void Pipeline::addRequiredPrivileges(Command* commandTemplate,
const string& db,
BSONObj cmdObj,
vector<Privilege>* out) {
ResourcePattern inputResource(commandTemplate->parseResourcePattern(db, cmdObj));
uassert(17138,
mongoutils::str::stream() << "Invalid input resource, " << inputResource.toString(),
inputResource.isExactNamespacePattern());
out->push_back(Privilege(inputResource, ActionType::find));
BSONObj pipeline = cmdObj.getObjectField("pipeline");
BSONForEach(stageElem, pipeline) {
BSONObj stage = stageElem.embeddedObjectUserCheck();
if (str::equals(stage.firstElementFieldName(), "$out")) {
NamespaceString outputNs(db, stage.firstElement().str());
uassert(17139,
mongoutils::str::stream() << "Invalid $out target namespace, " <<
outputNs.ns(),
outputNs.isValid());
ActionSet actions;
actions.addAction(ActionType::remove);
actions.addAction(ActionType::insert);
out->push_back(Privilege(ResourcePattern::forExactNamespace(outputNs), actions));
}
}
void addPrivilegesRequiredForMapReduce(Command* commandTemplate,
const std::string& dbname,
const BSONObj& cmdObj,
std::vector<Privilege>* out) {
Config::OutputOptions outputOptions = Config::parseOutputOptions(dbname, cmdObj);
ResourcePattern inputResource(commandTemplate->parseResourcePattern(dbname, cmdObj));
uassert(17142, mongoutils::str::stream() <<
"Invalid input resource " << inputResource.toString(),
inputResource.isExactNamespacePattern());
out->push_back(Privilege(inputResource, ActionType::find));
if (outputOptions.outType != Config::INMEMORY) {
ActionSet outputActions;
outputActions.addAction(ActionType::insert);
if (outputOptions.outType == Config::REPLACE) {
outputActions.addAction(ActionType::remove);
}
else {
outputActions.addAction(ActionType::update);
}
ResourcePattern outputResource(
ResourcePattern::forExactNamespace(
NamespaceString(outputOptions.finalNamespace)));
uassert(17143, mongoutils::str::stream() << "Invalid target namespace " <<
outputResource.ns().ns(),
outputResource.ns().isValid());
// TODO: check if outputNs exists and add createCollection privilege if not
out->push_back(Privilege(outputResource, outputActions));
}
}
void Pipeline::addRequiredPrivileges(Command* commandTemplate,
const string& db,
BSONObj cmdObj,
vector<Privilege>* out) {
ResourcePattern inputResource(commandTemplate->parseResourcePattern(db, cmdObj));
uassert(17138,
mongoutils::str::stream() << "Invalid input resource, " << inputResource.toString(),
inputResource.isExactNamespacePattern());
if (false && cmdObj["allowDiskUsage"].trueValue()) {
// TODO no privilege for this yet.
}
out->push_back(Privilege(inputResource, ActionType::find));
BSONObj pipeline = cmdObj.getObjectField("pipeline");
BSONForEach(stageElem, pipeline) {
BSONObj stage = stageElem.embeddedObjectUserCheck();
if (str::equals(stage.firstElementFieldName(), "$out")) {
// TODO Figure out how to handle temp collection privileges. For now, using the
// output ns is ok since we only do db-level privilege checks.
NamespaceString outputNs(db, stage.firstElement().str());
uassert(17139,
mongoutils::str::stream() << "Invalid $out target namespace, " <<
outputNs.ns(),
outputNs.isValid());
ActionSet actions;
// logically on output ns
actions.addAction(ActionType::remove);
actions.addAction(ActionType::insert);
// on temp ns due to implementation, but not logically on output ns
actions.addAction(ActionType::createCollection);
actions.addAction(ActionType::createIndex);
actions.addAction(ActionType::dropCollection);
actions.addAction(ActionType::renameCollectionSameDB);
out->push_back(Privilege(ResourcePattern::forExactNamespace(outputNs), actions));
out->push_back(Privilege(ResourcePattern::forExactNamespace(
NamespaceString(db, "system.indexes")),
ActionType::find));
}
}