added more authorization to tokumx-only commands #527

Tokutek · Sep 21, 2013 · 0586712 · 0586712
1 parent 77010b7
commit 0586712
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 3 deletions.
diff --git a/src/mongo/db/auth/action_types.txt b/src/mongo/db/auth/action_types.txt
@@ -12,6 +12,7 @@
 "cloneCollectionLocalSource",
 "cloneCollectionTarget",
 "closeAllDatabases",
+"collectionsExist",
 "collMod",
 "collStats",
 "compact",
@@ -88,6 +89,7 @@
 "unlock",
 "unsetSharding",
 "update",
+"updateSlave",
 "userAdmin",
 "validate",
 "writebacklisten",

diff --git a/src/mongo/db/auth/authorization_manager.cpp b/src/mongo/db/auth/authorization_manager.cpp
@@ -98,6 +98,7 @@ namespace {
  MONGO_INITIALIZER(AuthorizationSystemRoles)(InitializerContext* context) {
  // Read role
  readRoleActions.addAction(ActionType::cloneCollectionLocalSource);
+ readRoleActions.addAction(ActionType::collectionsExist);
  readRoleActions.addAction(ActionType::collStats);
  readRoleActions.addAction(ActionType::dbHash);
  readRoleActions.addAction(ActionType::dbStats);
@@ -176,6 +177,7 @@ namespace {
  clusterAdminRoleReadActions.addAction(ActionType::getShardVersion);
  clusterAdminRoleReadActions.addAction(ActionType::listShards);
  clusterAdminRoleReadActions.addAction(ActionType::netstat);
+ clusterAdminRoleReadActions.addAction(ActionType::replGetExpireOplog);
  clusterAdminRoleReadActions.addAction(ActionType::replSetFreeze);
  clusterAdminRoleReadActions.addAction(ActionType::replSetGetStatus);
  clusterAdminRoleReadActions.addAction(ActionType::replSetMaintenance);
@@ -184,7 +186,6 @@ namespace {
  clusterAdminRoleReadActions.addAction(ActionType::setShardVersion); // TODO: should this be internal?
  clusterAdminRoleReadActions.addAction(ActionType::splitVector);
  clusterAdminRoleReadActions.addAction(ActionType::unsetSharding);
- clusterAdminRoleReadActions.addAction(ActionType::replGetExpireOplog);
 
  clusterAdminRoleWriteActions.addAction(ActionType::addShard);
  clusterAdminRoleWriteActions.addAction(ActionType::dropDatabase); // TODO: Should there be a CREATE_DATABASE also?
@@ -193,14 +194,15 @@ namespace {
  clusterAdminRoleWriteActions.addAction(ActionType::moveChunk);
  clusterAdminRoleWriteActions.addAction(ActionType::movePrimary);
  clusterAdminRoleWriteActions.addAction(ActionType::removeShard);
+ clusterAdminRoleWriteActions.addAction(ActionType::replSetExpireOplog);
  clusterAdminRoleWriteActions.addAction(ActionType::replSetInitiate);
  clusterAdminRoleWriteActions.addAction(ActionType::replSetReconfig);
  clusterAdminRoleWriteActions.addAction(ActionType::resync);
  clusterAdminRoleWriteActions.addAction(ActionType::shardCollection);
  clusterAdminRoleWriteActions.addAction(ActionType::shardingState);
  clusterAdminRoleWriteActions.addAction(ActionType::split);
  clusterAdminRoleWriteActions.addAction(ActionType::splitChunk);
- clusterAdminRoleWriteActions.addAction(ActionType::replSetExpireOplog);
+ clusterAdminRoleWriteActions.addAction(ActionType::updateSlave);
 
  clusterAdminRoleActions.addAllActionsFromSet(clusterAdminRoleReadActions);
  clusterAdminRoleActions.addAllActionsFromSet(clusterAdminRoleWriteActions);

diff --git a/src/mongo/db/cloner.cpp b/src/mongo/db/cloner.cpp
@@ -24,6 +24,9 @@
 #include "mongo/bson/util/builder.h"
 #include "mongo/client/dbclientinterface.h"
 #include "mongo/client/remote_transaction.h"
+#include "mongo/db/auth/authorization_manager.h"
+#include "mongo/db/auth/action_set.h"
+#include "mongo/db/auth/action_type.h"
 #include "mongo/db/client.h"
 #include "mongo/db/cloner.h"
 #include "mongo/db/jsobj.h"
@@ -579,6 +582,13 @@ namespace mongo {
  CmdCollectionsExist() : QueryCommand("_collectionsExist") {}
  virtual void help(stringstream &h) const { h << "internal use only"; }
  virtual bool slaveOk() const { return true; }
+ virtual void addRequiredPrivileges(const std::string& dbname,
+ const BSONObj& cmdObj,
+ std::vector<Privilege>* out) {
+ ActionSet actions;
+ actions.addAction(ActionType::collectionsExist);
+ out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ }
  virtual bool run(const string &dbname, BSONObj &jsobj, int, string &errmsg, BSONObjBuilder &result, bool) {
  BSONElement arrElt = jsobj["_collectionsExist"];
  if (!arrElt.ok() || arrElt.type() != Array) {

diff --git a/src/mongo/db/repl_block.cpp b/src/mongo/db/repl_block.cpp
@@ -18,6 +18,9 @@
 */
 
 #include "pch.h"
+#include "mongo/db/auth/authorization_manager.h"
+#include "mongo/db/auth/action_set.h"
+#include "mongo/db/auth/action_type.h"
 #include "repl.h"
 #include "repl_block.h"
 #include "instance.h"
@@ -233,6 +236,13 @@ namespace mongo {
  virtual int txnFlags() const { return noTxnFlags(); }
  virtual bool canRunInMultiStmtTxn() const { return true; }
  virtual OpSettings getOpSettings() const { return OpSettings(); }
+ virtual void addRequiredPrivileges(const std::string& dbname,
+ const BSONObj& cmdObj,
+ std::vector<Privilege>* out) {
+ ActionSet actions;
+ actions.addAction(ActionType::updateSlave);
+ out->push_back(Privilege(AuthorizationManager::CLUSTER_RESOURCE_NAME, actions));
+ }
  virtual void help( stringstream& help ) const {
  help << "internal." << endl;
  }

diff --git a/src/mongo/s/d_migrate.cpp b/src/mongo/s/d_migrate.cpp
@@ -34,7 +34,6 @@
 #include "mongo/db/auth/authorization_manager.h"
 #include "mongo/db/auth/action_set.h"
 #include "mongo/db/auth/action_type.h"
-#include "mongo/db/auth/authorization_manager.h"
 #include "mongo/db/auth/privilege.h"
 #include "mongo/db/database.h"
 #include "mongo/db/dbhelpers.h"