Status AuthzManagerExternalStateMongos::getRoleDescription(const RoleName& roleName, BSONObj* result) { try { scoped_ptr<ScopedDbConnection> conn(getConnectionForAuthzCollection( AuthorizationManager::rolesCollectionNamespace)); BSONObj cmdResult; conn->get()->runCommand( "admin", BSON("rolesInfo" << BSON_ARRAY(BSON(AuthorizationManager::ROLE_NAME_FIELD_NAME << roleName.getRole() << AuthorizationManager::ROLE_SOURCE_FIELD_NAME << roleName.getDB()))), cmdResult); if (!cmdResult["ok"].trueValue()) { int code = cmdResult["code"].numberInt(); if (code == 0) code = ErrorCodes::UnknownError; return Status(ErrorCodes::Error(code), cmdResult["errmsg"].str()); } *result = cmdResult["roles"]["0"].Obj().getOwned(); conn->done(); return Status::OK(); } catch (const DBException& e) { return e.toStatus(); } }
Status AuthzManagerExternalStateLocal::_getRoleDescription_inlock(const RoleName& roleName, bool showPrivileges, BSONObj* result) { if (!_roleGraph.roleExists(roleName)) return Status(ErrorCodes::RoleNotFound, "No role named " + roleName.toString()); mutablebson::Document resultDoc; fassert(17162, resultDoc.root().appendString( AuthorizationManager::ROLE_NAME_FIELD_NAME, roleName.getRole())); fassert(17163, resultDoc.root().appendString( AuthorizationManager::ROLE_SOURCE_FIELD_NAME, roleName.getDB())); fassert(17267, resultDoc.root().appendBool("isBuiltin", _roleGraph.isBuiltinRole(roleName))); mutablebson::Element rolesElement = resultDoc.makeElementArray("roles"); fassert(17164, resultDoc.root().pushBack(rolesElement)); mutablebson::Element inheritedRolesElement = resultDoc.makeElementArray("inheritedRoles"); fassert(17165, resultDoc.root().pushBack(inheritedRolesElement)); mutablebson::Element privilegesElement = resultDoc.makeElementArray("privileges"); mutablebson::Element inheritedPrivilegesElement = resultDoc.makeElementArray("inheritedPrivileges"); if (showPrivileges) { fassert(17166, resultDoc.root().pushBack(privilegesElement)); } mutablebson::Element warningsElement = resultDoc.makeElementArray("warnings"); addRoleNameObjectsToArrayElement(rolesElement, _roleGraph.getDirectSubordinates(roleName)); if (_roleGraphState == roleGraphStateConsistent) { addRoleNameObjectsToArrayElement( inheritedRolesElement, _roleGraph.getIndirectSubordinates(roleName)); if (showPrivileges) { addPrivilegeObjectsOrWarningsToArrayElement( privilegesElement, warningsElement, _roleGraph.getDirectPrivileges(roleName)); addPrivilegeObjectsOrWarningsToArrayElement( inheritedPrivilegesElement, warningsElement, _roleGraph.getAllPrivileges(roleName)); fassert(17323, resultDoc.root().pushBack(inheritedPrivilegesElement)); } } else if (showPrivileges) { warningsElement.appendString( "", "Role graph state inconsistent; only direct privileges available."); addPrivilegeObjectsOrWarningsToArrayElement( privilegesElement, warningsElement, _roleGraph.getDirectPrivileges(roleName)); } if (warningsElement.hasChildren()) { fassert(17167, resultDoc.root().pushBack(warningsElement)); } *result = resultDoc.getObject(); return Status::OK(); }
