void addPrivilegesRequiredForMapReduce(Command* commandTemplate, const std::string& dbname, const BSONObj& cmdObj, std::vector<Privilege>* out) { Config::OutputOptions outputOptions = Config::parseOutputOptions(dbname, cmdObj); ResourcePattern inputResource(commandTemplate->parseResourcePattern(dbname, cmdObj)); uassert(17142, mongoutils::str::stream() << "Invalid input resource " << inputResource.toString(), inputResource.isExactNamespacePattern()); out->push_back(Privilege(inputResource, ActionType::find)); if (outputOptions.outType != Config::INMEMORY) { ActionSet outputActions; outputActions.addAction(ActionType::insert); if (outputOptions.outType == Config::REPLACE) { outputActions.addAction(ActionType::remove); } else { outputActions.addAction(ActionType::update); } ResourcePattern outputResource( ResourcePattern::forExactNamespace( NamespaceString(outputOptions.finalNamespace))); uassert(17143, mongoutils::str::stream() << "Invalid target namespace " << outputResource.ns().ns(), outputResource.ns().isValid()); // TODO: check if outputNs exists and add createCollection privilege if not out->push_back(Privilege(outputResource, outputActions)); } }
void AuthorizationSession::addAuthorizedPrincipal(Principal* principal) { // Log out any already-logged-in user on the same database as "principal". logoutDatabase(principal->getName().getDB().toString()); // See SERVER-8144. _authenticatedPrincipals.add(principal); if (!principal->isImplicitPrivilegeAcquisitionEnabled()) return; const std::string dbname = principal->getName().getDB().toString(); if (dbname == StringData("local", StringData::LiteralTag()) && principal->getName().getUser() == internalSecurity.user) { // Grant full access to internal user ActionSet allActions; allActions.addAllActions(); acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, allActions), principal->getName()); return; } _acquirePrivilegesForPrincipalFromDatabase(ADMIN_DBNAME, principal->getName()); principal->markDatabaseAsProbed(ADMIN_DBNAME); _acquirePrivilegesForPrincipalFromDatabase(dbname, principal->getName()); principal->markDatabaseAsProbed(dbname); _externalState->onAddAuthorizedPrincipal(principal); }
virtual void addRequiredPrivileges(const std::string& dbname, const BSONObj& cmdObj, std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::backupThrottle); out->push_back(Privilege(AuthorizationManager::SERVER_RESOURCE_NAME, actions)); }
void calculateDependencyGraph() { // zero out the graph DG = DependencyGraph<bool>(size()); // for each action we have for (size_t a=0; a<actions.size(); ++a) { // get the prerequisites for this action ActionSet pre = actions[a].getPrerequisites(); // subtract the worker from resource depot, prevent cyclic dependency if (a == DATA.getResourceDepot()) { pre.subtract(DATA.getWorker()); } // loop through prerequisites while (!pre.isEmpty()) { // get the next action Action p = pre.popAction(); // add it to the dependency graph DG.set(a, p, true); } } // do transitive reduction to obtain the tree DG.transitiveReduction(); }
void WriteCmd::addRequiredPrivileges(const std::string& dbname, const BSONObj& cmdObj, std::vector<Privilege>* out) { ActionSet actions; actions.addAction(_action); out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions)); }
// builds the relevant action set for this search ActionSet calculateRelevantActions() { // the initial mask is blank ActionSet all; // let's say that we will always allow workers and supply producers all.add(DATA.getWorker()); all.add(DATA.getSupplyProvider()); // loop through each nonzero element of the goal for (Action a(0); a<DATA.size(); ++a) { // if we want some of this action if (params.goal.get(a) > 0) { //printf("GOAL HAS: %s\n", DATA[a].getName().c_str()); // add itself to the mask all.add(a); // if this action costs gas if (DATA[a].gasPrice() > 0) { // extractors are now relevant all.add(DATA.getRefinery()); } // also add all recursive prerequisites of this action calculateRecursivePrerequisites(a, all); } } return all; }
