Status AuthzManagerExternalStateMongos::getRoleDescription(OperationContext* txn,
const RoleName& roleName,
bool showPrivileges,
BSONObj* result) {
BSONObj rolesInfoCmd =
BSON("rolesInfo" << BSON_ARRAY(BSON(
AuthorizationManager::ROLE_NAME_FIELD_NAME
<< roleName.getRole() << AuthorizationManager::ROLE_DB_FIELD_NAME
<< roleName.getDB())) << "showPrivileges" << showPrivileges);
BSONObjBuilder builder;
const bool ok = grid.catalogManager(txn)
->runUserManagementReadCommand(txn, "admin", rolesInfoCmd, &builder);
BSONObj cmdResult = builder.obj();
if (!ok) {
return Command::getStatusFromCommandResult(cmdResult);
}
std::vector<BSONElement> foundRoles = cmdResult["roles"].Array();
if (foundRoles.size() == 0) {
return Status(ErrorCodes::RoleNotFound, "Role \"" + roleName.toString() + "\" not found");
}
if (foundRoles.size() > 1) {
return Status(ErrorCodes::RoleDataInconsistent,
str::stream() << "Found multiple roles on the \"" << roleName.getDB()
<< "\" database with name \"" << roleName.getRole() << "\"");
}
*result = foundRoles[0].Obj().getOwned();
return Status::OK();
}
Status AuthzManagerExternalStateMongos::getRoleDescription(OperationContext* opCtx,
const RoleName& roleName,
PrivilegeFormat showPrivileges,
BSONObj* result) {
BSONObjBuilder rolesInfoCmd;
rolesInfoCmd.append("rolesInfo",
BSON_ARRAY(BSON(AuthorizationManager::ROLE_NAME_FIELD_NAME
<< roleName.getRole()
<< AuthorizationManager::ROLE_DB_FIELD_NAME
<< roleName.getDB())));
addShowPrivilegesToBuilder(&rolesInfoCmd, showPrivileges);
BSONObjBuilder builder;
const bool ok = Grid::get(opCtx)->catalogClient()->runUserManagementReadCommand(
opCtx, "admin", rolesInfoCmd.obj(), &builder);
BSONObj cmdResult = builder.obj();
if (!ok) {
return getStatusFromCommandResult(cmdResult);
}
std::vector<BSONElement> foundRoles = cmdResult[rolesFieldName(showPrivileges)].Array();
if (foundRoles.size() == 0) {
return Status(ErrorCodes::RoleNotFound, "Role \"" + roleName.toString() + "\" not found");
}
if (foundRoles.size() > 1) {
return Status(ErrorCodes::RoleDataInconsistent,
str::stream() << "Found multiple roles on the \"" << roleName.getDB()
<< "\" database with name \""
<< roleName.getRole()
<< "\"");
}
*result = foundRoles[0].Obj().getOwned();
return Status::OK();
}
bool RoleGraph::isBuiltinRole(const RoleName& role) {
if (!NamespaceString::validDBName(role.getDB()) || role.getDB() == "$external") {
return false;
}
bool isAdminDB = role.getDB() == ADMIN_DBNAME;
if (role.getRole() == BUILTIN_ROLE_READ) {
return true;
}
else if (role.getRole() == BUILTIN_ROLE_READ_WRITE) {
return true;
}
else if (role.getRole() == BUILTIN_ROLE_USER_ADMIN) {
return true;
}
else if (role.getRole() == BUILTIN_ROLE_DB_ADMIN) {
return true;
}
else if (role.getRole() == BUILTIN_ROLE_DB_OWNER) {
return true;
}
else if (isAdminDB && role.getRole() == BUILTIN_ROLE_READ_ANY_DB) {
return true;
}
else if (isAdminDB && role.getRole() == BUILTIN_ROLE_READ_WRITE_ANY_DB) {
return true;
}
else if (isAdminDB && role.getRole() == BUILTIN_ROLE_USER_ADMIN_ANY_DB) {
return true;
}
else if (isAdminDB && role.getRole() == BUILTIN_ROLE_DB_ADMIN_ANY_DB) {
return true;
}
else if (isAdminDB && role.getRole() == BUILTIN_ROLE_CLUSTER_MONITOR) {
return true;
}
else if (isAdminDB && role.getRole() == BUILTIN_ROLE_HOST_MANAGEMENT) {
return true;
}
else if (isAdminDB && role.getRole() == BUILTIN_ROLE_CLUSTER_MANAGEMENT) {
return true;
}
else if (isAdminDB && role.getRole() == BUILTIN_ROLE_CLUSTER_ADMIN) {
return true;
}
else if (isAdminDB && role.getRole() == BUILTIN_ROLE_BACKUP) {
return true;
}
else if (isAdminDB && role.getRole() == BUILTIN_ROLE_RESTORE) {
return true;
}
else if (isAdminDB && role.getRole() == BUILTIN_ROLE_ROOT) {
return true;
}
