authorRushan Chen <rushan.chen@mongodb.com>2021-12-15 12:36:17 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2021-12-15 12:58:00 +0000
commitc24456d983d06ad8836cebcb91acaae19610a2bc (patch)
treecd162fc90f159217cdae256d369f6278bd1a7139
parent5ea60d80e447afdb10eeb07347cd778112343cff (diff)
downloadmongo-c24456d983d06ad8836cebcb91acaae19610a2bc.tar.gz
SERVER-61931 add additional privileges on system_buckets collection for cluster manager role
-rw-r--r--src/mongo/db/auth/builtin_roles.cpp3
-rw-r--r--src/mongo/db/auth/builtin_roles_test.cpp26
2 files changed, 28 insertions, 1 deletions
diff --git a/src/mongo/db/auth/builtin_roles.cpp b/src/mongo/db/auth/builtin_roles.cpp
index d210914a6f9..74461687ad5 100644
--- a/src/mongo/db/auth/builtin_roles.cpp
+++ b/src/mongo/db/auth/builtin_roles.cpp
@@ -457,6 +457,9 @@ void addClusterManagerPrivileges(PrivilegeVector* privileges) {
Privilege(ResourcePattern::forAnyNormalResource(), clusterManagerRoleDatabaseActions));
Privilege::addPrivilegeToPrivilegeVector(
privileges,
+ Privilege(ResourcePattern::forAnySystemBuckets(), clusterManagerRoleDatabaseActions));
+ Privilege::addPrivilegeToPrivilegeVector(
+ privileges,
Privilege(ResourcePattern::forDatabaseName("config"), clusterManagerRoleDatabaseActions));
Privilege::addPrivilegeToPrivilegeVector(
privileges,
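Review bot: The new forAnySystemBuckets() grant at the second added line has no comment saying why clusterManager now needs sharding actions on every `system.buckets.*` namespace in every database, and a wildcard widening of a built-in role's resource scope is exactly what a later reader or auditor will stop on. From this hunk the intent appears to be giving time-series bucket collections the same chunk and shard-key actions already granted through forAnyNormalResource(), presumably because system.* namespaces fall outside the normal-resource pattern — confirm against ResourcePattern before wording it as fact. Say so in place: `// Time-series collections live in system.buckets.* namespaces, which forAnyNormalResource() does not cover; grant the same sharding actions there.` Because this reuses clusterManagerRoleDatabaseActions verbatim the role gains no new action types, only wider resource scope, but any future addition to that action set will silently apply to the buckets grant as well. addClusterManagerPrivileges begins before and continues after this hunk.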
diff --git a/src/mongo/db/auth/builtin_roles_test.cpp b/src/mongo/db/auth/builtin_roles_test.cpp
index 283c7f57df7..3ae43f1c2a6 100644
--- a/src/mongo/db/auth/builtin_roles_test.cpp
+++ b/src/mongo/db/auth/builtin_roles_test.cpp
@@ -92,7 +92,7 @@ TEST(BuiltinRoles, getBuiltinRolesForDB) {
ASSERT_GTE(adminRoles.size(), testRoles.size());
}
-TEST(BuiltinRoles, addPrivilegsForBuiltinRole) {
+TEST(BuiltinRoles, addPrivilegesForBuiltinRole) {
PrivilegeVector privs;
ASSERT(auth::addPrivilegesForBuiltinRole(RoleName("read", "admin"), &privs));
ASSERT_EQ(privs.size(), 2);
@@ -120,5 +120,29 @@ TEST(BuiltinRoles, addPrivilegsForBuiltinRole) {
}
}
+TEST(BuiltinRoles, addSystemBucketsPrivilegesForBuiltinRoleClusterManager) {
+ PrivilegeVector privs;
+ ASSERT(auth::addPrivilegesForBuiltinRole(RoleName("clusterManager", "admin"), &privs));
+ ASSERT_EQ(privs.size(), 9);
+
+ const auto systemBucketsResourcePattern = ResourcePattern::forAnySystemBuckets();
+
+ const ActionSet clusterManagerRoleDatabaseActionSet({
+ ActionType::clearJumboFlag,
+ ActionType::splitChunk,
+ ActionType::moveChunk,
+ ActionType::enableSharding,
+ ActionType::splitVector,
+ ActionType::refineCollectionShardKey,
+ ActionType::reshardCollection,
+ });
+
+ for (const auto& priv : privs) {
+ auto resourcePattern = priv.getResourcePattern();
+ if (resourcePattern == systemBucketsResourcePattern) {
+ ASSERT(priv.getActions() == clusterManagerRoleDatabaseActionSet);
+ }
+ }
+}
} // namespace
} // namespace mongo
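Review bot: The loop over privs in addSystemBucketsPrivilegesForBuiltinRoleClusterManager passes vacuously when no privilege carries the forAnySystemBuckets() pattern, because the only assertion about the action set sits inside the `if` and nothing records that the branch ever ran, so reverting the builtin_roles.cpp change (or granting the wrong pattern) would leave this test green apart from the count check. Track the match: `bool sawSystemBuckets = false;` before the loop, `sawSystemBuckets = true;` beside the ASSERT inside the `if`, and `ASSERT(sawSystemBuckets);` after the loop. The hard-coded `ASSERT_EQ(privs.size(), 9)` is the only thing that currently fails on a revert, and it is brittle against unrelated edits to the role; if it is meant as a deliberate guard against accidental privilege growth, a one-line comment saying so would spare the next person who has to bump it from deleting it instead.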