Status RoleGraph::removeAllRolesFromRole(const RoleName& victim) {
typedef std::vector<RoleName> RoleNameVector;
if (!roleExists(victim)) {
return Status(ErrorCodes::RoleNotFound,
mongoutils::str::stream() << "Role: " << victim.getFullName()
<< " does not exist",
0);
}
if (isBuiltinRole(victim)) {
return Status(ErrorCodes::InvalidRoleModification,
mongoutils::str::stream() << "Cannot remove roles from built-in role: "
<< victim.getFullName(),
0);
}
RoleNameVector& subordinatesOfVictim = _roleToSubordinates[victim];
for (RoleNameVector::const_iterator subordinateRole = subordinatesOfVictim.begin(),
end = subordinatesOfVictim.end();
subordinateRole != end;
++subordinateRole) {
RoleNameVector& membersOfSubordinate = _roleToMembers[*subordinateRole];
RoleNameVector::iterator toErase =
std::find(membersOfSubordinate.begin(), membersOfSubordinate.end(), victim);
fassert(17173, toErase != membersOfSubordinate.end());
membersOfSubordinate.erase(toErase);
}
subordinatesOfVictim.clear();
return Status::OK();
}
Status RoleGraph::addRoleToRole(const RoleName& recipient, const RoleName& role) {
if (!roleExists(recipient)) {
return Status(ErrorCodes::RoleNotFound,
mongoutils::str::stream() << "Role: " << recipient.getFullName()
<< " does not exist");
}
if (isBuiltinRole(recipient)) {
return Status(ErrorCodes::InvalidRoleModification,
mongoutils::str::stream() << "Cannot grant roles to built-in role: "
<< role.getFullName());
}
if (!roleExists(role)) {
return Status(ErrorCodes::RoleNotFound,
mongoutils::str::stream() << "Role: " << role.getFullName()
<< " does not exist");
}
if (std::find(_roleToSubordinates[recipient].begin(),
_roleToSubordinates[recipient].end(),
role) == _roleToSubordinates[recipient].end()) {
// Only add role if it's not already present
_roleToSubordinates[recipient].push_back(role);
_roleToMembers[role].push_back(recipient);
}
return Status::OK();
}
Status RoleGraph::deleteRole(const RoleName& role) {
if (!roleExists(role)) {
return Status(ErrorCodes::RoleNotFound,
mongoutils::str::stream() << "Role: " << role.getFullName()
<< " does not exist",
0);
}
if (isBuiltinRole(role)) {
return Status(ErrorCodes::InvalidRoleModification,
mongoutils::str::stream() << "Cannot delete built-in role: "
<< role.getFullName(),
0);
}
for (std::vector<RoleName>::iterator it = _roleToSubordinates[role].begin();
it != _roleToSubordinates[role].end();
++it) {
_roleToMembers[*it].erase(
std::find(_roleToMembers[*it].begin(), _roleToMembers[*it].end(), role));
}
for (std::vector<RoleName>::iterator it = _roleToMembers[role].begin();
it != _roleToMembers[role].end();
++it) {
_roleToSubordinates[*it].erase(
std::find(_roleToSubordinates[*it].begin(), _roleToSubordinates[*it].end(), role));
}
_roleToSubordinates.erase(role);
_roleToIndirectSubordinates.erase(role);
_roleToMembers.erase(role);
_directPrivilegesForRole.erase(role);
_allPrivilegesForRole.erase(role);
_allRoles.erase(role);
return Status::OK();
}
Status RoleGraph::removeAllPrivilegesFromRole(const RoleName& role) {
if (!roleExists(role)) {
return Status(ErrorCodes::RoleNotFound,
mongoutils::str::stream() << "Role: " << role.getFullName()
<< " does not exist",
0);
}
if (isBuiltinRole(role)) {
return Status(ErrorCodes::InvalidRoleModification,
mongoutils::str::stream() << "Cannot remove privileges from built-in role: "
<< role.getFullName());
}
_directPrivilegesForRole[role].clear();
return Status::OK();
}
Status AuthorizationManager::updateRoleDocument(OperationContext* txn,
const RoleName& role,
const BSONObj& updateObj,
const BSONObj& writeConcern) const {
Status status = _externalState->updateOne(
txn,
rolesCollectionNamespace,
BSON(AuthorizationManager::ROLE_NAME_FIELD_NAME << role.getRole() <<
AuthorizationManager::ROLE_DB_FIELD_NAME << role.getDB()),
updateObj,
false,
writeConcern);
if (status.isOK()) {
return status;
}
if (status.code() == ErrorCodes::NoMatchingDocument) {
return Status(ErrorCodes::RoleNotFound,
mongoutils::str::stream() << "Role " << role.getFullName() <<
" not found");
}
if (status.code() == ErrorCodes::UnknownError) {
return Status(ErrorCodes::RoleModificationFailed, status.reason());
}
return status;
}
Status RoleGraph::removePrivilegeFromRole(const RoleName& role,
const Privilege& privilegeToRemove) {
if (!roleExists(role)) {
return Status(ErrorCodes::RoleNotFound,
mongoutils::str::stream() << "Role: " << role.getFullName()
<< " does not exist",
0);
}
if (isBuiltinRole(role)) {
return Status(ErrorCodes::InvalidRoleModification,
mongoutils::str::stream() << "Cannot remove privileges from built-in role: "
<< role.getFullName());
}
PrivilegeVector& currentPrivileges = _directPrivilegesForRole[role];
for (PrivilegeVector::iterator it = currentPrivileges.begin(); it != currentPrivileges.end();
++it) {
Privilege& curPrivilege = *it;
if (curPrivilege.getResourcePattern() == privilegeToRemove.getResourcePattern()) {
ActionSet curActions = curPrivilege.getActions();
if (!curActions.isSupersetOf(privilegeToRemove.getActions())) {
// Didn't possess all the actions being removed.
