author | Spencer Jackson <spencer.jackson@mongodb.com> | 2018-08-09 14:14:14 -0400 |
---|---|---|
committer | Spencer Jackson <spencer.jackson@mongodb.com> | 2018-08-22 15:04:47 -0400 |
commit | 5f41ed605c9852d7e11275527bd7373dedd03704 (patch) | |
tree | 713560b521452695b0bf13004d139c60327431dc | |
parent | a8209bc6b221604ee0b646ed3427a4097fb8b44f (diff) | |
download | mongo-5f41ed605c9852d7e11275527bd7373dedd03704.tar.gz |
SERVER-36149: Make $setFeatureCompatibilityVersion a non-normal resource
-rw-r--r-- | jstests/auth/lib/commands_lib.js | 2 | ||||
-rw-r--r-- | src/mongo/db/auth/authorization_session.cpp | 7 |
2 files changed, 7 insertions, 2 deletions
diff --git a/jstests/auth/lib/commands_lib.js b/jstests/auth/lib/commands_lib.js
index 092856a4170..97be3e19890 100644
--- a/jstests/auth/lib/commands_lib.js
+++ b/jstests/auth/lib/commands_lib.js
@@ -4874,7 +4874,7 @@ var authCommandsLib = {
 testcases: [
 {
 runOnDb: adminDbName,
- roles: Object.extend({readWriteAnyDatabase: 1}, roles_clusterManager),
+ roles: roles_clusterManager,
 privileges: [{
 resource: {db: '$setFeatureCompatibilityVersion', collection: 'version'},
 actions: ['update']
diff --git a/src/mongo/db/auth/authorization_session.cpp b/src/mongo/db/auth/authorization_session.cpp
index 6b3e0800c2f..f755ed561d7 100644
--- a/src/mongo/db/auth/authorization_session.cpp
+++ b/src/mongo/db/auth/authorization_session.cpp
@@ -753,7 +753,12 @@ static int buildResourceSearchList(const ResourcePattern& target,
 // Some databases should not be matchable with ResourcePattern::forAnyNormalResource.
 // 'local' and 'config' are used to store special system collections, which user level
 // administrators should not be able to manipulate.
- if (target.ns().db() != "local" && target.ns().db() != "config") {
+ // '$setFeatureCompatibilityVersion' is a virtual database that
+ // setFeatureCompatibilityVersion performs auth checks against. When this command was
+ // first written, there was a moratorium on creating new ActionTypes. SERVER-31983
+ // introduced the ActionType after the moratorium expired.
+ if (target.ns().db() != "local" && target.ns().db() != "config" &&
+ target.ns().db() != "$setFeatureCompatibilityVersion") {
 resourceSearchList[size++] = ResourcePattern::forAnyNormalResource();
 }
 resourceSearchList[size++] = ResourcePattern::forDatabaseName(target.ns().db()); |
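Review bot: In the authorization_session.cpp hunk, the exclusion of `$setFeatureCompatibilityVersion` from `ResourcePattern::forAnyNormalResource()` is a third comparison against a bare string literal, so a typo here or a later rename on the command side would quietly restore the broad match this commit removes for `readWriteAnyDatabase`. Hoisting the name and keeping the excluded databases together makes that harder to get wrong: `const auto db = target.ns().db();` then `if (db != "local" && db != "config" && db != "$setFeatureCompatibilityVersion") {`, ideally using a shared constant for the virtual database name if the command's auth check defines one (not visible here). The new comment records the history but not the consequence; I would add `// Without this exclusion, a role holding 'update' on any normal resource would satisfy the setFeatureCompatibilityVersion auth check.` buildResourceSearchList starts and ends outside the hunk, so any other branch there that appends forAnyNormalResource should be checked for the same three-name exclusion.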