authorSpencer Jackson <spencer.jackson@mongodb.com>2015-12-14 12:22:16 -0500
committerSpencer Jackson <spencer.jackson@mongodb.com>2016-01-07 17:01:09 -0500
commit22b6f8af8c770f51f68b81059af2541429ae880e (patch)
tree506e0ccebba1d6b758a926da6c69e8b3398fbac2
parente47291432ae065ff8103e8e598fa6402e4352245 (diff)
SERVER-21724 Let backup role read system.profile
(cherry picked from commit 21bcf6b127c1bb24e74845327e8d20df26e560bc)
-rw-r--r--jstests/auth/lib/commands_lib.js2
-rw-r--r--jstests/tool/dumpauth.js35
-rw-r--r--src/mongo/db/auth/role_graph_builtin_roles.cpp4
3 files changed, 27 insertions, 14 deletions
diff --git a/jstests/auth/lib/commands_lib.js b/jstests/auth/lib/commands_lib.js
index dc8719c4304..b42959d95c4 100644
--- a/jstests/auth/lib/commands_lib.js
+++ b/jstests/auth/lib/commands_lib.js
@@ -1822,6 +1822,7 @@ var authCommandsLib = {
{
runOnDb: firstDbName,
roles: {
+ backup: 1,
dbAdmin: 1,
dbAdminAnyDatabase: 1,
dbOwner: 1,
@@ -1838,6 +1839,7 @@ var authCommandsLib = {
{
runOnDb: secondDbName,
roles: {
+ backup: 1,
dbAdminAnyDatabase: 1,
clusterMonitor: 1,
clusterAdmin: 1,
diff --git a/jstests/tool/dumpauth.js b/jstests/tool/dumpauth.js
index 5edfe1e9f52..ba8ee9a5f81 100644
--- a/jstests/tool/dumpauth.js
+++ b/jstests/tool/dumpauth.js
@@ -4,6 +4,8 @@
var m = MongoRunner.runMongod({auth: "", bind_ip: "127.0.0.1"});
var dbName = "admin"
var colName = "testcol"
+var profileName = "system.profile"
+var dumpDir = MongoRunner.dataPath + "jstests_tool_dumprestore_dump_system_profile/";
db = m.getDB(dbName);
db.createUser({user: "testuser" , pwd: "testuser", roles: jsTest.adminUserRoles});
@@ -11,27 +13,32 @@ assert( db.auth( "testuser" , "testuser" ) , "auth failed" );
t = db[colName];
t.drop();
+profile = db[profileName];
+profile.drop();
+// Activate profiling, to ensure that system.profile can be dumped with the backup role
+db.setProfilingLevel(2);
+
+// Populate the database
for(var i = 0; i < 100; i++) {
t.save({ "x": i });
}
+assert.gt(profile.count(), 0, "admin.system.profile should have documents");
+assert.eq(t.count(), 100, "testcol should have documents");
+
+// Create a user with backup permissions
+db.createUser({user: "backup" , pwd: "password", roles: ["backup"]});
+// Backup the database with the backup user
x = runMongoProgram( "mongodump",
"--db", dbName,
+ "--out", dumpDir,
"--authenticationDatabase=admin",
- "-u", "testuser",
- "-p", "testuser",
- "-h", "127.0.0.1:"+m.port,
- "--collection", colName);
+ "-u", "backup",
+ "-p", "password",
+ "-h", "127.0.0.1:"+m.port);
assert.eq(x, 0, "mongodump should succeed with authentication");
-// SERVER-5233: mongodump with authentication breaks when using "--out -"
-x = runMongoProgram( "mongodump",
- "--db", dbName,
- "--authenticationDatabase=admin",
- "-u", "testuser",
- "-p", "testuser",
- "-h", "127.0.0.1:"+m.port,
- "--collection", colName,
- "--out", "-" );
-assert.eq(x, 0, "mongodump should succeed with authentication while using '--out'");
+// Assert that a BSON document for admin.system.profile has been produced
+x = runMongoProgram( "bsondump", dumpDir + "/" + dbName + "/" + profileName + ".bson" );
+assert.eq(x, 0, "bsondump should succeed parsing the profile data");
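Review bot: The closing `bsondump` check only proves that a `system.profile.bson` file exists under `dumpDir` and parses, and `dumpDir` is never cleared before the dump, so a file left by an earlier run could satisfy it even if the backup user read nothing from the profiler collection. Adding `resetDbpath(dumpDir);` before the `mongodump` call would close that gap. A negative case, where a user without the backup role is expected to fail the same dump, would show that the new grant is what makes it pass. The rewrite also drops the SERVER-5233 `--out -` invocation; if that regression still matters, it should stay as a separate authenticated run rather than disappear with this change.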
diff --git a/src/mongo/db/auth/role_graph_builtin_roles.cpp b/src/mongo/db/auth/role_graph_builtin_roles.cpp
index e55353681ee..73f1afe3f76 100644
--- a/src/mongo/db/auth/role_graph_builtin_roles.cpp
+++ b/src/mongo/db/auth/role_graph_builtin_roles.cpp
@@ -444,6 +444,10 @@ void addBackupPrivileges(PrivilegeVector* privileges) {
Privilege::addPrivilegeToPrivilegeVector(
privileges,
+ Privilege(ResourcePattern::forCollectionName("system.profile"), ActionType::find));
+
+ Privilege::addPrivilegeToPrivilegeVector(
+ privileges,
Privilege(
ResourcePattern::forExactNamespace(AuthorizationManager::usersAltCollectionNamespace),
ActionType::find));
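Review bot: The new `system.profile` grant in `addBackupPrivileges` has no comment saying why the backup role needs it or how wide it is. `ResourcePattern::forCollectionName` matches that collection name in every database, and profiler documents record other users' operations, so the scope deserves a line above the call, e.g. `// SERVER-21724: let mongodump running as backup read profiler data; matches system.profile in every database, find only.` Keeping the action to `ActionType::find` looks appropriate for a dump. The function starts and ends outside this hunk, so how this entry overlaps with the role's other grants cannot be checked from here.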