    AuthzDocumentsUpdateGuard guard(authz);
    if (!guard.tryLock("Remove user")) {
        addStatus(Status(ErrorCodes::LockBusy, "Could not lock auth data update lock."), result);
        return false;
    }

    UserName targetUser;
    BSONObj writeConcern;
    const Status parseStatus = auth::parseAndValidateRemoveUserCommand(cmdObj, dbname, &targetUser, &writeConcern);
    if (!parseStatus.isOK()) {
        addStatus(parseStatus, result);
        return false;
    }

    // Match on both the user name and its source db so a same-named user on a
    // different database is left untouched.
    const BSONObj selector = BSON(AuthorizationManager::USER_NAME_FIELD_NAME << targetUser.getUser()
                                  << AuthorizationManager::USER_SOURCE_FIELD_NAME << targetUser.getDB());
    int removedCount;
    const Status removeStatus = authz->removePrivilegeDocuments(selector, writeConcern, &removedCount);

    // Invalidate unconditionally: the delete may have applied even when the
    // status reports failure (e.g. the write succeeded but the GLE did not).
    authz->invalidateUserByName(targetUser);

    if (!removeStatus.isOK()) {
        addStatus(removeStatus, result);
        return false;
    }
    if (removedCount == 0) {
        addStatus(Status(ErrorCodes::UserNotFound,
                         mongoutils::str::stream() << "User '" << targetUser.getFullName() << "' not found"),
                  result);
        return false;
    }
    return true;
}
bool run(OperationContext* txn, const string& dbname, BSONObj& cmdObj, int options, string& errmsg, BSONObjBuilder& result) {
    // Forwarding variant of createUser/updateUser: the command is validated
    // locally (so a malformed request is rejected before it reaches the
    // catalog manager), forwarded as-is, and the affected user is then
    // invalidated in this process's cache.
    auth::CreateOrUpdateUserArgs parsed;
    const Status parseStatus = auth::parseCreateOrUpdateUserCommands(cmdObj, this->name, dbname, &parsed);
    if (!parseStatus.isOK()) {
        return appendCommandStatus(result, parseStatus);
    }

    // The write itself is performed by the catalog manager; its status goes
    // straight into `result`.
    const bool forwardedOk =
        grid.catalogManager(txn)->runUserManagementWriteCommand(txn, this->name, dbname, cmdObj, &result);

    // Invalidate regardless of the forwarded outcome so a stale cached User is
    // never served after a write that may have landed.
    AuthorizationManager* const authz = getGlobalAuthorizationManager();
    invariant(authz);
    authz->invalidateUserByName(parsed.userName);
    return forwardedOk;
}
bool run(OperationContext* txn, const string& dbname, BSONObj& cmdObj, int options, string& errmsg, BSONObjBuilder& result) {
    // Forwarding variant of dropUser: validate locally to learn which user is
    // targeted, forward the command to the catalog manager, then invalidate
    // that user in this process's cache.
    UserName targetUser;
    BSONObj ignoredWriteConcern;  // parsed for validation only; the forwarded command carries it
    const Status parseStatus =
        auth::parseAndValidateDropUserCommand(cmdObj, dbname, &targetUser, &ignoredWriteConcern);
    if (!parseStatus.isOK()) {
        return appendCommandStatus(result, parseStatus);
    }

    const bool forwardedOk =
        grid.catalogManager(txn)->runUserManagementWriteCommand(txn, this->name, dbname, cmdObj, &result);

    // Invalidate regardless of the forwarded outcome so a stale cached User is
    // never served after a write that may have landed.
    AuthorizationManager* const authz = getGlobalAuthorizationManager();
    invariant(authz);
    authz->invalidateUserByName(targetUser);
    return forwardedOk;
}
bool run(const string& dbname, BSONObj& cmdObj, int options, string& errmsg, BSONObjBuilder& result, bool fromRepl) {
    // updateUser: apply the parsed update object to the user's privilege
    // document under the auth-document update lock, then invalidate the
    // cached user.
    AuthorizationManager* const authz = getGlobalAuthorizationManager();

    // Serialize with other auth-document writers; fail fast if the lock is held.
    AuthzDocumentsUpdateGuard guard(authz);
    if (!guard.tryLock("Update user")) {
        addStatus(Status(ErrorCodes::LockBusy, "Could not lock auth data update lock."), result);
        return false;
    }

