authorVincent Do <do.vincent@live.com>2016-05-17 11:35:04 -0400
committerVincent Do <vincent.do@mongodb.com>2016-05-26 16:55:19 -0400
commitcbb1f07f40d8487bfeb5dfce4ccfb5d461d9a2f6 (patch)
tree79b74ab43064c00a968e008719a5306f10fa6d52
parent646cc051cae9a87d2b27c43a45a13dbf507faf60 (diff)
downloadmongo-cbb1f07f40d8487bfeb5dfce4ccfb5d461d9a2f6.tar.gz
SERVER-24160 Add auth and auth test for lockInfo command
-rw-r--r--jstests/auth/lib/commands_lib.js14
-rw-r--r--src/mongo/db/auth/action_types.txt1
-rw-r--r--src/mongo/db/auth/role_graph_builtin_roles.cpp1
-rw-r--r--src/mongo/db/commands/lock_info.cpp10
4 files changed, 26 insertions, 0 deletions
diff --git a/jstests/auth/lib/commands_lib.js b/jstests/auth/lib/commands_lib.js
index 2cc54f30eff..19e28ee502f 100644
--- a/jstests/auth/lib/commands_lib.js
+++ b/jstests/auth/lib/commands_lib.js
@@ -789,6 +789,20 @@ var authCommandsLib = {
]
},
{
+ testname: 'lockInfo',
+ command: {lockInfo: 1},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_monitoring,
+ privileges: [{resource: {cluster: true}, actions: ['lockInfo']}]
+ },
+ {runOnDb: firstDbName, roles: {}, expectFail: true},
+ {runOnDb: secondDbName, roles: {}, expectFail: true}
+ ]
+ },
+ {
testname: "dataSize_1",
command: {dataSize: firstDbName + ".x"},
testcases: [{
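Review bot: The two `expectFail` cases on `firstDbName` and `secondDbName` use `roles: {}`, so they do not show that a user lacking the `lockInfo` action is rejected on the admin database. If lockInfo is admin-only (not visible in this hunk), they fail before the new privilege check is reached at all. If the harness does not already run the admin case under roles outside `roles_monitoring`, consider adding a case that does, and put a comment such as `// non-admin DBs: rejected regardless of role` above the two cases. `skipSharded: true` also leaves the sharded path untested; a short comment saying why would help.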
diff --git a/src/mongo/db/auth/action_types.txt b/src/mongo/db/auth/action_types.txt
index 3c560ccf9b8..c7da7062e16 100644
--- a/src/mongo/db/auth/action_types.txt
+++ b/src/mongo/db/auth/action_types.txt
@@ -70,6 +70,7 @@
"listIndexes",
"listShards",
"logRotate",
+"lockInfo",
"moveChunk",
"netstat",
"planCacheIndexFilter", # view/update index filters
diff --git a/src/mongo/db/auth/role_graph_builtin_roles.cpp b/src/mongo/db/auth/role_graph_builtin_roles.cpp
index 0c9160d912b..09fa1ee43f0 100644
--- a/src/mongo/db/auth/role_graph_builtin_roles.cpp
+++ b/src/mongo/db/auth/role_graph_builtin_roles.cpp
@@ -187,6 +187,7 @@ MONGO_INITIALIZER(AuthorizationBuiltinRoles)(InitializerContext* context) {
<< ActionType::hostInfo
<< ActionType::listDatabases
<< ActionType::listShards // clusterManager gets this also
+ << ActionType::lockInfo
<< ActionType::netstat
<< ActionType::replSetGetConfig // clusterManager gets this also
<< ActionType::replSetGetStatus // clusterManager gets this also
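Review bot: The added `<< ActionType::lockInfo` line has no comment, while neighbouring entries note whether clusterManager also receives the action. The action set being built starts outside the hunk, so the role is not visible here; the test's use of `roles_monitoring` suggests a monitoring role. Since lockInfo reports lock state for the whole server, it is worth confirming that every role inheriting this set is meant to see it. If the grant is intentionally narrower than its neighbours, record that with a trailing comment such as `// monitoring only`.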
diff --git a/src/mongo/db/commands/lock_info.cpp b/src/mongo/db/commands/lock_info.cpp
index d689dd2acea..a025a34a7be 100644
--- a/src/mongo/db/commands/lock_info.cpp
+++ b/src/mongo/db/commands/lock_info.cpp
@@ -30,6 +30,8 @@
#include <map>
+#include "mongo/db/auth/action_type.h"
+#include "mongo/db/auth/authorization_session.h"
#include "mongo/db/client.h"
#include "mongo/db/commands.h"
#include "mongo/db/concurrency/lock_manager_defs.h"
@@ -67,6 +69,14 @@ public:
help << "show all lock info on the server";
}
+ Status checkAuthForCommand(ClientBasic* client,
+ const std::string& dbname,
+ const BSONObj& cmdObj) final {
+ bool isAuthorized = AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
+ ResourcePattern::forClusterResource(), ActionType::lockInfo);
+ return isAuthorized ? Status::OK() : Status(ErrorCodes::Unauthorized, "Unauthorized");
+ }
+
CmdLockInfo() : Command("lockInfo", true) {}
bool run(OperationContext* txn,
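Review bot: `checkAuthForCommand` ignores `dbname` and `cmdObj` and authorizes only against the cluster resource, so the per-database rejections the test expects must come from elsewhere in the class (for example an admin-only flag), which this hunk does not show. A comment above the override would make that explicit, e.g. `// Requires the lockInfo action on the cluster resource; dbname is not consulted.` `isAuthorized` can be declared `const bool`. `ResourcePattern` is used without a direct include among the added headers, so it presumably arrives through `authorization_session.h`. The class body starts before and continues after this hunk.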