void AuthorizationSession::_buildAuthenticatedRolesVector() { _authenticatedRoleNames.clear(); for (UserSet::iterator it = _authenticatedUsers.begin(); it != _authenticatedUsers.end(); ++it) { RoleNameIterator roles = (*it)->getIndirectRoles(); while (roles.more()) { RoleName roleName = roles.next(); _authenticatedRoleNames.push_back(RoleName(roleName.getRole(), roleName.getDB())); } } }
Status AuthzManagerExternalStateMongos::getRoleDescription(const RoleName& roleName, bool showPrivileges, BSONObj* result) { try { scoped_ptr<ScopedDbConnection> conn(getConnectionForAuthzCollection( AuthorizationManager::rolesCollectionNamespace)); BSONObj cmdResult; conn->get()->runCommand( "admin", BSON("rolesInfo" << BSON_ARRAY(BSON(AuthorizationManager::ROLE_NAME_FIELD_NAME << roleName.getRole() << AuthorizationManager::ROLE_SOURCE_FIELD_NAME << roleName.getDB())) << "showPrivileges" << showPrivileges), cmdResult); if (!cmdResult["ok"].trueValue()) { int code = cmdResult["code"].numberInt(); if (code == 0) code = ErrorCodes::UnknownError; return Status(ErrorCodes::Error(code), cmdResult["errmsg"].str()); } std::vector<BSONElement> foundRoles = cmdResult["roles"].Array(); if (foundRoles.size() == 0) { return Status(ErrorCodes::RoleNotFound, "Role \"" + roleName.toString() + "\" not found"); } if (foundRoles.size() > 1) { return Status(ErrorCodes::RoleDataInconsistent, mongoutils::str::stream() << "Found multiple roles on the \"" << roleName.getDB() << "\" database with name \"" << roleName.getRole() << "\""); } *result = foundRoles[0].Obj().getOwned(); conn->done(); return Status::OK(); } catch (const DBException& e) { return e.toStatus(); } }
Status AuthorizationManager::getBSONForRole(RoleGraph* graph, const RoleName& roleName, mutablebson::Element result) { if (!graph->roleExists(roleName)) { return Status(ErrorCodes::RoleNotFound, mongoutils::str::stream() << roleName.getFullName() << "does not name an existing role"); } std::string id = mongoutils::str::stream() << roleName.getDB() << "." << roleName.getRole(); result.appendString("_id", id); result.appendString(ROLE_NAME_FIELD_NAME, roleName.getRole()); result.appendString(ROLE_SOURCE_FIELD_NAME, roleName.getDB()); // Build privileges array mutablebson::Element privilegesArrayElement = result.getDocument().makeElementArray("privileges"); result.pushBack(privilegesArrayElement); const PrivilegeVector& privileges = graph->getDirectPrivileges(roleName); Status status = getBSONForPrivileges(privileges, privilegesArrayElement); if (!status.isOK()) { return status; } // Build roles array mutablebson::Element rolesArrayElement = result.getDocument().makeElementArray("roles"); result.pushBack(rolesArrayElement); for (RoleNameIterator roles = graph->getDirectSubordinates(roleName); roles.more(); roles.next()) { const RoleName& subRole = roles.get(); mutablebson::Element roleObj = result.getDocument().makeElementObject(""); roleObj.appendString(ROLE_NAME_FIELD_NAME, subRole.getRole()); roleObj.appendString(ROLE_SOURCE_FIELD_NAME, subRole.getDB()); rolesArrayElement.pushBack(roleObj); } return Status::OK(); }
