author | Erwin Pe <erwin.pe@mongodb.com> | 2021-10-05 16:11:55 +0000 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2021-10-05 16:35:22 +0000 |
commit | 0cd03a0192bb8ab880476bdc8d95c9620771264d (patch) | |
tree | 59c1c29308fc4ab759eb47580c5c5defdefbe22a | |
parent | ec3acbdb7580d99f524f2893abe153d6aae62e75 (diff) | |
SERVER-59294 Check action type for oidReset
(cherry picked from commit 9961fac1b2090484ec3ceaedc921ce2794e2fc79)
-rw-r--r-- | jstests/auth/lib/commands_lib.js | 20 | ||||
-rw-r--r-- | src/mongo/db/auth/action_types.txt | 1 | ||||
-rw-r--r-- | src/mongo/db/auth/role_graph_builtin_roles.cpp | 1 | ||||
-rw-r--r-- | src/mongo/db/commands/generic_servers.cpp | 8 |
4 files changed, 27 insertions, 3 deletions
diff --git a/jstests/auth/lib/commands_lib.js b/jstests/auth/lib/commands_lib.js
index ae0e645a356..4169036623f 100644
--- a/jstests/auth/lib/commands_lib.js
+++ b/jstests/auth/lib/commands_lib.js
@@ -3501,8 +3501,24 @@ var authCommandsLib = {
 testname: "features",
 command: {features: 1},
 testcases: [
- {runOnDb: firstDbName, roles: roles_all, privilegesRequired: []},
- {runOnDb: secondDbName, roles: roles_all, privilegesRequired: []}
+ {runOnDb: firstDbName, roles: roles_all, privileges: []},
+ {runOnDb: secondDbName, roles: roles_all, privileges: []}
+ ]
+ },
+ {
+ testname: "features_oidReset",
+ command: {features: 1, oidReset: true},
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_hostManager,
+ privileges: [{resource: {cluster: true}, actions: ["oidReset"]}],
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_hostManager,
+ privileges: [{resource: {cluster: true}, actions: ["oidReset"]}],
+ }
 ]
 },
 {
diff --git a/src/mongo/db/auth/action_types.txt b/src/mongo/db/auth/action_types.txt
index 185e31a04f1..24aa0990bdf 100644
--- a/src/mongo/db/auth/action_types.txt
+++ b/src/mongo/db/auth/action_types.txt
@@ -85,6 +85,7 @@
 "logRotate",
 "moveChunk",
 "netstat",
+"oidReset", # machine ID reset via the features command
 "planCacheIndexFilter", # view/update index filters
 "planCacheRead", # view contents of plan cache
 "planCacheWrite", # clear cache, drop cache entry, pin/unpin/shun plans
diff --git a/src/mongo/db/auth/role_graph_builtin_roles.cpp b/src/mongo/db/auth/role_graph_builtin_roles.cpp
index b218324130c..0ff5b8a51d5 100644
--- a/src/mongo/db/auth/role_graph_builtin_roles.cpp
+++ b/src/mongo/db/auth/role_graph_builtin_roles.cpp
@@ -210,6 +210,7 @@ MONGO_INITIALIZER(AuthorizationBuiltinRoles)(InitializerContext* context) {
 << ActionType::connPoolSync
 << ActionType::dropConnections
 << ActionType::logRotate
+ << ActionType::oidReset
 << ActionType::setParameter
 << ActionType::shutdown
 << ActionType::touch
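Review bot: The new `features_oidReset` entry in commands_lib.js covers only `oidReset: true`, so the boundary that the server-side check in generic_servers.cpp depends on (`trueValue()`) is never exercised. Nothing asserts that a falsy value such as `command: {features: 1, oidReset: false}` still runs for `roles_all` with `privileges: []`; a third entry with exactly that shape would pin the truthiness boundary and catch a later change that starts gating on mere presence of the field. The two added testcases differ only in `runOnDb`; a one-line comment such as `// oidReset is a cluster-scoped action, so the target database must not change the outcome` would say why both are listed.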
diff --git a/src/mongo/db/commands/generic_servers.cpp b/src/mongo/db/commands/generic_servers.cpp
index b626177d484..cde9a61764c 100644
--- a/src/mongo/db/commands/generic_servers.cpp
+++ b/src/mongo/db/commands/generic_servers.cpp
@@ -69,7 +69,13 @@ public:
 }
 virtual void addRequiredPrivileges(const std::string& dbname,
 const BSONObj& cmdObj,
- std::vector<Privilege>* out) const {} // No auth required
+ std::vector<Privilege>* out) const {
+ if (cmdObj["oidReset"].trueValue()) {
+ ActionSet actions;
+ actions.addAction(ActionType::oidReset);
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
+ }
+ }
 virtual bool run(OperationContext* opCtx,
 const std::string& ns,
 const BSONObj& cmdObj, |
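Review bot: The privilege is demanded only when `cmdObj["oidReset"].trueValue()` holds, but the code that performs the reset lives in `run()`, whose body is outside this hunk, so it cannot be confirmed here that both sides use the same test. If `run()` reads the field differently (presence, or a type-specific getter), the reset would stay reachable without the `oidReset` action. The removed `// No auth required` comment is also dropped without a replacement, so nothing in the new body says that plain `features` is deliberately left unauthenticated. A comment above the `if` would cover both, for example `// Only a truthy oidReset needs the cluster-level oidReset action; plain 'features' stays unauthenticated. Keep this test identical to the one in run().`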