void DBHashCmd::addRequiredPrivileges(const std::string& dbname, const BSONObj& cmdObj, std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::dbHash); out->push_back(Privilege(ResourcePattern::forDatabaseName(dbname), actions)); }
void CombatSearch_BestResponse::doSearch(const GameState & state, size_t depth) { if (timeLimitReached()) { throw BOSS_COMBATSEARCH_TIMEOUT; } _bestResponseData.update(_params.getInitialState(), state, _buildOrder); updateResults(state); if (isTerminalNode(state, depth)) { return; } ActionSet legalActions; generateLegalActions(state, legalActions, _params); for (UnitCountType a(0); a < legalActions.size(); ++a) { size_t ri = legalActions.size() - 1 - a; GameState child(state); child.doAction(legalActions[ri]); _buildOrder.add(legalActions[ri]); doSearch(child,depth+1); _buildOrder.pop_back(); } }
void Pipeline::addRequiredPrivileges(Command* commandTemplate, const string& db, BSONObj cmdObj, vector<Privilege>* out) { ResourcePattern inputResource(commandTemplate->parseResourcePattern(db, cmdObj)); uassert(17138, mongoutils::str::stream() << "Invalid input resource, " << inputResource.toString(), inputResource.isExactNamespacePattern()); if (false && cmdObj["allowDiskUsage"].trueValue()) { // TODO no privilege for this yet. } out->push_back(Privilege(inputResource, ActionType::find)); BSONObj pipeline = cmdObj.getObjectField("pipeline"); BSONForEach(stageElem, pipeline) { BSONObj stage = stageElem.embeddedObjectUserCheck(); if (str::equals(stage.firstElementFieldName(), "$out")) { NamespaceString outputNs(db, stage.firstElement().str()); uassert(17139, mongoutils::str::stream() << "Invalid $out target namespace, " << outputNs.ns(), outputNs.isValid()); ActionSet actions; actions.addAction(ActionType::remove); actions.addAction(ActionType::insert); out->push_back(Privilege(ResourcePattern::forExactNamespace(outputNs), actions)); } }
bb::cascades::VisualNode* NSRLastDocItemFactory::createItem (bb::cascades::ListView* list, const QString& type) { Q_UNUSED (type); NSRLastDocsListView *listView = static_cast<NSRLastDocsListView *> (list); NSRLastDocItem *item = new NSRLastDocItem (); NSRTranslator *translator = item->getTranslator (); ActionSet *actionSet = ActionSet::create (); ActionItem *shareAction = ActionItem::create().title (trUtf8 ("Share")); ActionItem *hideAction = ActionItem::create().title (trUtf8 ("Clear Recent", "Clear recent files")); DeleteActionItem *removeAction = DeleteActionItem::create (); shareAction->setImageSource (QUrl ("asset:///share.png")); hideAction->setImageSource (QUrl ("asset:///list-remove.png")); #if BBNDK_VERSION_AT_LEAST(10,2,0) shareAction->accessibility()->setName (trUtf8 ("Share file with others")); hideAction->accessibility()->setName (trUtf8 ("Remove file from the recent list only")); translator->addTranslatable ((UIObject *) shareAction->accessibility (), NSRTranslator::NSR_TRANSLATOR_TYPE_A11Y, QString ("NSRLastDocItemFactory"), QString ("Share file with others")); translator->addTranslatable ((UIObject *) hideAction->accessibility (), NSRTranslator::NSR_TRANSLATOR_TYPE_A11Y, QString ("NSRLastDocItemFactory"), QString ("Remove file from the recent list only")); #endif bool ok = connect (shareAction, SIGNAL (triggered ()), listView, SLOT (onShareActionTriggered ())); Q_UNUSED (ok); Q_ASSERT (ok); ok = connect (removeAction, SIGNAL (triggered ()), listView, SLOT (onRemoveActionTriggered ())); Q_ASSERT (ok); ok = connect (hideAction, SIGNAL (triggered ()), listView, SLOT (onHideActionTriggered ())); Q_ASSERT (ok); actionSet->add (shareAction); actionSet->add (hideAction); actionSet->add (removeAction); item->addActionSet (actionSet); translator->addTranslatable ((UIObject *) shareAction, NSRTranslator::NSR_TRANSLATOR_TYPE_ACTION, QString ("NSRLastDocItemFactory"), QString ("Share")); translator->addTranslatable ((UIObject *) hideAction, NSRTranslator::NSR_TRANSLATOR_TYPE_ACTION, QString ("NSRLastDocItemFactory"), QString ("Clear Recent")); return item; }
