Status checkAuthorizedToGrantPrivileges(AuthorizationSession* authzSession, const PrivilegeVector& privileges) { for (PrivilegeVector::const_iterator it = privileges.begin(); it != privileges.end(); ++it) { Status status = authzSession->checkAuthorizedToGrantPrivilege(*it); if (!status.isOK()) { return status; } } return Status::OK(); }
Status RoleGraph::removePrivilegesFromRole(const RoleName& role, const PrivilegeVector& privilegesToRemove) { for (PrivilegeVector::const_iterator it = privilegesToRemove.begin(); it != privilegesToRemove.end(); ++it) { Status status = removePrivilegeFromRole(role, *it); if (!status.isOK()) { return status; } } return Status::OK(); }
Status AuthorizationManager::getBSONForPrivileges(const PrivilegeVector& privileges, mutablebson::Element resultArray) { for (PrivilegeVector::const_iterator it = privileges.begin(); it != privileges.end(); ++it) { std::string errmsg; ParsedPrivilege privilege; if (!ParsedPrivilege::privilegeToParsedPrivilege(*it, &privilege, &errmsg)) { return Status(ErrorCodes::BadValue, errmsg); } resultArray.appendObject("privileges", privilege.toBSON()); } return Status::OK(); }
// NOTE: Current runtime of this is O(n*m) where n is the size of the current PrivilegeVector // for the given role, and m is the size of the privilegesToAdd vector. // If this was a PrivilegeSet (sorted on resource) rather than a PrivilegeVector, we // could do this in O(n+m) instead. Status RoleGraph::addPrivilegesToRole(const RoleName& role, const PrivilegeVector& privilegesToAdd) { if (!roleExists(role)) { return Status(ErrorCodes::RoleNotFound, mongoutils::str::stream() << "Role: " << role.getFullName() << " does not exist", 0); } if (isBuiltinRole(role)) { return Status(ErrorCodes::InvalidRoleModification, mongoutils::str::stream() << "Cannot grant privileges to built-in role: " << role.getFullName(), 0); } for (PrivilegeVector::const_iterator it = privilegesToAdd.begin(); it != privilegesToAdd.end(); ++it) { _addPrivilegeToRoleNoChecks(role, *it); } return Status::OK(); }
bool AuthorizationSession::_isAuthorizedForPrivilege(const Privilege& privilege) { const ResourcePattern& target(privilege.getResourcePattern()); ResourcePattern resourceSearchList[resourceSearchListCapacity]; const int resourceSearchListLength = buildResourceSearchList(target, resourceSearchList); ActionSet unmetRequirements = privilege.getActions(); PrivilegeVector defaultPrivileges = getDefaultPrivileges(); for (PrivilegeVector::iterator it = defaultPrivileges.begin(); it != defaultPrivileges.end(); ++it) { for (int i = 0; i < resourceSearchListLength; ++i) { if (!(it->getResourcePattern() == resourceSearchList[i])) continue; ActionSet userActions = it->getActions(); unmetRequirements.removeAllActionsFromSet(userActions); if (unmetRequirements.empty()) return true; } } for (UserSet::iterator it = _authenticatedUsers.begin(); it != _authenticatedUsers.end(); ++it) { User* user = *it; for (int i = 0; i < resourceSearchListLength; ++i) { ActionSet userActions = user->getActionsForResource(resourceSearchList[i]); unmetRequirements.removeAllActionsFromSet(userActions); if (unmetRequirements.empty()) return true; } } return false; }
void User::addPrivileges(const PrivilegeVector& privileges) { for (PrivilegeVector::const_iterator it = privileges.begin(); it != privileges.end(); ++it) { addPrivilege(*it); } }
bool run(const string& dbname, BSONObj& cmdObj, int options, string& errmsg, BSONObjBuilder& result, bool fromRepl) { AuthorizationManager* authzManager = getGlobalAuthorizationManager(); AuthzDocumentsUpdateGuard updateGuard(authzManager); if (!updateGuard.tryLock("Grant privileges to role")) { addStatus(Status(ErrorCodes::LockBusy, "Could not lock auth data update lock."), result); return false; } RoleName roleName; PrivilegeVector privilegesToAdd; BSONObj writeConcern; Status status = auth::parseAndValidateRolePrivilegeManipulationCommands( cmdObj, "grantPrivilegesToRole", dbname, &roleName, &privilegesToAdd, &writeConcern); if (!status.isOK()) { addStatus(status, result); return false; } if (!authzManager->roleExists(roleName)) { addStatus(Status(ErrorCodes::RoleNotFound, mongoutils::str::stream() << roleName.getFullName() << " does not name an existing role"), result); return false; } if (authzManager->isBuiltinRole(roleName)) { addStatus(Status(ErrorCodes::InvalidRoleModification, mongoutils::str::stream() << roleName.getFullName() << " is a built-in role and cannot be modified."), result); return false; } PrivilegeVector privileges = authzManager->getDirectPrivilegesForRole(roleName); for (PrivilegeVector::iterator it = privilegesToAdd.begin(); it != privilegesToAdd.end(); ++it) { Privilege::addPrivilegeToPrivilegeVector(&privileges, *it); } // Build up update modifier object to $set privileges. mutablebson::Document updateObj; mutablebson::Element setElement = updateObj.makeElementObject("$set"); status = updateObj.root().pushBack(setElement); if (!status.isOK()) { addStatus(status, result); return false; } mutablebson::Element privilegesElement = updateObj.makeElementArray("privileges"); status = setElement.pushBack(privilegesElement); if (!status.isOK()) { addStatus(status, result); return false; } status = authzManager->getBSONForPrivileges(privileges, privilegesElement); if (!status.isOK()) { addStatus(status, result); return false; } BSONObjBuilder updateBSONBuilder; updateObj.writeTo(&updateBSONBuilder); status = authzManager->updateRoleDocument( roleName, updateBSONBuilder.done(), writeConcern); if (!status.isOK()) { addStatus(status, result); return false; } return true; }