Status AuthzManagerExternalStateMongos::getRoleDescription( OperationContext* opCtx, const RoleName& roleName, PrivilegeFormat showPrivileges, AuthenticationRestrictionsFormat showRestrictions, BSONObj* result) { BSONObjBuilder rolesInfoCmd; rolesInfoCmd.append("rolesInfo", BSON_ARRAY(BSON(AuthorizationManager::ROLE_NAME_FIELD_NAME << roleName.getRole() << AuthorizationManager::ROLE_DB_FIELD_NAME << roleName.getDB()))); addShowToBuilder(&rolesInfoCmd, showPrivileges, showRestrictions); BSONObjBuilder builder; const bool ok = Grid::get(opCtx)->catalogClient()->runUserManagementReadCommand( opCtx, "admin", rolesInfoCmd.obj(), &builder); BSONObj cmdResult = builder.obj(); if (!ok) { return getStatusFromCommandResult(cmdResult); } std::vector<BSONElement> foundRoles = cmdResult[rolesFieldName(showPrivileges)].Array(); if (foundRoles.size() == 0) { return Status(ErrorCodes::RoleNotFound, "Role \"" + roleName.toString() + "\" not found"); } if (foundRoles.size() > 1) { return Status(ErrorCodes::RoleDataInconsistent, str::stream() << "Found multiple roles on the \"" << roleName.getDB() << "\" database with name \"" << roleName.getRole() << "\""); } *result = foundRoles[0].Obj().getOwned(); return Status::OK(); }
Status AuthorizationManager::updateRoleDocument(const RoleName& role, const BSONObj& updateObj, const BSONObj& writeConcern) const { Status status = _externalState->updateOne( rolesCollectionNamespace, BSON(AuthorizationManager::ROLE_NAME_FIELD_NAME << role.getRole() << AuthorizationManager::ROLE_SOURCE_FIELD_NAME << role.getDB()), updateObj, false, writeConcern); if (status.isOK()) { return status; } if (status.code() == ErrorCodes::NoMatchingDocument) { return Status(ErrorCodes::RoleNotFound, mongoutils::str::stream() << "Role " << role.getFullName() << " not found"); } if (status.code() == ErrorCodes::UnknownError) { return Status(ErrorCodes::RoleModificationFailed, status.reason()); } return status; }
bool RoleGraph::isBuiltinRole(const RoleName& role) { bool isAdminDB = role.getDB() == ADMIN_DBNAME; if (role.getRole() == BUILTIN_ROLE_READ) { return true; } else if (role.getRole() == BUILTIN_ROLE_READ_WRITE) { return true; } else if (role.getRole() == BUILTIN_ROLE_USER_ADMIN) { return true; } else if (role.getRole() == BUILTIN_ROLE_DB_ADMIN) { return true; } else if (role.getRole() == BUILTIN_ROLE_DB_OWNER) { return true; } else if (isAdminDB && role.getRole() == BUILTIN_ROLE_READ_ANY_DB) { return true; } else if (isAdminDB && role.getRole() == BUILTIN_ROLE_READ_WRITE_ANY_DB) { return true; } else if (isAdminDB && role.getRole() == BUILTIN_ROLE_USER_ADMIN_ANY_DB) { return true; } else if (isAdminDB && role.getRole() == BUILTIN_ROLE_DB_ADMIN_ANY_DB) { return true; } else if (isAdminDB && role.getRole() == BUILTIN_ROLE_CLUSTER_MONITOR) { return true; } else if (isAdminDB && role.getRole() == BUILTIN_ROLE_HOST_MANAGEMENT) { return true; } else if (isAdminDB && role.getRole() == BUILTIN_ROLE_CLUSTER_MANAGEMENT) { return true; } else if (isAdminDB && role.getRole() == BUILTIN_ROLE_CLUSTER_ADMIN) { return true; } else if (isAdminDB && role.getRole() == BUILTIN_ROLE_ROOT) { return true; } else if (isAdminDB && role.getRole() == BUILTIN_ROLE_INTERNAL) { return true; } return false; }
