Status V2UserDocumentParser::initializeUserPrivilegesFromUserDocument(const BSONObj& doc, User* user) const { BSONElement privilegesElement = doc[PRIVILEGES_FIELD_NAME]; if (privilegesElement.eoo()) return Status::OK(); if (privilegesElement.type() != Array) { return Status(ErrorCodes::UnsupportedFormat, "User document 'inheritedPrivileges' element must be Array if present."); } PrivilegeVector privileges; std::string errmsg; for (BSONObjIterator it(privilegesElement.Obj()); it.more(); it.next()) { if ((*it).type() != Object) { warning() << "Wrong type of element in inheritedPrivileges array for " << user->getName() << ": " << *it; continue; } Privilege privilege; ParsedPrivilege pp; if (!pp.parseBSON((*it).Obj(), &errmsg) || !ParsedPrivilege::parsedPrivilegeToPrivilege(pp, &privilege, &errmsg)) { warning() << "Could not parse privilege element in user document for " << user->getName() << ": " << errmsg; continue; } privileges.push_back(privilege); } user->setPrivileges(privileges); return Status::OK(); }
Status checkAuthorizedToGrantPrivileges(AuthorizationSession* authzSession, const PrivilegeVector& privileges) { for (PrivilegeVector::const_iterator it = privileges.begin(); it != privileges.end(); ++it) { Status status = authzSession->checkAuthorizedToGrantPrivilege(*it); if (!status.isOK()) { return status; } } return Status::OK(); }
Status RoleGraph::removePrivilegesFromRole(const RoleName& role, const PrivilegeVector& privilegesToRemove) { for (PrivilegeVector::const_iterator it = privilegesToRemove.begin(); it != privilegesToRemove.end(); ++it) { Status status = removePrivilegeFromRole(role, *it); if (!status.isOK()) { return status; } } return Status::OK(); }
Status AuthorizationManager::getBSONForPrivileges(const PrivilegeVector& privileges, mutablebson::Element resultArray) { for (PrivilegeVector::const_iterator it = privileges.begin(); it != privileges.end(); ++it) { std::string errmsg; ParsedPrivilege privilege; if (!ParsedPrivilege::privilegeToParsedPrivilege(*it, &privilege, &errmsg)) { return Status(ErrorCodes::BadValue, errmsg); } resultArray.appendObject("privileges", privilege.toBSON()); } return Status::OK(); }
void RoleGraph::_createBuiltinRoleIfNeeded(const RoleName& role) { if (!isBuiltinRole(role) || _roleExistsDontCreateBuiltin(role)) { return; } _createRoleDontCheckIfRoleExists(role); PrivilegeVector privileges; fassert(17145, addPrivilegesForBuiltinRole(role, &privileges)); for (size_t i = 0; i < privileges.size(); ++i) { _addPrivilegeToRoleNoChecks(role, privileges[i]); _allPrivilegesForRole[role].push_back(privileges[i]); } }
void User::setPrivileges(const PrivilegeVector& privileges) { _privileges.clear(); for (size_t i = 0; i < privileges.size(); ++i) { const Privilege& privilege = privileges[i]; _privileges[privilege.getResourcePattern()] = privilege; } }
Status V2UserDocumentParser::initializeUserPrivilegesFromUserDocument(const BSONObj& doc, User* user) const { BSONElement privilegesElement = doc[PRIVILEGES_FIELD_NAME]; if (privilegesElement.eoo()) return Status::OK(); if (privilegesElement.type() != Array) { return Status(ErrorCodes::UnsupportedFormat, "User document 'inheritedPrivileges' element must be Array if present."); } PrivilegeVector privileges; std::string errmsg; for (BSONObjIterator it(privilegesElement.Obj()); it.more(); it.next()) { if ((*it).type() != Object) { warning() << "Wrong type of element in inheritedPrivileges array for " << user->getName() << ": " << *it; continue; } Privilege privilege; ParsedPrivilege pp; if (!pp.parseBSON((*it).Obj(), &errmsg)) { warning() << "Could not parse privilege element in user document for " << user->getName() << ": " << errmsg; continue; } std::vector<std::string> unrecognizedActions; Status status = ParsedPrivilege::parsedPrivilegeToPrivilege(pp, &privilege, &unrecognizedActions); if (!status.isOK()) { warning() << "Could not parse privilege element in user document for " << user->getName() << causedBy(status); continue; } if (unrecognizedActions.size()) { std::string unrecognizedActionsString; joinStringDelim(unrecognizedActions, &unrecognizedActionsString, ','); warning() << "Encountered unrecognized actions \" " << unrecognizedActionsString << "\" while parsing user document for " << user->getName(); } privileges.push_back(privilege); } user->setPrivileges(privileges); return Status::OK(); }
