authorAmalia Hawkins <amalia.hawkins@10gen.com>2014-07-28 16:25:27 -0400
committerAmalia Hawkins <amalia.hawkins@10gen.com>2014-07-28 16:41:26 -0400
commit5e515de16fe1eac1f7079a2a95aa9e4f716ee3ec (patch)
tree28cef4193c7f05aae3279b9d75fb661c6d3f85ec
parentef9cebb5112b44c90abde54b67badf536503127d (diff)
downloadmongo-5e515de16fe1eac1f7079a2a95aa9e4f716ee3ec.tar.gz
SERVER-14701 backup auth role should allow running the collstats command for all resources
-rw-r--r--jstests/auth/builtin_roles_system_colls.js31
-rw-r--r--src/mongo/db/auth/role_graph_builtin_roles.cpp8
2 files changed, 31 insertions, 8 deletions
diff --git a/jstests/auth/builtin_roles_system_colls.js b/jstests/auth/builtin_roles_system_colls.js
index 5bdafdb745e..15b99c8af28 100644
--- a/jstests/auth/builtin_roles_system_colls.js
+++ b/jstests/auth/builtin_roles_system_colls.js
@@ -7,19 +7,42 @@
// create and drop indexes on the admin.system.users and
// admin.system.roles collections, in order to make querying
// the users collection easier if you have a lot of users, etc.
-function testUserAdminAnyDatabaseSystemCollIndexing(conn) {
- var adminDB = conn.getDB("admin");
+function testUserAdminAnyDatabaseSystemCollIndexing(adminDB) {
+ adminDB.auth("root", "pwd");
adminDB.createUser({ user: "king", pwd: "pwd", roles: ["userAdminAnyDatabase"] });
- adminDB.auth("king", "pwd");
+ adminDB.logout();
+ adminDB.auth("king", "pwd");
assert.commandWorked(adminDB.system.users.createIndex({ db: 1 }));
assert.commandWorked(adminDB.system.roles.createIndex({ db: 1 }));
assert.commandWorked(adminDB.system.users.dropIndex({ db: 1 }));
assert.commandWorked(adminDB.system.roles.dropIndex({ db: 1 }));
+ adminDB.logout();
};
+
+// SERVER-14701: the backup role should be able to run the
+// collstats command on all resouces, including system resources.
+function testBackupSystemCollStats(adminDB) {
+ adminDB.auth("root", "pwd");
+ adminDB.createUser({ user: "backup-agent", pwd: "pwd", roles: ["backup"] });
+ adminDB.system.js.save({ _id: "testFunction", value: function (x){ return x; }});
+ adminDB.logout();
+
+ adminDB.auth("backup-agent", "pwd");
+ assert.commandWorked(adminDB.runCommand({ collstats: "system.users" }));
+ assert.commandWorked(adminDB.runCommand({ collstats: "system.roles" }));
+ assert.commandWorked(adminDB.runCommand({ collstats: "system.js" }));
+ adminDB.logout();
+}
+
// ************************************************************
var conn = MongoRunner.runMongod({ auth: "" });
-testUserAdminAnyDatabaseSystemCollIndexing(conn);
+var adminDB = conn.getDB("admin");
+adminDB.createUser({ user: "root", pwd: "pwd", roles: ["root"] });
+
+testUserAdminAnyDatabaseSystemCollIndexing(adminDB);
+testBackupSystemCollStats(adminDB);
+
MongoRunner.stopMongod(conn);
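Review bot: testBackupSystemCollStats only checks the positive side of the privilege change — that backup-agent can run collstats on system.users, system.roles and system.js — and never asserts that find on those system collections is still denied, so a regression that widened the backup role's find privilege to every resource would pass this test unnoticed. After the three collstats asserts, add a negative check such as `assert.throws(function() { adminDB.system.users.findOne(); });` (adjusted to whatever failure shape the shell reports for an unauthorized query). The auth() calls in both functions also discard their return value; writing `assert(adminDB.auth("root", "pwd"));` makes an authentication failure fail where it happens instead of surfacing as a confusing downstream error from createUser or save.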
diff --git a/src/mongo/db/auth/role_graph_builtin_roles.cpp b/src/mongo/db/auth/role_graph_builtin_roles.cpp
index 009f95b6c72..d9518f32e50 100644
--- a/src/mongo/db/auth/role_graph_builtin_roles.cpp
+++ b/src/mongo/db/auth/role_graph_builtin_roles.cpp
@@ -477,12 +477,12 @@ namespace {
}
void addBackupPrivileges(PrivilegeVector* privileges) {
- ActionSet normalResourceActions;
- normalResourceActions << ActionType::find
- << ActionType::collStats;
Privilege::addPrivilegeToPrivilegeVector(
privileges,
- Privilege(ResourcePattern::forAnyNormalResource(), normalResourceActions));
+ Privilege(ResourcePattern::forAnyResource(), ActionType::collStats));
+ Privilege::addPrivilegeToPrivilegeVector(
+ privileges,
+ Privilege(ResourcePattern::forAnyNormalResource(), ActionType::find));
ActionSet clusterActions;
clusterActions << ActionType::getParameter // To check authSchemaVersion