    // The parser builds the update document itself; nothing from cmdObj is
    // written through unvalidated.
    BSONObj updateDoc;
    UserName targetUser;
    BSONObj writeConcern;
    const Status parseStatus = auth::parseAndValidateUpdateUserCommand(
        cmdObj, dbname, authz, &updateDoc, &targetUser, &writeConcern);
    if (!parseStatus.isOK()) {
        addStatus(parseStatus, result);
        return false;
    }

    const Status writeStatus = authz->updatePrivilegeDocument(targetUser, updateDoc, writeConcern);

    // Invalidate unconditionally: the write may have applied even when the
    // status reports failure (e.g. the write succeeded but the GLE did not).
    authz->invalidateUserByName(targetUser);

    if (!writeStatus.isOK()) {
        addStatus(writeStatus, result);
        return false;
    }
    return true;
}
bool run(OperationContext* txn, const string& dbname, BSONObj& cmdObj, int options, string& errmsg, BSONObjBuilder& result) {
    // Forwarding variant of the grant/revoke-roles commands: validate locally
    // to extract the target user name, forward the command to the catalog
    // manager, then invalidate that user in this process's cache.
    string targetUserName;
    vector<RoleName> ignoredRoles;           // parsed for validation only
    BSONObj ignoredWriteConcern;             // the forwarded command carries it
    const Status parseStatus = auth::parseRolePossessionManipulationCommands(
        cmdObj, this->name, dbname, &targetUserName, &ignoredRoles, &ignoredWriteConcern);
    if (!parseStatus.isOK()) {
        return appendCommandStatus(result, parseStatus);
    }

    const bool forwardedOk =
        grid.catalogManager(txn)->runUserManagementWriteCommand(txn, this->name, dbname, cmdObj, &result);

    // The target user is keyed by the command's database; invalidate regardless
    // of the forwarded outcome so a stale cached User is never served after a
    // write that may have landed.
    AuthorizationManager* const authz = getGlobalAuthorizationManager();
    invariant(authz);
    const UserName targetUser(targetUserName, dbname);
    authz->invalidateUserByName(targetUser);
    return forwardedOk;
}
bool run(const string& dbname, BSONObj& cmdObj, int options, string& errmsg, BSONObjBuilder& result, bool fromRepl) {
    // revokeDelegateRolesFromUser: clear the delegation flag on each requested
    // role in the user's stored roles array, dropping entries that would
    // otherwise carry neither possession nor delegation, then invalidate the
    // cached user.
    AuthorizationManager* const authz = getGlobalAuthorizationManager();

    // Hold the auth-document update lock across the whole read-modify-write
    // of the roles array; bail out rather than block if another updater has it.
    AuthzDocumentsUpdateGuard guard(authz);
    if (!guard.tryLock("Revoke role delegation from user")) {
        addStatus(Status(ErrorCodes::LockBusy, "Could not lock auth data update lock."), result);
        return false;
    }

    UserName targetUser;
    std::vector<RoleName> requestedRoles;
    BSONObj writeConcern;
    const Status parseStatus = auth::parseUserRoleManipulationCommand(
        cmdObj, "revokeDelegateRolesFromUser", dbname, authz, &targetUser, &requestedRoles, &writeConcern);
    if (!parseStatus.isOK()) {
        addStatus(parseStatus, result);
        return false;
    }

    User::RoleDataMap currentRoles;
    const Status lookupStatus = getCurrentUserRoles(authz, targetUser, &currentRoles);
    if (!lookupStatus.isOK()) {
        addStatus(lookupStatus, result);
        return false;
    }

    for (size_t i = 0; i < requestedRoles.size(); ++i) {
        const User::RoleDataMap::iterator found = currentRoles.find(requestedRoles[i]);
        if (found == currentRoles.end()) {
            continue;  // nothing recorded for this role, so nothing to revoke
        }
        User::RoleData& entry = found->second;
        if (!entry.hasRole) {
            // Neither held nor (any longer) delegatable: drop the entry so the
            // serialized roles array no longer mentions the role at all.
            currentRoles.erase(found);
        } else {
            // Still held directly; keep the entry and only withdraw delegation.
            entry.canDelegate = false;
        }
    }

    const BSONArray updatedRoles = rolesToBSONArray(currentRoles);
    const Status writeStatus = authz->updatePrivilegeDocument(
        targetUser, BSON("$set" << BSON("roles" << updatedRoles)), writeConcern);

    // Invalidate unconditionally: the write may have applied even when the
    // status reports failure (e.g. the write succeeded but the GLE did not).
    authz->invalidateUserByName(targetUser);

    if (!writeStatus.isOK()) {
        addStatus(writeStatus, result);
        return false;
    }
    return true;
}