void createRecursiveActionSet_AllBulbOn() { string actionsetDesc; ActionSet *allBulbOn = new ActionSet(); allBulbOn->type = OIC::ACTIONSET_TYPE::RECURSIVE; allBulbOn->actionsetName = "AllBulbOnRecursiveCall"; allBulbOn->mTime.tm_year = 0; allBulbOn->mTime.tm_mon = 0; allBulbOn->mTime.tm_mday = 0; allBulbOn->mTime.tm_hour = 0; allBulbOn->mTime.tm_min = 0; allBulbOn->mTime.tm_sec = 5; allBulbOn->setDelay(allBulbOn->getSecAbsTime()); for (auto iter = lights.begin(); iter != lights.end(); ++iter) { Action *action = new Action(); action->target = (*iter); Capability *capa = new Capability(); capa->capability = "power"; capa->status = "on"; action->listOfCapability.push_back(capa); allBulbOn->listOfAction.push_back(action); } if (g_resource) { thingsMgr->addActionSet(g_resource, allBulbOn, onPut); } delete allBulbOn; }
void addRequiredPrivileges(const std::string& dbname, const BSONObj& cmdObj, std::vector<Privilege>* out) const override { ActionSet actions; actions.addAction(ActionType::convertToCapped); out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions)); }
void addPrivilegesRequiredForFindAndModify(Command* commandTemplate, const std::string& dbname, const BSONObj& cmdObj, std::vector<Privilege>* out) { bool update = cmdObj["update"].trueValue(); bool upsert = cmdObj["upsert"].trueValue(); bool remove = cmdObj["remove"].trueValue(); ActionSet actions; actions.addAction(ActionType::find); if (update) { actions.addAction(ActionType::update); } if (upsert) { actions.addAction(ActionType::insert); } if (remove) { actions.addAction(ActionType::remove); } ResourcePattern resource(commandTemplate->parseResourcePattern(dbname, cmdObj)); uassert(17137, "Invalid target namespace " + resource.toString(), resource.isExactNamespacePattern()); out->push_back(Privilege(resource, actions)); }
virtual void addRequiredPrivileges(const std::string& dbname, const BSONObj& cmdObj, std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::find); out->push_back(Privilege(parseResourcePattern(dbname, cmdObj), actions)); }
virtual void addRequiredPrivileges(const std::string& dbname, const BSONObj& cmdObj, std::vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::resync); out->push_back(Privilege(ResourcePattern::forClusterResource(), actions)); }
void XRuleIP::xrule_impl( IronBee::Transaction tx, ActionSet& actions ) { const char *remote_ip = tx.effective_remote_ip_string(); ib_ip4_t ipv4; ib_ip6_t ipv6; ib_log_debug_tx(tx.ib(), "Checking IP Access for %s", remote_ip); // Check IP lists. if (remote_ip == NULL) { BOOST_THROW_EXCEPTION( IronBee::einval() << IronBee::errinfo_what("No remote IP available.") ); } else if (IB_OK == ib_ip4_str_to_ip(remote_ip, &ipv4)) { const ib_ipset4_entry_t *entry; ib_status_t rc; rc = ib_ipset4_query(&(m_ipset4), ipv4, NULL, &entry, NULL); if (rc == IB_OK) { ib_log_debug_tx(tx.ib(), "IP matched %s", remote_ip); action_ptr action = IronBee::data_to_value<action_ptr>(entry->data); actions.set(action); } else { ib_log_debug_tx( tx.ib(), "IP set is empty or does not include %s", remote_ip); } } else if (IB_OK == ib_ip6_str_to_ip(remote_ip, &ipv6)) { const ib_ipset6_entry_t *entry; ib_status_t rc; rc = ib_ipset6_query(&(m_ipset6), ipv6, NULL, &entry, NULL); if (rc == IB_OK) { ib_log_debug_tx(tx.ib(), "IP matched %s", remote_ip); action_ptr action = IronBee::data_to_value<action_ptr>(entry->data); actions.set(action); } else { ib_log_debug_tx( tx.ib(), "IP set is empty or does not include %s", remote_ip); } } else { BOOST_THROW_EXCEPTION( IronBee::enoent() << IronBee::errinfo_what("Cannot convert IP to v4 or v6.") ); } }
virtual void addRequiredPrivileges(const std::string& dbname, const BSONObj& cmdObj, std::vector<Privilege>* out) { // TODO: update this with the new rules around user creation in 2.6. ActionSet actions; actions.addAction(ActionType::userAdmin); out->push_back(Privilege(dbname, actions)); }
