Files
mongo/db/security.h

114 lines
3.2 KiB
C
Raw Normal View History

2009-01-18 19:13:12 -05:00
// security.h
/**
* Copyright (C) 2009 10gen Inc.
*
2009-01-09 18:15:30 -05:00
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
2009-01-14 17:17:24 -05:00
#pragma once
2009-01-23 11:28:29 -05:00
#include "nonce.h"
#include "concurrency.h"
#include "security_common.h"
2011-05-10 14:23:07 -04:00
#include "../util/concurrency/spin_lock.h"
2009-01-14 17:09:51 -05:00
// this is used by both mongos and mongod
2009-01-14 17:09:51 -05:00
namespace mongo {
2011-05-10 14:23:07 -04:00
/*
* for a particular db
* levels
* 0 : none
* 1 : read
* 2 : write
*/
struct Auth {
enum Level { NONE = 0 , READ = 1 , WRITE = 2 };
Auth() { level = NONE; }
Level level;
string user;
};
class AuthenticationInfo : boost::noncopyable {
public:
2011-01-04 00:40:41 -05:00
bool isLocalHost;
2011-05-10 14:23:07 -04:00
AuthenticationInfo(){ isLocalHost = false; }
~AuthenticationInfo() {}
// -- modifiers ----
2011-01-04 00:40:41 -05:00
void logout(const string& dbname ) {
2011-05-10 14:23:07 -04:00
scoped_spinlock lk(_lock);
_dbs.erase(dbname);
2011-01-04 00:40:41 -05:00
}
void authorize(const string& dbname , const string& user ) {
2011-05-10 14:23:07 -04:00
scoped_spinlock lk(_lock);
_dbs[dbname].level = Auth::WRITE;
_dbs[dbname].user = user;
2009-01-18 20:31:33 -05:00
}
void authorizeReadOnly(const string& dbname , const string& user ) {
2011-05-10 14:23:07 -04:00
scoped_spinlock lk(_lock);
_dbs[dbname].level = Auth::READ;
_dbs[dbname].user = user;
2011-05-10 14:23:07 -04:00
}
// -- accessors ---
2011-05-10 14:23:07 -04:00
bool isAuthorized(const string& dbname) const {
return _isAuthorized( dbname, Auth::WRITE );
}
bool isAuthorizedReads(const string& dbname) const {
return _isAuthorized( dbname, Auth::READ );
}
/**
* @param lockType - this is from dbmutex 1 is write, 0 is read
*/
2011-05-10 14:23:07 -04:00
bool isAuthorizedForLock(const string& dbname, int lockType ) const {
return _isAuthorized( dbname , lockType > 0 ? Auth::WRITE : Auth::READ );
}
bool isAuthorizedForLevel( const string& dbname , Auth::Level level ) const {
return _isAuthorized( dbname , level );
2010-01-26 17:04:09 -08:00
}
2011-01-04 00:40:41 -05:00
string getUser( const string& dbname ) const;
2011-05-10 14:23:07 -04:00
void print() const;
2010-01-26 17:04:09 -08:00
protected:
2011-05-10 14:23:07 -04:00
/** takes a lock */
bool _isAuthorized(const string& dbname, Auth::Level level) const;
2011-05-10 14:23:07 -04:00
bool _isAuthorizedSingle_inlock(const string& dbname, Auth::Level level) const;
2011-05-10 14:23:07 -04:00
/** cannot call this locked */
bool _isAuthorizedSpecialChecks( const string& dbname ) const ;
2011-05-10 14:23:07 -04:00
private:
mutable SpinLock _lock;
typedef map<string,Auth> MA;
MA _dbs; // dbname -> auth
2011-05-10 14:23:07 -04:00
static bool _warned;
};
2009-01-14 17:17:24 -05:00
} // namespace mongo