return Status(
ErrorCodes::PrivilegeNotFound,
mongoutils::str::stream() << "Role: " << role.getFullName()
<< " does not contain a privilege on "
<< privilegeToRemove.getResourcePattern().toString()
<< " with actions: "
<< privilegeToRemove.getActions().toString(),
0);
}
curPrivilege.removeActions(privilegeToRemove.getActions());
if (curPrivilege.getActions().empty()) {
currentPrivileges.erase(it);
}
return Status::OK();
}
}
return Status(ErrorCodes::PrivilegeNotFound,
mongoutils::str::stream() << "Role: " << role.getFullName()
<< " does not "
"contain any privileges on "
<< privilegeToRemove.getResourcePattern().toString(),
0);
}
Status RoleGraph::addPrivilegeToRole(const RoleName& role, const Privilege& privilegeToAdd) {
if (!roleExists(role)) {
return Status(ErrorCodes::RoleNotFound,
mongoutils::str::stream() << "Role: " << role.getFullName()
<< " does not exist",
0);
}
if (isBuiltinRole(role)) {
return Status(ErrorCodes::InvalidRoleModification,
mongoutils::str::stream() << "Cannot grant privileges to built-in role: "
<< role.getFullName(),
0);
}
_addPrivilegeToRoleNoChecks(role, privilegeToAdd);
return Status::OK();
}
Status RoleGraph::createRole(const RoleName& role) {
if (roleExists(role)) {
return Status(ErrorCodes::DuplicateKey,
mongoutils::str::stream() << "Role: " << role.getFullName()
<< " already exists",
0);
}
_createRoleDontCheckIfRoleExists(role);
return Status::OK();
}
// NOTE: Current runtime of this is O(n*m) where n is the size of the current PrivilegeVector
// for the given role, and m is the size of the privilegesToAdd vector.
// If this was a PrivilegeSet (sorted on resource) rather than a PrivilegeVector, we
// could do this in O(n+m) instead.
