Status V2UserDocumentParser::initializeUserPrivilegesFromUserDocument(const BSONObj& doc,
User* user) const {
BSONElement privilegesElement = doc[PRIVILEGES_FIELD_NAME];
if (privilegesElement.eoo())
return Status::OK();
if (privilegesElement.type() != Array) {
return Status(ErrorCodes::UnsupportedFormat,
"User document 'inheritedPrivileges' element must be Array if present.");
}
PrivilegeVector privileges;
std::string errmsg;
for (BSONObjIterator it(privilegesElement.Obj()); it.more(); it.next()) {
if ((*it).type() != Object) {
warning() << "Wrong type of element in inheritedPrivileges array for " <<
user->getName() << ": " << *it;
continue;
}
Privilege privilege;
ParsedPrivilege pp;
if (!pp.parseBSON((*it).Obj(), &errmsg) ||
!ParsedPrivilege::parsedPrivilegeToPrivilege(pp, &privilege, &errmsg)) {
warning() << "Could not parse privilege element in user document for " <<
user->getName() << ": " << errmsg;
continue;
}
privileges.push_back(privilege);
}
user->setPrivileges(privileges);
return Status::OK();
}
Status checkAuthorizedToGrantPrivileges(AuthorizationSession* authzSession,
const PrivilegeVector& privileges) {
for (PrivilegeVector::const_iterator it = privileges.begin(); it != privileges.end(); ++it) {
Status status = authzSession->checkAuthorizedToGrantPrivilege(*it);
if (!status.isOK()) {
return status;
}
}
return Status::OK();
}
Status RoleGraph::removePrivilegesFromRole(const RoleName& role,
const PrivilegeVector& privilegesToRemove) {
for (PrivilegeVector::const_iterator it = privilegesToRemove.begin();
it != privilegesToRemove.end();
++it) {
Status status = removePrivilegeFromRole(role, *it);
if (!status.isOK()) {
return status;
}
}
return Status::OK();
}
Status AuthorizationManager::getBSONForPrivileges(const PrivilegeVector& privileges,
mutablebson::Element resultArray) {
for (PrivilegeVector::const_iterator it = privileges.begin();
it != privileges.end(); ++it) {
std::string errmsg;
ParsedPrivilege privilege;
if (!ParsedPrivilege::privilegeToParsedPrivilege(*it, &privilege, &errmsg)) {
return Status(ErrorCodes::BadValue, errmsg);
}
resultArray.appendObject("privileges", privilege.toBSON());
}
return Status::OK();
}
void RoleGraph::_createBuiltinRoleIfNeeded(const RoleName& role) {
if (!isBuiltinRole(role) || _roleExistsDontCreateBuiltin(role)) {
return;
}
_createRoleDontCheckIfRoleExists(role);
PrivilegeVector privileges;
fassert(17145, addPrivilegesForBuiltinRole(role, &privileges));
for (size_t i = 0; i < privileges.size(); ++i) {
_addPrivilegeToRoleNoChecks(role, privileges[i]);
_allPrivilegesForRole[role].push_back(privileges[i]);
}
}
void User::setPrivileges(const PrivilegeVector& privileges) {
_privileges.clear();
for (size_t i = 0; i < privileges.size(); ++i) {
const Privilege& privilege = privileges[i];
_privileges[privilege.getResourcePattern()] = privilege;
}
}
Status V2UserDocumentParser::initializeUserPrivilegesFromUserDocument(const BSONObj& doc,
User* user) const {
BSONElement privilegesElement = doc[PRIVILEGES_FIELD_NAME];
if (privilegesElement.eoo())
return Status::OK();
if (privilegesElement.type() != Array) {
return Status(ErrorCodes::UnsupportedFormat,
"User document 'inheritedPrivileges' element must be Array if present.");
}
PrivilegeVector privileges;
std::string errmsg;
for (BSONObjIterator it(privilegesElement.Obj()); it.more(); it.next()) {
if ((*it).type() != Object) {
warning() << "Wrong type of element in inheritedPrivileges array for "
<< user->getName() << ": " << *it;
continue;
}
Privilege privilege;
ParsedPrivilege pp;
if (!pp.parseBSON((*it).Obj(), &errmsg)) {
warning() << "Could not parse privilege element in user document for "
<< user->getName() << ": " << errmsg;
continue;
}
std::vector<std::string> unrecognizedActions;
Status status =
ParsedPrivilege::parsedPrivilegeToPrivilege(pp, &privilege, &unrecognizedActions);
if (!status.isOK()) {
warning() << "Could not parse privilege element in user document for "
<< user->getName() << causedBy(status);
continue;
}
if (unrecognizedActions.size()) {
std::string unrecognizedActionsString;
joinStringDelim(unrecognizedActions, &unrecognizedActionsString, ',');
warning() << "Encountered unrecognized actions \" " << unrecognizedActionsString
<< "\" while parsing user document for " << user->getName();
}
privileges.push_back(privilege);
}
user->setPrivileges(privileges);
return Status::OK();
}
// NOTE: Current runtime of this is O(n*m) where n is the size of the current PrivilegeVector
// for the given role, and m is the size of the privilegesToAdd vector.
