SERVER-31571 add advanceClusterTime action type

7 files changed, 62 insertions, 6 deletions

diff --git a/buildscripts/resmokeconfig/suites/sharding_auth.yml b/buildscripts/resmokeconfig/suites/sharding_auth.yml
index 96fda18bfcb..320eb022a80 100644
--- a/buildscripts/resmokeconfig/suites/sharding_auth.yml
+++ b/buildscripts/resmokeconfig/suites/sharding_auth.yml
@@ -11,6 +11,7 @@ selector:
   exclude_files:
   # Skip any tests that run with auth explicitly.
   - jstests/sharding/*[aA]uth*.js
+  - jstests/sharding/advance_cluster_time_action_type.js
   - jstests/sharding/aggregation_currentop.js # SERVER-19318
   - jstests/sharding/kill_sessions.js
   # Skip these additional tests when running with auth enabled.
diff --git a/buildscripts/resmokeconfig/suites/sharding_auth_audit.yml b/buildscripts/resmokeconfig/suites/sharding_auth_audit.yml
index 764552cd3ef..80991abb93e 100644
--- a/buildscripts/resmokeconfig/suites/sharding_auth_audit.yml
+++ b/buildscripts/resmokeconfig/suites/sharding_auth_audit.yml
@@ -11,6 +11,7 @@ selector:
   exclude_files:
   # Skip any tests that run with auth explicitly.
   - jstests/sharding/*[aA]uth*.js
+  - jstests/sharding/advance_cluster_time_action_type.js
   - jstests/sharding/aggregation_currentop.js # SERVER-19318
   - jstests/sharding/kill_sessions.js
   # Skip these additional tests when running with auth enabled.
diff --git a/buildscripts/resmokeconfig/suites/sharding_continuous_config_stepdown.yml b/buildscripts/resmokeconfig/suites/sharding_continuous_config_stepdown.yml
index 4e791e023ae..d028cae92eb 100644
--- a/buildscripts/resmokeconfig/suites/sharding_continuous_config_stepdown.yml
+++ b/buildscripts/resmokeconfig/suites/sharding_continuous_config_stepdown.yml
@@ -12,6 +12,7 @@ selector:
   - jstests/sharding/mongos_rs_auth_shard_failure_tolerance.js
   - jstests/sharding/mrShardedOutputAuth.js
   - jstests/sharding/aggregation_currentop.js
+  - jstests/sharding/advance_cluster_time_action_type.js
   # Count/write/aggregate/group commands against the config shard do not support retries yet
   - jstests/sharding/addshard1.js
   - jstests/sharding/addshard2.js
diff --git a/buildscripts/resmokeconfig/suites/sharding_last_stable_mongos_and_mixed_shards.yml b/buildscripts/resmokeconfig/suites/sharding_last_stable_mongos_and_mixed_shards.yml
index 91b19e11968..b34190b9ce0 100644
--- a/buildscripts/resmokeconfig/suites/sharding_last_stable_mongos_and_mixed_shards.yml
+++ b/buildscripts/resmokeconfig/suites/sharding_last_stable_mongos_and_mixed_shards.yml
@@ -30,6 +30,7 @@ selector:
   # New feature in v3.6 mongos
   - jstests/sharding/logical_time_metadata.js
   # New feature in v3.6 mongos and mongod.
+  - jstests/sharding/advance_cluster_time_action_type.js
   - jstests/sharding/advance_logical_time_with_valid_signature.js
   - jstests/sharding/after_cluster_time.js
   - jstests/sharding/lookup_change_stream_post_image_id_shard_key.js
diff --git a/jstests/sharding/advance_cluster_time_action_type.js b/jstests/sharding/advance_cluster_time_action_type.js
new file mode 100644
index 00000000000..1497cb4e67e
--- /dev/null
+++ b/jstests/sharding/advance_cluster_time_action_type.js
@@ -0,0 +1,52 @@
+/**
+ * Test a role with an advanceClusterTime action type.
+ */
+
+(function() {
+    "use strict";
+
+    let st = new ShardingTest(
+        {mongos: 1, config: 1, shards: 1, keyFile: 'jstests/libs/key1', mongosWaitsForKeys: true});
+    let adminDB = st.s.getDB('admin');
+
+    assert.commandWorked(adminDB.runCommand({createUser: "admin", pwd: "admin", roles: ["root"]}));
+    assert.eq(1, adminDB.auth("admin", "admin"));
+
+    assert.commandWorked(adminDB.runCommand({
+        createRole: "advanceClusterTimeRole",
+        privileges: [{resource: {cluster: true}, actions: ["advanceClusterTime"]}],
+        roles: []
+    }));
+
+    let testDB = adminDB.getSiblingDB("testDB");
+
+    assert.commandWorked(
+        testDB.runCommand({createUser: 'NotTrusted', pwd: 'pwd', roles: ['readWrite']}));
+    assert.commandWorked(testDB.runCommand({
+        createUser: 'Trusted',
+        pwd: 'pwd',
+        roles: [{role: 'advanceClusterTimeRole', db: 'admin'}, 'readWrite']
+    }));
+    assert.eq(1, testDB.auth("NotTrusted", "pwd"));
+
+    let res = testDB.runCommand({insert: "foo", documents: [{_id: 0}]});
+    assert.commandWorked(res);
+
+    let clusterTime = res.$clusterTime;
+    let clusterTimeTS = new Timestamp(clusterTime.clusterTime.getTime() + 1000, 0);
+    clusterTime.clusterTime = clusterTimeTS;
+
+    const cmdObj = {find: "foo", limit: 1, singleBatch: true, $clusterTime: clusterTime};
+    jsTestLog("running NonTrusted. command: " + tojson(cmdObj));
+    res = testDB.runCommand(cmdObj);
+    assert.commandFailed(res, "Command request was: " + tojsononeline(cmdObj));
+
+    assert.eq(1, testDB.auth("Trusted", "pwd"));
+    jsTestLog("running Trusted. command: " + tojson(cmdObj));
+    res = testDB.runCommand(cmdObj);
+    assert.commandWorked(res, "Command request was: " + tojsononeline(cmdObj));
+
+    testDB.logout();
+
+    st.stop();
+})();
diff --git a/src/mongo/db/auth/action_types.txt b/src/mongo/db/auth/action_types.txt
index 45eedf4312f..b08591a9c10 100644
--- a/src/mongo/db/auth/action_types.txt
+++ b/src/mongo/db/auth/action_types.txt
@@ -5,7 +5,7 @@
 # This means that the integer value assigned to each ActionType and used internally in ActionSet
 # also may change between versions.
 ["addShard",
-"advanceLogicalTime",
+"advanceClusterTime",
 "anyAction", # Special ActionType that represents *all* actions
 "appendOplogNote",
 "applicationMessage",
diff --git a/src/mongo/db/logical_time_validator.cpp b/src/mongo/db/logical_time_validator.cpp
index 2b336a5e561..98b217fb401 100644
--- a/src/mongo/db/logical_time_validator.cpp
+++ b/src/mongo/db/logical_time_validator.cpp
@@ -51,12 +51,12 @@ const auto getLogicalClockValidator =
 