else if (isAdminDB && role.getRole() == BUILTIN_ROLE_INTERNAL) {
return true;
}
return false;
}
Status AuthorizationManager::updateRoleDocument(OperationContext* txn,
const RoleName& role,
const BSONObj& updateObj,
const BSONObj& writeConcern) const {
Status status = _externalState->updateOne(
txn,
rolesCollectionNamespace,
BSON(AuthorizationManager::ROLE_NAME_FIELD_NAME << role.getRole() <<
AuthorizationManager::ROLE_DB_FIELD_NAME << role.getDB()),
updateObj,
false,
writeConcern);
if (status.isOK()) {
return status;
}
if (status.code() == ErrorCodes::NoMatchingDocument) {
return Status(ErrorCodes::RoleNotFound,
mongoutils::str::stream() << "Role " << role.getFullName() <<
" not found");
}
if (status.code() == ErrorCodes::UnknownError) {
return Status(ErrorCodes::RoleModificationFailed, status.reason());
}
return status;
}
Status AuthzManagerExternalStateMongos::getRoleDescription(const RoleName& roleName,
BSONObj* result) {
try {
scoped_ptr<ScopedDbConnection> conn(getConnectionForAuthzCollection(
AuthorizationManager::rolesCollectionNamespace));
BSONObj cmdResult;
conn->get()->runCommand(
"admin",
BSON("rolesInfo" <<
BSON_ARRAY(BSON(AuthorizationManager::ROLE_NAME_FIELD_NAME <<
roleName.getRole() <<
AuthorizationManager::ROLE_SOURCE_FIELD_NAME <<
roleName.getDB()))),
cmdResult);
if (!cmdResult["ok"].trueValue()) {
int code = cmdResult["code"].numberInt();
if (code == 0) code = ErrorCodes::UnknownError;
return Status(ErrorCodes::Error(code), cmdResult["errmsg"].str());
}
*result = cmdResult["roles"]["0"].Obj().getOwned();
conn->done();
return Status::OK();
} catch (const DBException& e) {
return e.toStatus();
}
}
Status checkAuthForDropRoleCommand(Client* client,
const std::string& dbname,
const BSONObj& cmdObj) {
AuthorizationSession* authzSession = AuthorizationSession::get(client);
RoleName roleName;
Status status = auth::parseDropRoleCommand(cmdObj, dbname, &roleName);
if (!status.isOK()) {
return status;
}
if (!authzSession->isAuthorizedForActionsOnResource(
ResourcePattern::forDatabaseName(roleName.getDB()), ActionType::dropRole)) {
return Status(ErrorCodes::Unauthorized,
str::stream() << "Not authorized to drop roles from the " << roleName.getDB()
<< " database");
}
return Status::OK();
}
Status AuthzManagerExternalStateLocal::_getRoleDescription_inlock(const RoleName& roleName,
bool showPrivileges,
BSONObj* result) {
if (!_roleGraph.roleExists(roleName))
return Status(ErrorCodes::RoleNotFound, "No role named " + roleName.toString());
mutablebson::Document resultDoc;
fassert(17162, resultDoc.root().appendString(
AuthorizationManager::ROLE_NAME_FIELD_NAME, roleName.getRole()));
fassert(17163, resultDoc.root().appendString(
AuthorizationManager::ROLE_SOURCE_FIELD_NAME, roleName.getDB()));
fassert(17267,
resultDoc.root().appendBool("isBuiltin", _roleGraph.isBuiltinRole(roleName)));
mutablebson::Element rolesElement = resultDoc.makeElementArray("roles");
fassert(17164, resultDoc.root().pushBack(rolesElement));
mutablebson::Element inheritedRolesElement = resultDoc.makeElementArray("inheritedRoles");
fassert(17165, resultDoc.root().pushBack(inheritedRolesElement));
mutablebson::Element privilegesElement = resultDoc.makeElementArray("privileges");
mutablebson::Element inheritedPrivilegesElement =
resultDoc.makeElementArray("inheritedPrivileges");
if (showPrivileges) {
fassert(17166, resultDoc.root().pushBack(privilegesElement));
}
mutablebson::Element warningsElement = resultDoc.makeElementArray("warnings");
addRoleNameObjectsToArrayElement(rolesElement, _roleGraph.getDirectSubordinates(roleName));
if (_roleGraphState == roleGraphStateConsistent) {
addRoleNameObjectsToArrayElement(
inheritedRolesElement, _roleGraph.getIndirectSubordinates(roleName));