// If this was a PrivilegeSet (sorted on resource) rather than a PrivilegeVector, we
// could do this in O(n+m) instead.
Status RoleGraph::addPrivilegesToRole(const RoleName& role,
const PrivilegeVector& privilegesToAdd) {
if (!roleExists(role)) {
return Status(ErrorCodes::RoleNotFound,
mongoutils::str::stream() << "Role: " << role.getFullName()
<< " does not exist",
0);
}
if (isBuiltinRole(role)) {
return Status(ErrorCodes::InvalidRoleModification,
mongoutils::str::stream() << "Cannot grant privileges to built-in role: "
<< role.getFullName(),
0);
}
for (PrivilegeVector::const_iterator it = privilegesToAdd.begin(); it != privilegesToAdd.end();
++it) {
_addPrivilegeToRoleNoChecks(role, *it);
}
return Status::OK();
}
bool AuthorizationSession::_isAuthorizedForPrivilege(const Privilege& privilege) {
const ResourcePattern& target(privilege.getResourcePattern());
ResourcePattern resourceSearchList[resourceSearchListCapacity];
const int resourceSearchListLength = buildResourceSearchList(target, resourceSearchList);
ActionSet unmetRequirements = privilege.getActions();
PrivilegeVector defaultPrivileges = getDefaultPrivileges();
for (PrivilegeVector::iterator it = defaultPrivileges.begin(); it != defaultPrivileges.end();
++it) {
for (int i = 0; i < resourceSearchListLength; ++i) {
if (!(it->getResourcePattern() == resourceSearchList[i]))
continue;
ActionSet userActions = it->getActions();
unmetRequirements.removeAllActionsFromSet(userActions);
if (unmetRequirements.empty())
return true;
}
}
for (UserSet::iterator it = _authenticatedUsers.begin(); it != _authenticatedUsers.end();
++it) {
User* user = *it;
for (int i = 0; i < resourceSearchListLength; ++i) {
ActionSet userActions = user->getActionsForResource(resourceSearchList[i]);
unmetRequirements.removeAllActionsFromSet(userActions);
if (unmetRequirements.empty())
return true;
}
}
return false;
}
void User::addPrivileges(const PrivilegeVector& privileges) {
for (PrivilegeVector::const_iterator it = privileges.begin(); it != privileges.end(); ++it) {
addPrivilege(*it);
}
}
bool run(const string& dbname,
BSONObj& cmdObj,
int options,
string& errmsg,
BSONObjBuilder& result,
bool fromRepl) {
AuthorizationManager* authzManager = getGlobalAuthorizationManager();
AuthzDocumentsUpdateGuard updateGuard(authzManager);
if (!updateGuard.tryLock("Grant privileges to role")) {
addStatus(Status(ErrorCodes::LockBusy, "Could not lock auth data update lock."),
result);
return false;
}
RoleName roleName;
PrivilegeVector privilegesToAdd;
BSONObj writeConcern;
Status status = auth::parseAndValidateRolePrivilegeManipulationCommands(
cmdObj,
"grantPrivilegesToRole",
dbname,
&roleName,
&privilegesToAdd,
&writeConcern);
if (!status.isOK()) {
addStatus(status, result);
return false;
}
if (!authzManager->roleExists(roleName)) {
addStatus(Status(ErrorCodes::RoleNotFound,
mongoutils::str::stream() << roleName.getFullName() <<
" does not name an existing role"),
result);
return false;
}
if (authzManager->isBuiltinRole(roleName)) {
addStatus(Status(ErrorCodes::InvalidRoleModification,
mongoutils::str::stream() << roleName.getFullName() <<
" is a built-in role and cannot be modified."),
result);
return false;
}
PrivilegeVector privileges = authzManager->getDirectPrivilegesForRole(roleName);
for (PrivilegeVector::iterator it = privilegesToAdd.begin();
it != privilegesToAdd.end(); ++it) {
Privilege::addPrivilegeToPrivilegeVector(&privileges, *it);
}
// Build up update modifier object to $set privileges.
mutablebson::Document updateObj;
mutablebson::Element setElement = updateObj.makeElementObject("$set");
status = updateObj.root().pushBack(setElement);
if (!status.isOK()) {
addStatus(status, result);
return false;
}
mutablebson::Element privilegesElement = updateObj.makeElementArray("privileges");
status = setElement.pushBack(privilegesElement);
if (!status.isOK()) {
addStatus(status, result);
return false;
}
status = authzManager->getBSONForPrivileges(privileges, privilegesElement);
if (!status.isOK()) {
addStatus(status, result);
return false;
}
BSONObjBuilder updateBSONBuilder;
updateObj.writeTo(&updateBSONBuilder);
status = authzManager->updateRoleDocument(
roleName,
updateBSONBuilder.done(),
writeConcern);
if (!status.isOK()) {
addStatus(status, result);
return false;
}
return true;
}