Status RoleGraph::addPrivilegesToRole(const RoleName& role,
const PrivilegeVector& privilegesToAdd) {
if (!roleExists(role)) {
return Status(ErrorCodes::RoleNotFound,
mongoutils::str::stream() << "Role: " << role.getFullName()
<< " does not exist",
0);
}
if (isBuiltinRole(role)) {
return Status(ErrorCodes::InvalidRoleModification,
mongoutils::str::stream() << "Cannot grant privileges to built-in role: "
<< role.getFullName(),
0);
}
for (PrivilegeVector::const_iterator it = privilegesToAdd.begin(); it != privilegesToAdd.end();
++it) {
_addPrivilegeToRoleNoChecks(role, *it);
}
return Status::OK();
}
Status RoleGraph::removeRoleFromRole(const RoleName& recipient, const RoleName& role) {
if (!roleExists(recipient)) {
return Status(ErrorCodes::RoleNotFound,
mongoutils::str::stream() << "Role: " << recipient.getFullName()
<< " does not exist",
0);
}
if (isBuiltinRole(recipient)) {
return Status(ErrorCodes::InvalidRoleModification,
mongoutils::str::stream() << "Cannot remove roles from built-in role: "
<< role.getFullName(),
0);
}
if (!roleExists(role)) {
return Status(ErrorCodes::RoleNotFound,
mongoutils::str::stream() << "Role: " << role.getFullName()
<< " does not exist",
0);
}
std::vector<RoleName>::iterator itToRm =
std::find(_roleToMembers[role].begin(), _roleToMembers[role].end(), recipient);
if (itToRm != _roleToMembers[role].end()) {
_roleToMembers[role].erase(itToRm);
} else {
return Status(ErrorCodes::RolesNotRelated,
mongoutils::str::stream() << recipient.getFullName() << " is not a member"
" of "
<< role.getFullName(),
0);
}
itToRm = std::find(
_roleToSubordinates[recipient].begin(), _roleToSubordinates[recipient].end(), role);
fassert(16827, itToRm != _roleToSubordinates[recipient].end());
_roleToSubordinates[recipient].erase(itToRm);
return Status::OK();
}
Status AuthorizationManager::getBSONForRole(RoleGraph* graph,
const RoleName& roleName,
mutablebson::Element result) {
if (!graph->roleExists(roleName)) {
return Status(ErrorCodes::RoleNotFound,
mongoutils::str::stream() << roleName.getFullName() <<
"does not name an existing role");
}
std::string id = mongoutils::str::stream() << roleName.getDB() << "." << roleName.getRole();
result.appendString("_id", id);
result.appendString(ROLE_NAME_FIELD_NAME, roleName.getRole());
result.appendString(ROLE_SOURCE_FIELD_NAME, roleName.getDB());
// Build privileges array
mutablebson::Element privilegesArrayElement =
result.getDocument().makeElementArray("privileges");
result.pushBack(privilegesArrayElement);
const PrivilegeVector& privileges = graph->getDirectPrivileges(roleName);
Status status = getBSONForPrivileges(privileges, privilegesArrayElement);
if (!status.isOK()) {
return status;
}
// Build roles array
mutablebson::Element rolesArrayElement = result.getDocument().makeElementArray("roles");
result.pushBack(rolesArrayElement);
for (RoleNameIterator roles = graph->getDirectSubordinates(roleName);
roles.more();
roles.next()) {
const RoleName& subRole = roles.get();
mutablebson::Element roleObj = result.getDocument().makeElementObject("");
roleObj.appendString(ROLE_NAME_FIELD_NAME, subRole.getRole());
roleObj.appendString(ROLE_SOURCE_FIELD_NAME, subRole.getDB());
rolesArrayElement.pushBack(roleObj);
}
return Status::OK();
}
bool run(const string& dbname,
BSONObj& cmdObj,
int options,
string& errmsg,
BSONObjBuilder& result,
bool fromRepl) {
AuthorizationManager* authzManager = getGlobalAuthorizationManager();
AuthzDocumentsUpdateGuard updateGuard(authzManager);
if (!updateGuard.tryLock("Grant privileges to role")) {
addStatus(Status(ErrorCodes::LockBusy, "Could not lock auth data update lock."),
result);
return false;
}
RoleName roleName;
PrivilegeVector privilegesToAdd;
BSONObj writeConcern;
Status status = auth::parseAndValidateRolePrivilegeManipulationCommands(
cmdObj,
"grantPrivilegesToRole",
dbname,
&roleName,
&privilegesToAdd,
&writeConcern);
if (!status.isOK()) {
addStatus(status, result);
return false;
}
if (!authzManager->roleExists(roleName)) {
addStatus(Status(ErrorCodes::RoleNotFound,
mongoutils::str::stream() << roleName.getFullName() <<
" does not name an existing role"),
result);
return false;
}
if (authzManager->isBuiltinRole(roleName)) {
addStatus(Status(ErrorCodes::InvalidRoleModification,
mongoutils::str::stream() << roleName.getFullName() <<
" is a built-in role and cannot be modified."),
result);
return false;
}
PrivilegeVector privileges = authzManager->getDirectPrivilegesForRole(roleName);
for (PrivilegeVector::iterator it = privilegesToAdd.begin();
it != privilegesToAdd.end(); ++it) {
Privilege::addPrivilegeToPrivilegeVector(&privileges, *it);
}
// Build up update modifier object to $set privileges.