 stdx::mutex validatorMutex;  // protects access to decoration instance of LogicalTimeValidator.
 
-std::vector<Privilege> advanceLogicalClockPrivilege;
+std::vector<Privilege> advanceClusterTimePrivilege;
 
-MONGO_INITIALIZER(InitializeAdvanceLogicalClockPrivilegeVector)(InitializerContext* const) {
+MONGO_INITIALIZER(InitializeAdvanceClusterTimePrivilegeVector)(InitializerContext* const) {
     ActionSet actions;
-    actions.addAction(ActionType::internal);
-    advanceLogicalClockPrivilege.emplace_back(ResourcePattern::forClusterResource(), actions);
+    actions.addAction(ActionType::advanceClusterTime);
+    advanceClusterTimePrivilege.emplace_back(ResourcePattern::forClusterResource(), actions);
     return Status::OK();
 }
 
@@ -184,7 +184,7 @@ bool LogicalTimeValidator::isAuthorizedToAdvanceClock(OperationContext* opCtx) {
     // Note: returns true if auth is off, courtesy of
     // AuthzSessionExternalStateServerCommon::shouldIgnoreAuthChecks.
     return AuthorizationSession::get(client)->isAuthorizedForPrivileges(
-        advanceLogicalClockPrivilege);
+        advanceClusterTimePrivilege);
 }
 
 bool LogicalTimeValidator::shouldGossipLogicalTime() {