void PartialPolicyExecutor::executeActionStep() { if (isGoalReached || hasFailed) return; if (active != NULL && !active->hasFinished()) { if (newAction) { for_each(executionObservers.begin(),executionObservers.end(),NotifyActionStart(active->toFluent(actionCounter))); newAction = false; } active->run(); } else { if (active != NULL) { for_each(executionObservers.begin(),executionObservers.end(),NotifyActionTermination(active->toFluent(actionCounter++))); } isGoalReached = kr->currentStateQuery(goalRules).isSatisfied(); if (isGoalReached) //well done! return; //choose the next action AnswerSet currentState = kr->currentStateQuery(vector<AspRule>()); set<AspFluent> state(currentState.getFluents().begin(), currentState.getFluents().end()); ActionSet options = policy->actions(state); if (options.empty() || (active != NULL && active->hasFailed())) { //there's no action for this state, computing more plans //if the last action failed, we may want to have some more option PartialPolicy *otherPolicy = planner->computePolicy(goalRules,suboptimality); policy->merge(otherPolicy); delete otherPolicy; for_each(executionObservers.begin(),executionObservers.end(),bind2nd(mem_fun(&ExecutionObserver::policyChanged),policy)); options = policy->actions(state); if (options.empty()) { //no actions available from here! hasFailed = true; return; } } set<AspFluent>::const_iterator chosen = selector->choose(options); delete active; active = instantiateAction(actionMap,*chosen); actionCounter++; newAction = true; } }
ActionSet AuthorizationManager::getAllUserActions() const { ActionSet allActions; allActions.addAllActionsFromSet(readRoleActions); allActions.addAllActionsFromSet(readWriteRoleActions); allActions.addAllActionsFromSet(userAdminRoleActions); allActions.addAllActionsFromSet(dbAdminRoleActions); allActions.addAllActionsFromSet(clusterAdminRoleActions); return allActions; }
ActionSet PrivilegeDocumentParser::getAllUserActions() const { ActionSet allActions; allActions.addAllActionsFromSet(readRoleActions); allActions.addAllActionsFromSet(readWriteRoleActions); allActions.addAllActionsFromSet(userAdminRoleActions); allActions.addAllActionsFromSet(dbAdminRoleActions); allActions.addAllActionsFromSet(clusterAdminRoleActions); return allActions; }
void AuthorizationManager::grantInternalAuthorization(const std::string& principalName) { Principal* principal = new Principal(PrincipalName(principalName, "local")); ActionSet actions; actions.addAllActions(); addAuthorizedPrincipal(principal); fassert(16581, acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, actions), principal->getName()).isOK()); }
void XRuleTime::xrule_impl( IronBee::Transaction tx, ActionSet& actions ) { if (actions.overrides(m_action)) { /* Get tx start time, shifted into the local time zone. */ boost::posix_time::ptime tx_start = tx.started_time() + m_zone_info->base_utc_offset(); std::ostringstream os; std::locale loc( os.getloc(), new boost::posix_time::time_facet("%H:%M:%S")); os.imbue(loc); os << "Checking current time " << tx_start << " against window " << m_start_time << "-" << m_end_time << "."; ib_log_debug_tx(tx.ib(), "%s", os.str().c_str()); bool in_window = ( m_start_time.time_of_day() <= tx_start.time_of_day() && tx_start.time_of_day() < m_end_time.time_of_day() ); // If any days of the week are specified in our window... if (m_days.size() > 0) { // ...get the day of the week... short dow = boost::gregorian::gregorian_calendar::day_of_week( tx_start.date().year_month_day()); // ...and update the in_window boolean. in_window &= (m_days.find(dow) != m_days.end()); } // If we are in the window specified (considering the // m_invert member) then execute the associated action. if (in_window ^ m_invert) { ib_log_debug_tx(tx.ib(), "XRuleTime was matched."); actions.set(m_action); } else { ib_log_debug_tx(tx.ib(), "XRuleTime was not matched."); } } else { ib_log_debug_tx( tx.ib(), "Skipping rule as action does not override tx actions."); } }