if (showPrivileges) {
addPrivilegeObjectsOrWarningsToArrayElement(
privilegesElement,
warningsElement,
_roleGraph.getDirectPrivileges(roleName));
addPrivilegeObjectsOrWarningsToArrayElement(
inheritedPrivilegesElement,
warningsElement,
_roleGraph.getAllPrivileges(roleName));
fassert(17323, resultDoc.root().pushBack(inheritedPrivilegesElement));
}
}
else if (showPrivileges) {
warningsElement.appendString(
"", "Role graph state inconsistent; only direct privileges available.");
addPrivilegeObjectsOrWarningsToArrayElement(
privilegesElement, warningsElement, _roleGraph.getDirectPrivileges(roleName));
}
if (warningsElement.hasChildren()) {
fassert(17167, resultDoc.root().pushBack(warningsElement));
}
*result = resultDoc.getObject();
return Status::OK();
}
void AuthorizationSession::_buildAuthenticatedRolesVector() {
_authenticatedRoleNames.clear();
for (UserSet::iterator it = _authenticatedUsers.begin(); it != _authenticatedUsers.end();
++it) {
RoleNameIterator roles = (*it)->getIndirectRoles();
while (roles.more()) {
RoleName roleName = roles.next();
_authenticatedRoleNames.push_back(RoleName(roleName.getRole(), roleName.getDB()));
}
}
}
Status AuthzManagerExternalStateMongos::getRoleDescription(const RoleName& roleName,
bool showPrivileges,
BSONObj* result) {
try {
scoped_ptr<ScopedDbConnection> conn(getConnectionForAuthzCollection(
AuthorizationManager::rolesCollectionNamespace));
BSONObj cmdResult;
conn->get()->runCommand(
"admin",
BSON("rolesInfo" <<
BSON_ARRAY(BSON(AuthorizationManager::ROLE_NAME_FIELD_NAME <<
roleName.getRole() <<
AuthorizationManager::ROLE_SOURCE_FIELD_NAME <<
roleName.getDB())) <<
"showPrivileges" << showPrivileges),
cmdResult);
if (!cmdResult["ok"].trueValue()) {
int code = cmdResult["code"].numberInt();
if (code == 0) code = ErrorCodes::UnknownError;
return Status(ErrorCodes::Error(code), cmdResult["errmsg"].str());
}
std::vector<BSONElement> foundRoles = cmdResult["roles"].Array();
if (foundRoles.size() == 0) {
return Status(ErrorCodes::RoleNotFound,
"Role \"" + roleName.toString() + "\" not found");
}
if (foundRoles.size() > 1) {
return Status(ErrorCodes::RoleDataInconsistent,
mongoutils::str::stream() << "Found multiple roles on the \"" <<
roleName.getDB() << "\" database with name \"" <<
roleName.getRole() << "\"");
}
*result = foundRoles[0].Obj().getOwned();
conn->done();
return Status::OK();
} catch (const DBException& e) {
return e.toStatus();
}
}
bool RoleGraph::addPrivilegesForBuiltinRole(const RoleName& roleName,
PrivilegeVector* result) {
const bool isAdminDB = (roleName.getDB() == ADMIN_DBNAME);
if (roleName.getRole() == BUILTIN_ROLE_READ) {
addReadOnlyDbPrivileges(result, roleName.getDB());
}
else if (roleName.getRole() == BUILTIN_ROLE_READ_WRITE) {
addReadWriteDbPrivileges(result, roleName.getDB());
}
else if (roleName.getRole() == BUILTIN_ROLE_USER_ADMIN) {
addUserAdminDbPrivileges(result, roleName.getDB());
}
else if (roleName.getRole() == BUILTIN_ROLE_DB_ADMIN) {
addDbAdminDbPrivileges(result, roleName.getDB());
}
else if (roleName.getRole() == BUILTIN_ROLE_DB_OWNER) {
addDbOwnerPrivileges(result, roleName.getDB());
}
else if (isAdminDB && roleName.getRole() == BUILTIN_ROLE_READ_ANY_DB) {
addReadOnlyAnyDbPrivileges(result);
}
else if (isAdminDB && roleName.getRole() == BUILTIN_ROLE_READ_WRITE_ANY_DB) {
addReadWriteAnyDbPrivileges(result);
}
else if (isAdminDB && roleName.getRole() == BUILTIN_ROLE_USER_ADMIN_ANY_DB) {
addUserAdminAnyDbPrivileges(result);
}
else if (isAdminDB && roleName.getRole() == BUILTIN_ROLE_DB_ADMIN_ANY_DB) {
addDbAdminAnyDbPrivileges(result);
}
else if (isAdminDB && roleName.getRole() == BUILTIN_ROLE_CLUSTER_MONITOR) {
addClusterMonitorPrivileges(result);
}
