void AuthorizationSession::addAuthorizedPrincipal(Principal* principal) {
// Log out any already-logged-in user on the same database as "principal".
logoutDatabase(principal->getName().getDB().toString()); // See SERVER-8144.
_authenticatedPrincipals.add(principal);
if (!principal->isImplicitPrivilegeAcquisitionEnabled())
return;
const std::string dbname = principal->getName().getDB().toString();
if (dbname == StringData("local", StringData::LiteralTag()) &&
principal->getName().getUser() == internalSecurity.user) {
// Grant full access to internal user
ActionSet allActions;
allActions.addAllActions();
acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, allActions),
principal->getName());
return;
}
_acquirePrivilegesForPrincipalFromDatabase(ADMIN_DBNAME, principal->getName());
principal->markDatabaseAsProbed(ADMIN_DBNAME);
_acquirePrivilegesForPrincipalFromDatabase(dbname, principal->getName());
principal->markDatabaseAsProbed(dbname);
_externalState->onAddAuthorizedPrincipal(principal);
}
void AuthorizationManager::addAuthorizedPrincipal(Principal* principal) {
_authenticatedPrincipals.add(principal);
if (!principal->isImplicitPrivilegeAcquisitionEnabled())
return;
_acquirePrivilegesForPrincipalFromDatabase(ADMIN_DBNAME, principal->getName());
principal->markDatabaseAsProbed(ADMIN_DBNAME);
const std::string dbname = principal->getName().getDB().toString();
_acquirePrivilegesForPrincipalFromDatabase(dbname, principal->getName());
principal->markDatabaseAsProbed(dbname);
}
void AuthorizationManager::addAuthorizedPrincipal(Principal* principal) {
// Log out any already-logged-in user on the same database as "principal".
logoutDatabase(principal->getName().getDB().toString()); // See SERVER-8144.
_authenticatedPrincipals.add(principal);
if (!principal->isImplicitPrivilegeAcquisitionEnabled())
return;
_acquirePrivilegesForPrincipalFromDatabase(ADMIN_DBNAME, principal->getName());
principal->markDatabaseAsProbed(ADMIN_DBNAME);
const std::string dbname = principal->getName().getDB().toString();
_acquirePrivilegesForPrincipalFromDatabase(dbname, principal->getName());
principal->markDatabaseAsProbed(dbname);
}
Status AuthorizationManager::_probeForPrivilege(const Privilege& privilege) {
Privilege modifiedPrivilege = _modifyPrivilegeForSpecialCases(privilege);
if (_acquiredPrivileges.hasPrivilege(modifiedPrivilege))
return Status::OK();
std::string dbname = nsToDatabase(modifiedPrivilege.getResource());
for (PrincipalSet::iterator iter = _authenticatedPrincipals.begin(),
end = _authenticatedPrincipals.end();
iter != end; ++iter) {
Principal* principal = *iter;
if (!principal->isImplicitPrivilegeAcquisitionEnabled())
continue;
if (principal->isDatabaseProbed(dbname))
continue;
_acquirePrivilegesForPrincipalFromDatabase(dbname, principal->getName());
principal->markDatabaseAsProbed(dbname);
if (_acquiredPrivileges.hasPrivilege(modifiedPrivilege))
return Status::OK();
}
return Status(ErrorCodes::Unauthorized, "unauthorized", 0);
}
