Ejemplo n.º 1
 /**
  * Returns the union of the read, read-write, user-admin, db-admin and cluster-admin
  * role action sets.
  *
  * NOTE(review): no server-admin set is merged here, so "all user actions" as computed by
  * this function excludes whatever that role carries. Confirm the omission is intended
  * before using the result as an upper bound in an authorization check.
  */
 ActionSet AuthorizationManager::getAllUserActions() const {
     // Role sets to merge, listed in the order they are applied.
     const ActionSet* const roleSets[] = {
         &readRoleActions,
         &readWriteRoleActions,
         &userAdminRoleActions,
         &dbAdminRoleActions,
         &clusterAdminRoleActions
     };
     const ActionSet* const* const end = roleSets + sizeof(roleSets) / sizeof(roleSets[0]);

     ActionSet merged;
     for (const ActionSet* const* it = roleSets; it != end; ++it) {
         merged.addAllActionsFromSet(**it);
     }
     return merged;
 }
Ejemplo n.º 2
 /**
  * Builds one ActionSet containing every action of the read, read-write, user-admin,
  * db-admin and cluster-admin role sets.
  *
  * NOTE(review): the list below is hand-maintained; a role set that is not named here is
  * silently left out of the result. Verify the list against the role sets this parser is
  * expected to cover.
  */
 ActionSet PrivilegeDocumentParser::getAllUserActions() const {
     const ActionSet* const sources[] = {
         &readRoleActions,
         &readWriteRoleActions,
         &userAdminRoleActions,
         &dbAdminRoleActions,
         &clusterAdminRoleActions
     };
     const int sourceCount = static_cast<int>(sizeof(sources) / sizeof(sources[0]));

     ActionSet combined;
     for (int i = 0; i < sourceCount; ++i) {
         combined.addAllActionsFromSet(*sources[i]);
     }
     return combined;
 }
Ejemplo n.º 3
 /**
  * Computes the actions an old-style (readOnly flag only) user receives on `dbname`.
  *
  * @param dbname   database the user document belongs to
  * @param readOnly true when the user is marked read-only
  * @return the resulting action set
  *
  * A non-read-only user gets the read-write, db-admin and user-admin sets plus
  * dropDatabase and repairDatabase, so every such user can also administer users.
  * ADMIN_DBNAME and LOCAL_DBNAME are treated alike: both add the server- and
  * cluster-admin "read" sets, and the matching "write" sets unless readOnly.
  *
  * NOTE(review): a read-only user on either of those databases receives everything in
  * serverAdminRoleReadActions / clusterAdminRoleReadActions; audit where those sets are
  * populated to make sure nothing state-changing is filed under "read".
  */
 ActionSet AuthorizationManager::getActionsForOldStyleUser(const std::string& dbname,
                                                           bool readOnly) {
     const bool canWrite = !readOnly;
     const bool isPrivilegedDb = (dbname == ADMIN_DBNAME) || (dbname == LOCAL_DBNAME);

     ActionSet granted;

     // Per-database actions.
     if (canWrite) {
         granted.addAllActionsFromSet(readWriteRoleActions);
         granted.addAllActionsFromSet(dbAdminRoleActions);
         granted.addAllActionsFromSet(userAdminRoleActions);
         granted.addAction(ActionType::dropDatabase);
         granted.addAction(ActionType::repairDatabase);
     }
     else {
         granted.addAllActionsFromSet(readRoleActions);
     }

     if (!isPrivilegedDb) {
         return granted;
     }

     // Server-wide and cluster-wide actions, only for the admin and local databases.
     granted.addAllActionsFromSet(serverAdminRoleReadActions);
     granted.addAllActionsFromSet(clusterAdminRoleReadActions);
     if (canWrite) {
         granted.addAllActionsFromSet(serverAdminRoleWriteActions);
         granted.addAllActionsFromSet(clusterAdminRoleWriteActions);
     }
     return granted;
 }
Ejemplo n.º 4
    /**
     * Returns a copy of `privilege` (same resource) whose action set is rewritten when the
     * resource names one of three system collections:
     *   - system.users:   find/insert/update/remove are stripped; userAdminV1 is added if any
     *                     of insert/update/remove was present, otherwise userAdmin is added.
     *   - system.profile: find is stripped and profileRead is added.
     *   - system.indexes: find, if present, is replaced by indexRead.
     * Any other resource is returned with its actions unchanged.
     *
     * NOTE(review): for system.users and system.profile the replacement action is added even
     * when the incoming set had no CRUD action at all. That is only restrictive if the
     * argument is the privilege being *required* for an operation; confirm no caller passes
     * a privilege that is being *granted*.
     */
    Privilege AuthorizationSession::_modifyPrivilegeForSpecialCases(const Privilege& privilege) {
        ActionSet adjusted;
        adjusted.addAllActionsFromSet(privilege.getActions());
        NamespaceString nss( privilege.getResource() );

        if (nss.coll() == "system.users") {
            // Evaluate the write check before the CRUD actions are stripped below.
            const bool requestsWrite = adjusted.contains(ActionType::insert) ||
                                       adjusted.contains(ActionType::update) ||
                                       adjusted.contains(ActionType::remove);
            if (!requestsWrite) {
                adjusted.addAction(ActionType::userAdmin);
            } else {
                // End users can't modify system.users directly, only the system can.
                adjusted.addAction(ActionType::userAdminV1);
            }
            adjusted.removeAction(ActionType::find);
            adjusted.removeAction(ActionType::insert);
            adjusted.removeAction(ActionType::update);
            adjusted.removeAction(ActionType::remove);
        } else if (nss.coll() == "system.profile") {
            adjusted.removeAction(ActionType::find);
            adjusted.addAction(ActionType::profileRead);
        } else if (nss.coll() == "system.indexes" && adjusted.contains(ActionType::find)) {
            adjusted.removeAction(ActionType::find);
            adjusted.addAction(ActionType::indexRead);
        }

        return Privilege(privilege.getResource(), adjusted);
    }
    /**
     * Reports whether the user named `userName` holds changeOwnCustomData on the cluster
     * resource.
     *
     * Returns false when lookupUser() yields no user. Otherwise the actions the user has
     * for every pattern in the cluster resource's search list are unioned, and the result
     * is whether that union contains ActionType::changeOwnCustomData.
     *
     * NOTE(review): the stack array holds resourceSearchListCapacity entries and the loop
     * trusts the length returned by buildResourceSearchList(); this assumes that helper
     * never reports more than the capacity. Confirm against its definition.
     */
    bool AuthorizationSession::isAuthorizedToChangeOwnCustomDataAsUser(const UserName& userName) {
        User* const target = lookupUser(userName);
        if (!target) {
            // Unknown user: deny.
            return false;
        }

        ResourcePattern searchList[resourceSearchListCapacity];
        const int searchListLength =
                buildResourceSearchList(ResourcePattern::forClusterResource(), searchList);

        ActionSet effective;
        int idx = 0;
        while (idx < searchListLength) {
            effective.addAllActionsFromSet(target->getActionsForResource(searchList[idx]));
            ++idx;
        }
        return effective.contains(ActionType::changeOwnCustomData);
    }
Ejemplo n.º 6
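    /**
     * Returns a copy of `privilege` (same resource) with its action set rewritten for
     * system collections:
     *   - system.users:   find/insert/update/remove are stripped and userAdmin is added.
     *   - system.profile: find, if present, is replaced by profileRead.
     * Any other resource is returned with its actions unchanged.
     *
     * The system.profile comparison previously used the misspelled literal "system.profle",
     * so that branch could never match and find on the profile collection was never mapped
     * to profileRead.
     *
     * NOTE(review): userAdmin is added for system.users regardless of which actions came
     * in. Confirm the argument is always the privilege being required for an operation,
     * not one being granted.
     */
    Privilege AuthorizationManager::_modifyPrivilegeForSpecialCases(const Privilege& privilege) {
        ActionSet newActions;
        newActions.addAllActionsFromSet(privilege.getActions());
        const std::string collectionName = NamespaceString(privilege.getResource()).coll;
        if (collectionName == "system.users") {
            // Direct CRUD on the user collection is expressed solely as userAdmin.
            newActions.removeAction(ActionType::find);
            newActions.removeAction(ActionType::insert);
            newActions.removeAction(ActionType::update);
            newActions.removeAction(ActionType::remove);
            newActions.addAction(ActionType::userAdmin);
        } else if (collectionName == "system.profile" && newActions.contains(ActionType::find)) {
            // Reading the profiler collection is governed by profileRead, not plain find.
            newActions.removeAction(ActionType::find);
            newActions.addAction(ActionType::profileRead);
        }

        return Privilege(privilege.getResource(), newActions);
    }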
Ejemplo n.º 7
    /**
     * Translates an old-style privilege document into grants on `result`.
     *
     * @param dbname            database the document was read from
     * @param principal         principal the grants are attributed to
     * @param privilegeDocument document expected to carry "user" and "pwd" fields and an
     *                          optional "readOnly" flag
     * @param result            privilege set that receives the grants; dereferenced
     *                          without a null check
     * @return UnsupportedFormat if "user" or "pwd" is missing, otherwise Status::OK()
     *
     * A truthy "readOnly" yields the read role; anything else yields read-write, db-admin
     * and user-admin. For the "admin" and "local" databases those basic actions are granted
     * on "*" (all databases), and a non-read-only user additionally gets the server- and
     * cluster-admin sets on `dbname`.
     *
     * NOTE(review): the rejection message streams the whole document. A document that has
     * "pwd" but no "user" would put the pwd value into the Status text; check where that
     * text is logged or returned.
     * NOTE(review): "local" receives the same cross-database grant as "admin". Confirm that
     * is the intended legacy behaviour.
     */
    Status AuthorizationManager::_buildPrivilegeSetFromOldStylePrivilegeDocument(
            const std::string& dbname,
            Principal* principal,
            const BSONObj& privilegeDocument,
            PrivilegeSet* result) {
        const bool hasCredentials =
                privilegeDocument.hasField("user") && privilegeDocument.hasField("pwd");
        if (!hasCredentials) {
            return Status(ErrorCodes::UnsupportedFormat,
                          mongoutils::str::stream() << "Invalid old-style privilege document "
                                  "received when trying to extract privileges: "
                                   << privilegeDocument,
                          0);
        }

        const bool readOnly = privilegeDocument.hasField("readOnly") &&
                              privilegeDocument["readOnly"].trueValue();

        ActionSet granted;
        if (readOnly) {
            granted.addAllActionsFromSet(readRoleActions);
        }
        else {
            granted.addAllActionsFromSet(readWriteRoleActions);
            granted.addAllActionsFromSet(dbAdminRoleActions);
            granted.addAllActionsFromSet(userAdminRoleActions);
        }

        const bool isAdminOrLocal = (dbname == "admin") || (dbname == "local");
        if (isAdminOrLocal) {
            // Grant the basic actions on every database *before* the admin sets are merged
            // in, so the wildcard grant never carries server or cluster admin actions.
            result->grantPrivilege(AcquiredPrivilege(Privilege("*", granted), principal));
            if (!readOnly) {
                // Server and cluster admin actions apply to this database only.
                granted.addAllActionsFromSet(serverAdminRoleActions);
                granted.addAllActionsFromSet(clusterAdminRoleActions);
            }
        }

        result->grantPrivilege(AcquiredPrivilege(Privilege(dbname, granted), principal));

        return Status::OK();
    }
Ejemplo n.º 8
    // This sets up the system role ActionSets.  This is what determines what actions each role
    // is authorized to perform.
    //
    // Every set is filled by explicit addAction() calls, so this list is where a role's reach
    // is defined; the composite sets (read-write, server admin, cluster admin) are built by
    // merging smaller sets. `context` is not used. Always returns Status::OK().
    MONGO_INITIALIZER(AuthorizationSystemRoles)(InitializerContext* context) {
        // Read role
        readRoleActions.addAction(ActionType::cloneCollectionLocalSource);
        readRoleActions.addAction(ActionType::collStats);
        readRoleActions.addAction(ActionType::dbHash);
        readRoleActions.addAction(ActionType::dbStats);
        readRoleActions.addAction(ActionType::find);

        // Read-write role: everything in the read role, plus the write actions below.
        // Must run after the read role has been populated above.
        readWriteRoleActions.addAllActionsFromSet(readRoleActions);
        readWriteRoleActions.addAction(ActionType::cloneCollectionTarget);
        readWriteRoleActions.addAction(ActionType::convertToCapped);
        readWriteRoleActions.addAction(ActionType::createCollection); // db admin gets this also
        readWriteRoleActions.addAction(ActionType::dropCollection);
        readWriteRoleActions.addAction(ActionType::dropIndexes);
        readWriteRoleActions.addAction(ActionType::emptycapped);
        readWriteRoleActions.addAction(ActionType::ensureIndex);
        readWriteRoleActions.addAction(ActionType::insert);
        readWriteRoleActions.addAction(ActionType::remove);
        readWriteRoleActions.addAction(ActionType::renameCollectionSameDB); // db admin gets this also
        readWriteRoleActions.addAction(ActionType::update);

        // User admin role
        userAdminRoleActions.addAction(ActionType::userAdmin);

        // DB admin role. Built from scratch: the read role is not merged in, so find/insert/
        // update/remove are absent here.
        dbAdminRoleActions.addAction(ActionType::clean);
        dbAdminRoleActions.addAction(ActionType::collMod);
        dbAdminRoleActions.addAction(ActionType::collStats);
        dbAdminRoleActions.addAction(ActionType::compact);
        dbAdminRoleActions.addAction(ActionType::convertToCapped);
        dbAdminRoleActions.addAction(ActionType::createCollection); // read_write gets this also
        dbAdminRoleActions.addAction(ActionType::dbStats);
        dbAdminRoleActions.addAction(ActionType::dropCollection);
        dbAdminRoleActions.addAction(ActionType::dropIndexes);
        dbAdminRoleActions.addAction(ActionType::ensureIndex);
        dbAdminRoleActions.addAction(ActionType::indexStats);
        dbAdminRoleActions.addAction(ActionType::profileEnable);
        dbAdminRoleActions.addAction(ActionType::profileRead);
        dbAdminRoleActions.addAction(ActionType::reIndex);
        dbAdminRoleActions.addAction(ActionType::renameCollectionSameDB); // read_write gets this also
        dbAdminRoleActions.addAction(ActionType::storageDetails);
        dbAdminRoleActions.addAction(ActionType::validate);

        // Server admin role, split into a "read" and a "write" set.
        // NOTE(review): going by their names, several entries in the "read" set change server
        // state (shutdown, setParameter, logRotate, replSetStepDown, replSetFreeze,
        // replSetMaintenance, replSetSyncFrom, unlock). Confirm that whatever hands this set to
        // read-only principals intends to include them.
        serverAdminRoleReadActions.addAction(ActionType::connPoolStats);
        serverAdminRoleReadActions.addAction(ActionType::connPoolSync);
        serverAdminRoleReadActions.addAction(ActionType::getCmdLineOpts);
        serverAdminRoleReadActions.addAction(ActionType::getLog);
        serverAdminRoleReadActions.addAction(ActionType::getParameter);
        serverAdminRoleReadActions.addAction(ActionType::getShardMap);
        serverAdminRoleReadActions.addAction(ActionType::hostInfo);
        serverAdminRoleReadActions.addAction(ActionType::listDatabases);
        serverAdminRoleReadActions.addAction(ActionType::logRotate);
        serverAdminRoleReadActions.addAction(ActionType::replSetFreeze);
        serverAdminRoleReadActions.addAction(ActionType::replSetGetStatus);
        serverAdminRoleReadActions.addAction(ActionType::replSetMaintenance);
        serverAdminRoleReadActions.addAction(ActionType::replSetStepDown);
        serverAdminRoleReadActions.addAction(ActionType::replSetSyncFrom);
        serverAdminRoleReadActions.addAction(ActionType::setParameter);
        serverAdminRoleReadActions.addAction(ActionType::serverStatus);
        serverAdminRoleReadActions.addAction(ActionType::shutdown);
        serverAdminRoleReadActions.addAction(ActionType::top);
        serverAdminRoleReadActions.addAction(ActionType::touch);
        serverAdminRoleReadActions.addAction(ActionType::unlock);

        serverAdminRoleWriteActions.addAction(ActionType::applyOps);
        serverAdminRoleWriteActions.addAction(ActionType::closeAllDatabases);
        serverAdminRoleWriteActions.addAction(ActionType::cpuProfiler);
        serverAdminRoleWriteActions.addAction(ActionType::cursorInfo);
        serverAdminRoleWriteActions.addAction(ActionType::diagLogging);
        serverAdminRoleWriteActions.addAction(ActionType::fsync);
        serverAdminRoleWriteActions.addAction(ActionType::inprog);
        serverAdminRoleWriteActions.addAction(ActionType::killop);
        serverAdminRoleWriteActions.addAction(ActionType::repairDatabase);
        serverAdminRoleWriteActions.addAction(ActionType::replSetInitiate);
        serverAdminRoleWriteActions.addAction(ActionType::replSetReconfig);
        serverAdminRoleWriteActions.addAction(ActionType::resync);

        // Full server admin role = read set + write set.
        serverAdminRoleActions.addAllActionsFromSet(serverAdminRoleReadActions);
        serverAdminRoleActions.addAllActionsFromSet(serverAdminRoleWriteActions);

        // Cluster admin role, split the same way.
        // NOTE(review): setShardVersion and unsetSharding sit in the "read" set although their
        // names suggest they modify sharding state. Confirm the classification.
        clusterAdminRoleReadActions.addAction(ActionType::getShardVersion);
        clusterAdminRoleReadActions.addAction(ActionType::listShards);
        clusterAdminRoleReadActions.addAction(ActionType::netstat);
        clusterAdminRoleReadActions.addAction(ActionType::setShardVersion); // TODO: should this be internal?
        clusterAdminRoleReadActions.addAction(ActionType::splitVector);
        clusterAdminRoleReadActions.addAction(ActionType::unsetSharding);

        clusterAdminRoleWriteActions.addAction(ActionType::addShard);
        clusterAdminRoleWriteActions.addAction(ActionType::dropDatabase); // TODO: Should there be a CREATE_DATABASE also?
        clusterAdminRoleWriteActions.addAction(ActionType::enableSharding);
        clusterAdminRoleWriteActions.addAction(ActionType::flushRouterConfig);
        clusterAdminRoleWriteActions.addAction(ActionType::moveChunk);
        clusterAdminRoleWriteActions.addAction(ActionType::movePrimary);
        clusterAdminRoleWriteActions.addAction(ActionType::removeShard);
        clusterAdminRoleWriteActions.addAction(ActionType::shardCollection);
        clusterAdminRoleWriteActions.addAction(ActionType::shardingState);
        clusterAdminRoleWriteActions.addAction(ActionType::split);
        clusterAdminRoleWriteActions.addAction(ActionType::splitChunk);

        // Full cluster admin role = read set + write set.
        clusterAdminRoleActions.addAllActionsFromSet(clusterAdminRoleReadActions);
        clusterAdminRoleActions.addAllActionsFromSet(clusterAdminRoleWriteActions);

        // Internal commands. This set is populated here but is not merged into any of the
        // role sets above; how it is granted is not visible in this function.
        internalActions.addAction(ActionType::clone);
        internalActions.addAction(ActionType::handshake);
        internalActions.addAction(ActionType::mapReduceShardedFinish);
        internalActions.addAction(ActionType::replSetElect);
        internalActions.addAction(ActionType::replSetFresh);
        internalActions.addAction(ActionType::replSetGetRBID);
        internalActions.addAction(ActionType::replSetHeartbeat);
        internalActions.addAction(ActionType::writebacklisten);
        internalActions.addAction(ActionType::writeBacksQueued);
        internalActions.addAction(ActionType::_migrateClone);
        internalActions.addAction(ActionType::_recvChunkAbort);
        internalActions.addAction(ActionType::_recvChunkCommit);
        internalActions.addAction(ActionType::_recvChunkStart);
        internalActions.addAction(ActionType::_recvChunkStatus);
        internalActions.addAction(ActionType::_transferMods);

        return Status::OK();
    }
Ejemplo n.º 9
    // This sets up the system role ActionSets.  This is what determines what actions each role
    // is authorized to perform.
    //
    // Every set is filled by explicit addAction() calls, so this list is where a role's reach
    // is defined. `context` is not used. Always returns Status::OK().
    MONGO_INITIALIZER(AuthorizationSystemRoles)(InitializerContext* context) {
        // Read role
        // TODO: Remove OLD_READ once commands require the proper actions
        // NOTE(review): oldRead looks like a coarse transitional action. While it remains,
        // anything gated only on it is reachable by every principal holding the read role.
        // Confirm against the commands that still require it.
        readRoleActions.addAction(ActionType::oldRead);
        readRoleActions.addAction(ActionType::collStats);
        readRoleActions.addAction(ActionType::dbStats);
        readRoleActions.addAction(ActionType::find);

        // Read-write role: everything in the read role, plus the write actions below.
        // Must run after the read role has been populated above.
        readWriteRoleActions.addAllActionsFromSet(readRoleActions);
        // TODO: Remove OLD_WRITE once commands require the proper actions
        // NOTE(review): same concern as oldRead, for every read-write principal.
        readWriteRoleActions.addAction(ActionType::oldWrite);
        readWriteRoleActions.addAction(ActionType::convertToCapped);
        readWriteRoleActions.addAction(ActionType::createCollection); // TODO: should db admin get this also?
        readWriteRoleActions.addAction(ActionType::dropCollection);
        readWriteRoleActions.addAction(ActionType::dropIndexes);
        readWriteRoleActions.addAction(ActionType::emptycapped);
        readWriteRoleActions.addAction(ActionType::ensureIndex);
        readWriteRoleActions.addAction(ActionType::insert);
        readWriteRoleActions.addAction(ActionType::remove);
        readWriteRoleActions.addAction(ActionType::update);

        // User admin role
        userAdminRoleActions.addAction(ActionType::userAdmin);

        // DB admin role. Built from scratch: the read role is not merged in.
        dbAdminRoleActions.addAction(ActionType::clean);
        dbAdminRoleActions.addAction(ActionType::collMod);
        dbAdminRoleActions.addAction(ActionType::collStats);
        dbAdminRoleActions.addAction(ActionType::compact);
        dbAdminRoleActions.addAction(ActionType::convertToCapped);
        dbAdminRoleActions.addAction(ActionType::dbStats);
        dbAdminRoleActions.addAction(ActionType::dropCollection);
        dbAdminRoleActions.addAction(ActionType::reIndex); // TODO: Should readWrite have this also? This isn't consistent with ENSURE_INDEX and DROP_INDEXES
        dbAdminRoleActions.addAction(ActionType::renameCollection);
        dbAdminRoleActions.addAction(ActionType::validate);

        // Server admin role. A single set here: diagnostic actions and state-changing ones
        // (e.g. shutdown, setParameter, replSetReconfig) are granted together.
        serverAdminRoleActions.addAction(ActionType::closeAllDatabases);
        serverAdminRoleActions.addAction(ActionType::connPoolStats);
        serverAdminRoleActions.addAction(ActionType::connPoolSync);
        serverAdminRoleActions.addAction(ActionType::cpuProfiler);
        serverAdminRoleActions.addAction(ActionType::cursorInfo);
        serverAdminRoleActions.addAction(ActionType::diagLogging);
        serverAdminRoleActions.addAction(ActionType::fsync);
        serverAdminRoleActions.addAction(ActionType::getCmdLineOpts);
        serverAdminRoleActions.addAction(ActionType::getLog);
        serverAdminRoleActions.addAction(ActionType::getParameter);
        serverAdminRoleActions.addAction(ActionType::getShardMap);
        serverAdminRoleActions.addAction(ActionType::getShardVersion);
        serverAdminRoleActions.addAction(ActionType::hostInfo);
        serverAdminRoleActions.addAction(ActionType::listDatabases);
        serverAdminRoleActions.addAction(ActionType::logRotate);
        serverAdminRoleActions.addAction(ActionType::profile);
        serverAdminRoleActions.addAction(ActionType::repairDatabase);
        serverAdminRoleActions.addAction(ActionType::replSetFreeze);
        serverAdminRoleActions.addAction(ActionType::replSetGetStatus);
        serverAdminRoleActions.addAction(ActionType::replSetInitiate);
        serverAdminRoleActions.addAction(ActionType::replSetMaintenance);
        serverAdminRoleActions.addAction(ActionType::replSetReconfig);
        serverAdminRoleActions.addAction(ActionType::replSetStepDown);
        serverAdminRoleActions.addAction(ActionType::replSetSyncFrom);
        serverAdminRoleActions.addAction(ActionType::resync);
        serverAdminRoleActions.addAction(ActionType::setParameter);
        serverAdminRoleActions.addAction(ActionType::shutdown);
        serverAdminRoleActions.addAction(ActionType::top);
        serverAdminRoleActions.addAction(ActionType::touch);

        // Cluster admin role
        clusterAdminRoleActions.addAction(ActionType::addShard);
        clusterAdminRoleActions.addAction(ActionType::dropDatabase); // TODO: Should there be a CREATE_DATABASE also?
        clusterAdminRoleActions.addAction(ActionType::enableSharding);
        clusterAdminRoleActions.addAction(ActionType::flushRouterConfig);
        clusterAdminRoleActions.addAction(ActionType::listShards);
        clusterAdminRoleActions.addAction(ActionType::moveChunk);
        clusterAdminRoleActions.addAction(ActionType::movePrimary);
        clusterAdminRoleActions.addAction(ActionType::netstat);
        clusterAdminRoleActions.addAction(ActionType::removeShard);
        clusterAdminRoleActions.addAction(ActionType::setShardVersion); // TODO: should this be internal?
        clusterAdminRoleActions.addAction(ActionType::shardCollection);
        clusterAdminRoleActions.addAction(ActionType::shardingState);
        clusterAdminRoleActions.addAction(ActionType::split);
        clusterAdminRoleActions.addAction(ActionType::splitChunk);
        clusterAdminRoleActions.addAction(ActionType::splitVector);
        clusterAdminRoleActions.addAction(ActionType::unsetSharding);

        return Status::OK();
    }