else if (isAdminDB && roleName.getRole() == BUILTIN_ROLE_HOST_MANAGEMENT) {
addHostManagerPrivileges(result);
}
else if (isAdminDB && roleName.getRole() == BUILTIN_ROLE_CLUSTER_MANAGEMENT) {
addClusterManagerPrivileges(result);
}
else if (isAdminDB && roleName.getRole() == BUILTIN_ROLE_CLUSTER_ADMIN) {
addClusterAdminPrivileges(result);
}
else if (isAdminDB && roleName.getRole() == BUILTIN_ROLE_BACKUP) {
addBackupPrivileges(result);
}
else if (isAdminDB && roleName.getRole() == BUILTIN_ROLE_RESTORE) {
addRestorePrivileges(result);
}
else if (isAdminDB && roleName.getRole() == BUILTIN_ROLE_ROOT) {
addRootRolePrivileges(result);
}
else if (isAdminDB && roleName.getRole() == BUILTIN_ROLE_INTERNAL) {
addInternalRolePrivileges(result);
}
else {
return false;
}
return true;
}
Status AuthorizationManager::getBSONForRole(RoleGraph* graph,
const RoleName& roleName,
mutablebson::Element result) {
if (!graph->roleExists(roleName)) {
return Status(ErrorCodes::RoleNotFound,
mongoutils::str::stream() << roleName.getFullName() <<
"does not name an existing role");
}
std::string id = mongoutils::str::stream() << roleName.getDB() << "." << roleName.getRole();
result.appendString("_id", id);
result.appendString(ROLE_NAME_FIELD_NAME, roleName.getRole());
result.appendString(ROLE_SOURCE_FIELD_NAME, roleName.getDB());
// Build privileges array
mutablebson::Element privilegesArrayElement =
result.getDocument().makeElementArray("privileges");
result.pushBack(privilegesArrayElement);
const PrivilegeVector& privileges = graph->getDirectPrivileges(roleName);
Status status = getBSONForPrivileges(privileges, privilegesArrayElement);
if (!status.isOK()) {
return status;
}
// Build roles array
mutablebson::Element rolesArrayElement = result.getDocument().makeElementArray("roles");
result.pushBack(rolesArrayElement);
for (RoleNameIterator roles = graph->getDirectSubordinates(roleName);
roles.more();
roles.next()) {
const RoleName& subRole = roles.get();
mutablebson::Element roleObj = result.getDocument().makeElementObject("");
roleObj.appendString(ROLE_NAME_FIELD_NAME, subRole.getRole());
roleObj.appendString(ROLE_SOURCE_FIELD_NAME, subRole.getDB());
rolesArrayElement.pushBack(roleObj);
}
return Status::OK();
}
bool RoleGraph::isBuiltinRole(const RoleName& role) {
bool isAdminDB = role.getDB() == ADMIN_DBNAME;
if (role.getRole() == BUILTIN_ROLE_READ) {
return true;
}
else if (role.getRole() == BUILTIN_ROLE_READ_WRITE) {
return true;
}
else if (role.getRole() == BUILTIN_ROLE_USER_ADMIN) {
return true;
}
else if (role.getRole() == BUILTIN_ROLE_DB_ADMIN) {
return true;
}
else if (role.getRole() == BUILTIN_ROLE_DB_OWNER) {
return true;
}
else if (isAdminDB && role.getRole() == BUILTIN_ROLE_READ_ANY_DB) {
return true;
}
else if (isAdminDB && role.getRole() == BUILTIN_ROLE_READ_WRITE_ANY_DB) {
return true;
}
else if (isAdminDB && role.getRole() == BUILTIN_ROLE_USER_ADMIN_ANY_DB) {
return true;
}
else if (isAdminDB && role.getRole() == BUILTIN_ROLE_DB_ADMIN_ANY_DB) {
return true;
}
else if (isAdminDB && role.getRole() == BUILTIN_ROLE_CLUSTER_MONITOR) {
return true;
}
else if (isAdminDB && role.getRole() == BUILTIN_ROLE_HOST_MANAGEMENT) {
return true;
}
else if (isAdminDB && role.getRole() == BUILTIN_ROLE_CLUSTER_MANAGEMENT) {
return true;
}
else if (isAdminDB && role.getRole() == BUILTIN_ROLE_CLUSTER_ADMIN) {
return true;
}
else if (isAdminDB && role.getRole() == BUILTIN_ROLE_ROOT) {
return true;
}
else if (isAdminDB && role.getRole() == BUILTIN_ROLE_INTERNAL) {
return true;
}
return false;
}
bool AuthorizationSession::isAuthorizedToRevokeRole(const RoleName& role) {
return isAuthorizedForActionsOnResource(ResourcePattern::forDatabaseName(role.getDB()),
ActionType::revokeRole);
}