Status AuthorizationManager::_buildPrivilegeSetFromOldStylePrivilegeDocument( const std::string& dbname, const PrincipalName& principal, const BSONObj& privilegeDocument, PrivilegeSet* result) { if (!(privilegeDocument.hasField(USER_NAME_FIELD_NAME) && privilegeDocument.hasField(PASSWORD_FIELD_NAME))) { return Status(ErrorCodes::UnsupportedFormat, mongoutils::str::stream() << "Invalid old-style privilege document " "received when trying to extract privileges: " << privilegeDocument, 0); } if (privilegeDocument[USER_NAME_FIELD_NAME].str() != principal.getUser()) { return Status(ErrorCodes::BadValue, mongoutils::str::stream() << "Principal name from privilege document \"" << privilegeDocument[USER_NAME_FIELD_NAME].str() << "\" doesn't match name of provided Principal \"" << principal.getUser() << "\"", 0); } bool readOnly = privilegeDocument[READONLY_FIELD_NAME].trueValue(); ActionSet actions = getActionsForOldStyleUser(dbname, readOnly); std::string resourceName = (dbname == ADMIN_DBNAME || dbname == LOCAL_DBNAME) ? PrivilegeSet::WILDCARD_RESOURCE : dbname; result->grantPrivilege(Privilege(resourceName, actions), principal); return Status::OK(); }
Status AuthorizationManager::acquirePrivilegesFromPrivilegeDocument( const std::string& dbname, const PrincipalName& principal, const BSONObj& privilegeDocument) { if (!_authenticatedPrincipals.lookup(principal)) { return Status(ErrorCodes::UserNotFound, mongoutils::str::stream() << "No authenticated principle found with name: " << principal.getUser() << " from database " << principal.getDB(), 0); } if (principal.getUser() == internalSecurity.user) { // Grant full access to internal user ActionSet allActions; allActions.addAllActions(); return acquirePrivilege(Privilege(PrivilegeSet::WILDCARD_RESOURCE, allActions), principal); } return buildPrivilegeSet(dbname, principal, privilegeDocument, &_acquiredPrivileges); }
Status AuthorizationManager::acquirePrivilege(const Privilege& privilege, const PrincipalName& authorizingPrincipal) { if (!_authenticatedPrincipals.lookup(authorizingPrincipal)) { return Status(ErrorCodes::UserNotFound, mongoutils::str::stream() << "No authenticated principle found with name: " << authorizingPrincipal.getUser() << " from database " << authorizingPrincipal.getDB(), 0); } _acquiredPrivileges.grantPrivilege(privilege, authorizingPrincipal); return Status::OK(); }
Status AuthExternalState::getPrivilegeDocument(const std::string& dbname, const PrincipalName& principalName, BSONObj* result) { if (principalName.getUser() == internalSecurity.user) { if (internalSecurity.pwd.empty()) { return Status(ErrorCodes::UserNotFound, "key file must be used to log in with internal user", 15889); } *result = BSON(USER_FIELD << internalSecurity.user << PASSWORD_FIELD << internalSecurity.pwd).getOwned(); return Status::OK(); } std::string usersNamespace = dbname + ".system.users"; BSONObj userBSONObj; BSONObjBuilder queryBuilder; queryBuilder.append(USER_FIELD, principalName.getUser()); if (principalName.getDB() == dbname) { queryBuilder.appendNull(USER_SOURCE_FIELD); } else { queryBuilder.append(USER_SOURCE_FIELD, principalName.getDB()); } bool found = _findUser(usersNamespace, queryBuilder.obj(), &userBSONObj); if (!found) { return Status(ErrorCodes::UserNotFound, mongoutils::str::stream() << "auth: couldn't find user " << principalName.toString() << ", " << usersNamespace, 0); } *result = userBSONObj.getOwned(); return Status::OK(); }