  1. Core Server
  2. SERVER-16657

Implement authorization check for getMore/killCursors on cursors owned by global cursor manager


Details

    • Task
    • Resolution: Done
    • Blocker - P1
    • 2.8.0-rc5
    • None
    • Storage
    • None
    • Fully Compatible

    Description

      src/mongo/db/instance.cpp-                const NamespaceString nsString( ns );
      src/mongo/db/instance.cpp-                uassert( 16258, str::stream() << "Invalid ns [" << ns << "]", nsString.isValid() );
      src/mongo/db/instance.cpp-
      src/mongo/db/instance.cpp-                Status status = Status::OK();
      src/mongo/db/instance.cpp-                if (CursorManager::getGlobalCursorManager()->ownsCursorId(cursorid)) {
      src/mongo/db/instance.cpp:                    // TODO Implement auth check for global cursors.  SERVER-16657.
      src/mongo/db/instance.cpp-                }
      src/mongo/db/instance.cpp-                else {
      src/mongo/db/instance.cpp-                    status = txn->getClient()->getAuthorizationSession()->checkAuthForGetMore(
      src/mongo/db/instance.cpp-                            nsString, cursorid);
      src/mongo/db/instance.cpp-                }
      --
      src/mongo/db/query/find.cpp-        }
      src/mongo/db/query/find.cpp-        else {
      src/mongo/db/query/find.cpp-            // Check for spoofing of the ns such that it does not match the one originally
      src/mongo/db/query/find.cpp-            // there for the cursor.
      src/mongo/db/query/find.cpp-            if (globalCursorManager->ownsCursorId(cursorid)) {
      src/mongo/db/query/find.cpp:                // TODO Implement auth check for global cursors.  SERVER-16657.
      src/mongo/db/query/find.cpp-            }
      src/mongo/db/query/find.cpp-            else {
      src/mongo/db/query/find.cpp-                uassert(17011, "auth error", str::equals(ns, cc->ns().c_str()));
      src/mongo/db/query/find.cpp-            }
      src/mongo/db/query/find.cpp-            *isCursorAuthorized = true;
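
An added illustration of the gap the excerpt above marks with TODO, not MongoDB's code or its eventual fix: a C++ model in which both ownership branches run the same namespace and authorization check against the namespace recorded when the cursor was opened. `CursorRegistry`, `Session`, `Result` and the sample namespaces are hypothetical.

```cpp
#include <cstdint>
#include <map>
#include <set>
#include <string>

// Hypothetical model, not MongoDB's classes: each cursor records the
// namespace it was opened on, whichever manager owns it.
struct CursorInfo { std::string ns; bool globallyOwned; };

struct Session {
    std::set<std::string> readableNs;  // namespaces this client may read
    bool canRead(const std::string& ns) const { return readableNs.count(ns) != 0; }
};

enum class Result { OK, NoSuchCursor, NsMismatch, Unauthorized };

class CursorRegistry {
public:
    void add(std::int64_t id, const std::string& ns, bool global) {
        cursors_[id] = CursorInfo{ns, global};
    }
    // Shape of the excerpt: the globally owned branch performs no check.
    Result getMoreUnchecked(const Session& s, const std::string& ns, std::int64_t id) const {
        auto it = cursors_.find(id);
        if (it == cursors_.end()) return Result::NoSuchCursor;
        if (it->second.globallyOwned) return Result::OK;  // the TODO branch
        return check(s, ns, it->second);
    }
    // Both branches run the same check against the recorded namespace.
    Result getMoreChecked(const Session& s, const std::string& ns, std::int64_t id) const {
        auto it = cursors_.find(id);
        if (it == cursors_.end()) return Result::NoSuchCursor;
        return check(s, ns, it->second);
    }
private:
    static Result check(const Session& s, const std::string& ns, const CursorInfo& c) {
        if (ns != c.ns) return Result::NsMismatch;  // request ns is client-supplied
        if (!s.canRead(c.ns)) return Result::Unauthorized;
        return Result::OK;
    }
    std::map<std::int64_t, CursorInfo> cursors_;
};

int main() {
    CursorRegistry reg;
    reg.add(7, "admin.audit", true);  // constructed sample cursor
    Session s{{"app.orders"}};        // constructed sample privileges
    return reg.getMoreChecked(s, "app.orders", 7) == Result::NsMismatch ? 0 : 1;
}
```

Checking against the recorded namespace rather than the one in the request is what keeps a correct-looking namespace in the request from standing in for authorization on the cursor itself.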

          People

            greg.mckeon@mongodb.com Gregory McKeon (Inactive)
            rassi J Rassi