mutablebson::Document updateObj;
mutablebson::Element setElement = updateObj.makeElementObject("$set");
status = updateObj.root().pushBack(setElement);
if (!status.isOK()) {
addStatus(status, result);
return false;
}
mutablebson::Element privilegesElement = updateObj.makeElementArray("privileges");
status = setElement.pushBack(privilegesElement);
if (!status.isOK()) {
addStatus(status, result);
return false;
}
status = authzManager->getBSONForPrivileges(privileges, privilegesElement);
if (!status.isOK()) {
addStatus(status, result);
return false;
}
BSONObjBuilder updateBSONBuilder;
updateObj.writeTo(&updateBSONBuilder);
status = authzManager->updateRoleDocument(
roleName,
updateBSONBuilder.done(),
writeConcern);
if (!status.isOK()) {
addStatus(status, result);
return false;
}
return true;
}
Status RoleGraph::_recomputePrivilegeDataHelper(const RoleName& startingRole,
unordered_set<RoleName>& visitedRoles) {
if (visitedRoles.count(startingRole)) {
return Status::OK();
}
std::vector<RoleName> inProgressRoles;
inProgressRoles.push_back(startingRole);
while (inProgressRoles.size()) {
const RoleName currentRole = inProgressRoles.back();
fassert(17277, !visitedRoles.count(currentRole));
if (!roleExists(currentRole)) {
return Status(ErrorCodes::RoleNotFound,
mongoutils::str::stream() << "Role: " << currentRole.getFullName()
<< " does not exist",
0);
}
// Check for cycles
{
const std::vector<RoleName>::const_iterator begin = inProgressRoles.begin();
// The currentRole will always be last so don't look there.
const std::vector<RoleName>::const_iterator end = --inProgressRoles.end();
const std::vector<RoleName>::const_iterator firstOccurence =
std::find(begin, end, currentRole);
if (firstOccurence != end) {
std::ostringstream os;
os << "Cycle in dependency graph: ";
for (std::vector<RoleName>::const_iterator it = firstOccurence; it != end; ++it) {
os << it->getFullName() << " -> ";
}
os << currentRole.getFullName();
return Status(ErrorCodes::GraphContainsCycle, os.str());
}
}
// Make sure we've already visited all subordinate roles before worrying about this one.
const std::vector<RoleName>& currentRoleDirectRoles = _roleToSubordinates[currentRole];
std::vector<RoleName>::const_iterator roleIt;
for (roleIt = currentRoleDirectRoles.begin(); roleIt != currentRoleDirectRoles.end();
++roleIt) {
const RoleName& childRole = *roleIt;
if (!visitedRoles.count(childRole)) {
inProgressRoles.push_back(childRole);
break;
}
}
// If roleIt didn't reach the end of currentRoleDirectRoles that means we found a child
// of currentRole that we haven't visited yet.
if (roleIt != currentRoleDirectRoles.end()) {
continue;
}
// At this point, we know that we've already visited all child roles of currentRole
// and thus their "all privileges" sets are correct and can be added to currentRole's
// "all privileges" set
// Need to clear out the "all privileges" vector for the current role, and re-fill it
// with just the direct privileges for this role.
PrivilegeVector& currentRoleAllPrivileges = _allPrivilegesForRole[currentRole];
currentRoleAllPrivileges = _directPrivilegesForRole[currentRole];
// Need to do the same thing for the indirect roles
unordered_set<RoleName>& currentRoleIndirectRoles =
_roleToIndirectSubordinates[currentRole];
currentRoleIndirectRoles.clear();
for (std::vector<RoleName>::const_iterator it = currentRoleDirectRoles.begin();
it != currentRoleDirectRoles.end();
++it) {
currentRoleIndirectRoles.insert(*it);
}
// Recursively add children's privileges to current role's "all privileges" vector, and
// children's roles to current roles's "indirect roles" vector.
for (std::vector<RoleName>::const_iterator roleIt = currentRoleDirectRoles.begin();
roleIt != currentRoleDirectRoles.end();
++roleIt) {
// At this point, we already know that the "all privilege" set for the child is
// correct, so add those privileges to our "all privilege" set.
const RoleName& childRole = *roleIt;
const PrivilegeVector& childsPrivileges = _allPrivilegesForRole[childRole];
for (PrivilegeVector::const_iterator privIt = childsPrivileges.begin();
privIt != childsPrivileges.end();
++privIt) {
Privilege::addPrivilegeToPrivilegeVector(¤tRoleAllPrivileges, *privIt);
}
// We also know that the "indirect roles" for the child is also correct, so we can
// add those roles to our "indirect roles" set.
const unordered_set<RoleName>& childsRoles = _roleToIndirectSubordinates[childRole];
for (unordered_set<RoleName>::const_iterator childsRoleIt = childsRoles.begin();
childsRoleIt != childsRoles.end();
++childsRoleIt) {
currentRoleIndirectRoles.insert(*childsRoleIt);
}
}
visitedRoles.insert(currentRole);
inProgressRoles.pop_back();
}
return Status::OK();
}