// NOTE: Current runtime of this is O(n*m) where n is the size of the current PrivilegeVector // for the given role, and m is the size of the privilegesToAdd vector. // If this was a PrivilegeSet (sorted on resource) rather than a PrivilegeVector, we // could do this in O(n+m) instead. Status RoleGraph::addPrivilegesToRole(const RoleName& role, const PrivilegeVector& privilegesToAdd) { if (!roleExists(role)) { return Status(ErrorCodes::RoleNotFound, mongoutils::str::stream() << "Role: " << role.getFullName() << " does not exist", 0); } if (isBuiltinRole(role)) { return Status(ErrorCodes::InvalidRoleModification, mongoutils::str::stream() << "Cannot grant privileges to built-in role: " << role.getFullName(), 0); } for (PrivilegeVector::const_iterator it = privilegesToAdd.begin(); it != privilegesToAdd.end(); ++it) { _addPrivilegeToRoleNoChecks(role, *it); } return Status::OK(); }
bool AuthorizationSession::_isAuthorizedForPrivilege(const Privilege& privilege) { const ResourcePattern& target(privilege.getResourcePattern()); ResourcePattern resourceSearchList[resourceSearchListCapacity]; const int resourceSearchListLength = buildResourceSearchList(target, resourceSearchList); ActionSet unmetRequirements = privilege.getActions(); PrivilegeVector defaultPrivileges = getDefaultPrivileges(); for (PrivilegeVector::iterator it = defaultPrivileges.begin(); it != defaultPrivileges.end(); ++it) { for (int i = 0; i < resourceSearchListLength; ++i) { if (!(it->getResourcePattern() == resourceSearchList[i])) continue; ActionSet userActions = it->getActions(); unmetRequirements.removeAllActionsFromSet(userActions); if (unmetRequirements.empty()) return true; } } for (UserSet::iterator it = _authenticatedUsers.begin(); it != _authenticatedUsers.end(); ++it) { User* user = *it; for (int i = 0; i < resourceSearchListLength; ++i) { ActionSet userActions = user->getActionsForResource(resourceSearchList[i]); unmetRequirements.removeAllActionsFromSet(userActions); if (unmetRequirements.empty()) return true; } } return false; }
void User::addPrivileges(const PrivilegeVector& privileges) { for (PrivilegeVector::const_iterator it = privileges.begin(); it != privileges.end(); ++it) { addPrivilege(*it); } }
bool run(const string& dbname, BSONObj& cmdObj, int options, string& errmsg, BSONObjBuilder& result, bool fromRepl) { AuthorizationManager* authzManager = getGlobalAuthorizationManager(); AuthzDocumentsUpdateGuard updateGuard(authzManager); if (!updateGuard.tryLock("Grant privileges to role")) { addStatus(Status(ErrorCodes::LockBusy, "Could not lock auth data update lock."), result); return false; } RoleName roleName; PrivilegeVector privilegesToAdd; BSONObj writeConcern; Status status = auth::parseAndValidateRolePrivilegeManipulationCommands( cmdObj, "grantPrivilegesToRole", dbname, &roleName, &privilegesToAdd, &writeConcern); if (!status.isOK()) { addStatus(status, result); return false; } if (!authzManager->roleExists(roleName)) { addStatus(Status(ErrorCodes::RoleNotFound, mongoutils::str::stream() << roleName.getFullName() << " does not name an existing role"), result); return false; } if (authzManager->isBuiltinRole(roleName)) { addStatus(Status(ErrorCodes::InvalidRoleModification, mongoutils::str::stream() << roleName.getFullName() << " is a built-in role and cannot be modified."), result); return false; } PrivilegeVector privileges = authzManager->getDirectPrivilegesForRole(roleName); for (PrivilegeVector::iterator it = privilegesToAdd.begin(); it != privilegesToAdd.end(); ++it) { Privilege::addPrivilegeToPrivilegeVector(&privileges, *it); } // Build up update modifier object to $set privileges. mutablebson::Document updateObj; mutablebson::Element setElement = updateObj.makeElementObject("$set"); status = updateObj.root().pushBack(setElement); if (!status.isOK()) { addStatus(status, result); return false; } mutablebson::Element privilegesElement = updateObj.makeElementArray("privileges"); status = setElement.pushBack(privilegesElement); if (!status.isOK()) { addStatus(status, result); return false; } status = authzManager->getBSONForPrivileges(privileges, privilegesElement); if (!status.isOK()) { addStatus(status, result); return false; } BSONObjBuilder updateBSONBuilder; updateObj.writeTo(&updateBSONBuilder); status = authzManager->updateRoleDocument( roleName, updateBSONBuilder.done(), writeConcern); if (!status.isOK()) { addStatus(status, result); return false; } return true; }