void AuthorizationSession::addAuthorizedPrincipal(Principal* principal) { // Log out any already-logged-in user on the same database as "principal". logoutDatabase(principal->getName().getDB().toString()); // See SERVER-8144. _authenticatedPrincipals.add(principal); if (!principal->isImplicitPrivilegeAcquisitionEnabled()) return; const std::string dbname = principal->getName().getDB().toString(); if (dbname == StringData("local", StringData::LiteralTag()) && principal->getName().getUser() == internalSecurity.user) { // Grant full access to internal user ActionSet allActions; allActions.addAllActions(); acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, allActions), principal->getName()); return; } _acquirePrivilegesForPrincipalFromDatabase(ADMIN_DBNAME, principal->getName()); principal->markDatabaseAsProbed(ADMIN_DBNAME); _acquirePrivilegesForPrincipalFromDatabase(dbname, principal->getName()); principal->markDatabaseAsProbed(dbname); _externalState->onAddAuthorizedPrincipal(principal); }
void AuthorizationManager::grantInternalAuthorization(const std::string& principalName) { Principal* principal = new Principal(PrincipalName(principalName, "local")); ActionSet actions; actions.addAllActions(); addAuthorizedPrincipal(principal); fassert(16581, acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, actions), principal->getName()).isOK()); }
void AuthorizationSession::grantInternalAuthorization(const UserName& userName) { Principal* principal = new Principal(userName); ActionSet actions; actions.addAllActions(); addAuthorizedPrincipal(principal); fassert(16581, acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, actions), principal->getName()).isOK()); }
void AuthorizationManager::grantInternalAuthorization() { Principal* internalPrincipal = new Principal("__system"); _authenticatedPrincipals.add(internalPrincipal); ActionSet allActions; allActions.addAllActions(); AcquiredPrivilege privilege(Privilege("*", allActions), internalPrincipal); Status status = acquirePrivilege(privilege); verify (status == Status::OK()); }
MONGO_INITIALIZER_WITH_PREREQUISITES(SetupInternalSecurityUser, MONGO_NO_PREREQUISITES)( InitializerContext* context) { User* user = new User(UserName("__system", "local")); user->incrementRefCount(); // Pin this user so the ref count never drops below 1. ActionSet allActions; allActions.addAllActions(); PrivilegeVector privileges; RoleGraph::generateUniversalPrivileges(&privileges); user->addPrivileges(privileges); internalSecurity.user = user; return Status::OK(); }
Status AuthorizationManager::acquirePrivilegesFromPrivilegeDocument( const std::string& dbname, const PrincipalName& principal, const BSONObj& privilegeDocument) { if (!_authenticatedPrincipals.lookup(principal)) { return Status(ErrorCodes::UserNotFound, mongoutils::str::stream() << "No authenticated principle found with name: " << principal.getUser() << " from database " << principal.getDB(), 0); } if (principal.getUser() == internalSecurity.user) { // Grant full access to internal user ActionSet allActions; allActions.addAllActions(); return acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, allActions), principal); } return buildPrivilegeSet(dbname, principal, privilegeDocument, &_acquiredPrivileges); }
Status ActionSet::parseActionSetFromStringVector(const std::vector<std::string>& actionsVector, ActionSet* result) { ActionSet actions; for (size_t i = 0; i < actionsVector.size(); i++) { ActionType action; Status status = ActionType::parseActionFromString(actionsVector[i], &action); if (status != Status::OK()) { ActionSet empty; *result = empty; return status; } if (action == ActionType::anyAction) { actions.addAllActions(); break; } actions.addAction(action); } *result = actions; return Status::OK(); }
bool AuthorizationManager::hasInternalAuthorization() { ActionSet allActions; allActions.addAllActions(); return _acquiredPrivileges.hasPrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, allActions)); }
void RoleGraph::generateUniversalPrivileges(PrivilegeVector* privileges) { ActionSet allActions; allActions.addAllActions(); privileges->push_back(Privilege(ResourcePattern::forAnyResource(), allActions)); }
bool AuthorizationSession::hasInternalAuthorization() { ActionSet allActions; allActions.addAllActions(); return _checkAuthForPrivilegeHelper( Privilege(AuthorizationManager::WILDCARD_RESOURCE_NAME, allActions)).isOK(); }