bool AuthorizationSession::_isAuthorizedForPrivilege(const Privilege& privilege) { AuthorizationManager& authMan = getAuthorizationManager(); const ResourcePattern& target(privilege.getResourcePattern()); ResourcePattern resourceSearchList[resourceSearchListCapacity]; const int resourceSearchListLength = buildResourceSearchList(target, resourceSearchList); ActionSet unmetRequirements = privilege.getActions(); UserSet::iterator it = _authenticatedUsers.begin(); while (it != _authenticatedUsers.end()) { User* user = *it; if (!user->isValid()) { // Make a good faith effort to acquire an up-to-date user object, since the one // we've cached is marked "out-of-date." UserName name = user->getName(); User* updatedUser; Status status = authMan.acquireUser(name, &updatedUser); switch (status.code()) { case ErrorCodes::OK: { // Success! Replace the old User object with the updated one. fassert(17067, _authenticatedUsers.replaceAt(it, updatedUser) == user); authMan.releaseUser(user); user = updatedUser; LOG(1) << "Updated session cache of user information for " << name; break; } case ErrorCodes::UserNotFound: { // User does not exist anymore; remove it from _authenticatedUsers. fassert(17068, _authenticatedUsers.removeAt(it) == user); authMan.releaseUser(user); LOG(1) << "Removed deleted user " << name << " from session cache of user information."; continue; // No need to advance "it" in this case. } default: // Unrecognized error; assume that it's transient, and continue working with the // out-of-date privilege data. warning() << "Could not fetch updated user privilege information for " << name << "; continuing to use old information. Reason is " << status; break; } } for (int i = 0; i < resourceSearchListLength; ++i) { ActionSet userActions = user->getActionsForResource(resourceSearchList[i]); unmetRequirements.removeAllActionsFromSet(userActions); if (unmetRequirements.empty()) return true; } ++it; } return false; }
void AuthorizationSession::grantInternalAuthorization(const UserName& userName) { Principal* principal = new Principal(userName); ActionSet actions; actions.addAllActions(); addAuthorizedPrincipal(principal); fassert(16581, acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, actions), principal->getName()).isOK()); }
void AuthorizationManager::grantInternalAuthorization() { Principal* internalPrincipal = new Principal("__system"); _authenticatedPrincipals.add(internalPrincipal); ActionSet allActions; allActions.addAllActions(); AcquiredPrivilege privilege(Privilege("*", allActions), internalPrincipal); Status status = acquirePrivilege(privilege); verify (status == Status::OK()); }
void printActionNames(ActionSet s) { while (!s.isEmpty()) { Action a = s.popAction(); printf("%s\n", getStarcraftAction(a).getName().c_str()); } }
// recursive function which does all search logic void DFBBMonteCarlo(StarcraftStateType & s, int depth) { printf("Depth %d\n", depth); // increase the node expansion count nodesExpanded++; // the time at which the last thing in the queue will finish int finishTime = s.getLastFinishTime(); if (finishTime >= upperBound) { return; } int bucket = getBucket(finishTime); int armyValue = s.getArmyValue(); if (armyValue > armyValues[bucket]) { armyValues[bucket] = armyValue; buildOrders[bucket] = getBuildOrder(s); } // if we are using search timeout and we are over the limit if (params.searchTimeLimit && (nodesExpanded % 1000 == 0) && (searchTimer.getElapsedTimeInMilliSec() > params.searchTimeLimit)) { // throw an exception to unroll the recursion throw 1; } // get the legal action set ActionSet legalActions = s.getLegalActionsMonteCarlo(params.goal); // if we have children, update the counter if (!legalActions.isEmpty()) { numGenerations += 1; numChildren += legalActions.numActions(); Action nextAction = legalActions.randomAction(); StarcraftStateType child(s); int readyTime = child.resourcesReady(nextAction); child.doAction(nextAction, readyTime); child.setParent(&s); DFBBMonteCarlo(child, depth+1); } else { printf("No legal actions %d\n", depth); } }