bool RoleGraph::addPrivilegesForBuiltinRole(const RoleName& roleName, PrivilegeVector* result) { const bool isAdminDB = (roleName.getDB() == ADMIN_DBNAME); if (roleName.getRole() == BUILTIN_ROLE_READ) { addReadOnlyDbPrivileges(result, roleName.getDB()); } else if (roleName.getRole() == BUILTIN_ROLE_READ_WRITE) { addReadWriteDbPrivileges(result, roleName.getDB()); } else if (roleName.getRole() == BUILTIN_ROLE_USER_ADMIN) { addUserAdminDbPrivileges(result, roleName.getDB()); } else if (roleName.getRole() == BUILTIN_ROLE_DB_ADMIN) { addDbAdminDbPrivileges(result, roleName.getDB()); } else if (roleName.getRole() == BUILTIN_ROLE_DB_OWNER) { addDbOwnerPrivileges(result, roleName.getDB()); } else if (isAdminDB && roleName.getRole() == BUILTIN_ROLE_READ_ANY_DB) { addReadOnlyAnyDbPrivileges(result); } else if (isAdminDB && roleName.getRole() == BUILTIN_ROLE_READ_WRITE_ANY_DB) { addReadWriteAnyDbPrivileges(result); } else if (isAdminDB && roleName.getRole() == BUILTIN_ROLE_USER_ADMIN_ANY_DB) { addUserAdminAnyDbPrivileges(result); } else if (isAdminDB && roleName.getRole() == BUILTIN_ROLE_DB_ADMIN_ANY_DB) { addDbAdminAnyDbPrivileges(result); } else if (isAdminDB && roleName.getRole() == BUILTIN_ROLE_CLUSTER_MONITOR) { addClusterMonitorPrivileges(result); } else if (isAdminDB && roleName.getRole() == BUILTIN_ROLE_HOST_MANAGEMENT) { addHostManagerPrivileges(result); } else if (isAdminDB && roleName.getRole() == BUILTIN_ROLE_CLUSTER_MANAGEMENT) { addClusterManagerPrivileges(result); } else if (isAdminDB && roleName.getRole() == BUILTIN_ROLE_CLUSTER_ADMIN) { addClusterAdminPrivileges(result); } else if (isAdminDB && roleName.getRole() == BUILTIN_ROLE_ROOT) { addRootRolePrivileges(result); } else if (isAdminDB && roleName.getRole() == BUILTIN_ROLE_INTERNAL) { addInternalRolePrivileges(result); } else { return false; } return true; }
bool RoleGraph::isBuiltinRole(const RoleName& role) { if (!NamespaceString::validDBName(role.getDB()) || role.getDB() == "$external") { return false; } bool isAdminDB = role.getDB() == ADMIN_DBNAME; if (role.getRole() == BUILTIN_ROLE_READ) { return true; } else if (role.getRole() == BUILTIN_ROLE_READ_WRITE) { return true; } else if (role.getRole() == BUILTIN_ROLE_USER_ADMIN) { return true; } else if (role.getRole() == BUILTIN_ROLE_DB_ADMIN) { return true; } else if (role.getRole() == BUILTIN_ROLE_DB_OWNER) { return true; } else if (isAdminDB && role.getRole() == BUILTIN_ROLE_READ_ANY_DB) { return true; } else if (isAdminDB && role.getRole() == BUILTIN_ROLE_READ_WRITE_ANY_DB) { return true; } else if (isAdminDB && role.getRole() == BUILTIN_ROLE_USER_ADMIN_ANY_DB) { return true; } else if (isAdminDB && role.getRole() == BUILTIN_ROLE_DB_ADMIN_ANY_DB) { return true; } else if (isAdminDB && role.getRole() == BUILTIN_ROLE_CLUSTER_MONITOR) { return true; } else if (isAdminDB && role.getRole() == BUILTIN_ROLE_HOST_MANAGEMENT) { return true; } else if (isAdminDB && role.getRole() == BUILTIN_ROLE_CLUSTER_MANAGEMENT) { return true; } else if (isAdminDB && role.getRole() == BUILTIN_ROLE_CLUSTER_ADMIN) { return true; } else if (isAdminDB && role.getRole() == BUILTIN_ROLE_BACKUP) { return true; } else if (isAdminDB && role.getRole() == BUILTIN_ROLE_RESTORE) { return true; } else if (isAdminDB && role.getRole() == BUILTIN_ROLE_ROOT) { return true; } else if (isAdminDB && role.getRole() == BUILTIN_ROLE_INTERNAL) { return true; } return false; }