virtual Status checkAuthForCommand(ClientBasic* client, const std::string& dbname, const BSONObj& cmdObj) { ActionSet actions; actions.addAction(ActionType::createIndex); Privilege p(parseResourcePattern(dbname, cmdObj), actions); if ( client->getAuthorizationSession()->isAuthorizedForPrivilege(p) ) return Status::OK(); return Status(ErrorCodes::Unauthorized, "Unauthorized"); }
Status Pipeline::checkAuthForCommand(ClientBasic* client, const std::string& db, const BSONObj& cmdObj) { NamespaceString inputNs(db, cmdObj.firstElement().str()); auto inputResource = ResourcePattern::forExactNamespace(inputNs); uassert(17138, mongoutils::str::stream() << "Invalid input namespace, " << inputNs.ns(), inputNs.isValid()); std::vector<Privilege> privileges; if (dps::extractElementAtPath(cmdObj, "pipeline.0.$indexStats")) { Privilege::addPrivilegeToPrivilegeVector( &privileges, Privilege(ResourcePattern::forAnyNormalResource(), ActionType::indexStats)); } else if (dps::extractElementAtPath(cmdObj, "pipeline.0.$collStats")) { Privilege::addPrivilegeToPrivilegeVector(&privileges, Privilege(inputResource, ActionType::collStats)); } else { // If no source requiring an alternative permission scheme is specified then default to // requiring find() privileges on the given namespace. Privilege::addPrivilegeToPrivilegeVector(&privileges, Privilege(inputResource, ActionType::find)); } BSONObj pipeline = cmdObj.getObjectField("pipeline"); BSONForEach(stageElem, pipeline) { BSONObj stage = stageElem.embeddedObjectUserCheck(); StringData stageName = stage.firstElementFieldName(); if (stageName == "$out" && stage.firstElementType() == String) { NamespaceString outputNs(db, stage.firstElement().str()); uassert(17139, mongoutils::str::stream() << "Invalid $out target namespace, " << outputNs.ns(), outputNs.isValid()); ActionSet actions; actions.addAction(ActionType::remove); actions.addAction(ActionType::insert); if (shouldBypassDocumentValidationForCommand(cmdObj)) { actions.addAction(ActionType::bypassDocumentValidation); } Privilege::addPrivilegeToPrivilegeVector( &privileges, Privilege(ResourcePattern::forExactNamespace(outputNs), actions)); } else if (stageName == "$lookup" && stage.firstElementType() == Object) { NamespaceString fromNs(db, stage.firstElement()["from"].str()); Privilege::addPrivilegeToPrivilegeVector( &privileges, Privilege(ResourcePattern::forExactNamespace(fromNs), ActionType::find)); } else if (stageName == "$graphLookup" && stage.firstElementType() == Object) { NamespaceString fromNs(db, stage.firstElement()["from"].str()); Privilege::addPrivilegeToPrivilegeVector( &privileges, Privilege(ResourcePattern::forExactNamespace(fromNs), ActionType::find)); } }
void Pipeline::addRequiredPrivileges(const string& db, BSONObj cmdObj, vector<Privilege>* out) { ActionSet actions; actions.addAction(ActionType::find); out->push_back(Privilege(db + '.' + cmdObj.firstElement().str(), actions)); if (false && cmdObj["allowDiskUsage"].trueValue()) { // TODO no privilege for this yet. } BSONObj pipeline = cmdObj.getObjectField("pipeline"); BSONForEach(stageElem, pipeline) { BSONObj stage = stageElem.embeddedObjectUserCheck(); if (str::equals(stage.firstElementFieldName(), "$out")) { // TODO Figure out how to handle temp collection privileges. For now, using the // output ns is ok since we only do db-level privilege checks. const string outputNs = db + '.' + stage.firstElement().str(); ActionSet actions; // logically on output ns actions.addAction(ActionType::remove); actions.addAction(ActionType::insert); actions.addAction(ActionType::indexRead); // on temp ns due to implementation, but not logically on output ns actions.addAction(ActionType::createCollection); actions.addAction(ActionType::ensureIndex); actions.addAction(ActionType::dropCollection); actions.addAction(ActionType::renameCollectionSameDB); out->push_back(Privilege(outputNs, actions)); } }