author | Andrew Shuvalov <andrew.shuvalov@mongodb.com> | 2021-02-23 17:35:28 +0000 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2021-03-10 02:39:26 +0000 |
commit | f12e33e8bcc2de31d9018383c5a80400432e156a (patch) | |
tree | 704048e7123c6f2681559fb33af19544c5074124 | |
parent | 0cde744f93ba588956d13fafa9cd74b0ded9334a (diff) | |
SERVER-54650: Make recipientSyncData and recipientForgetMigration require runTenantMigration action type
-rw-r--r-- | jstests/auth/lib/commands_lib.js | 46 | ||||
-rw-r--r-- | src/mongo/db/commands/tenant_migration_donor_cmds.cpp | 8 | ||||
-rw-r--r-- | src/mongo/db/commands/tenant_migration_recipient_cmds.cpp | 21 |
3 files changed, 67 insertions, 8 deletions
diff --git a/jstests/auth/lib/commands_lib.js b/jstests/auth/lib/commands_lib.js index c1a279bc5f7..d55d75dc499 100644 --- a/jstests/auth/lib/commands_lib.js +++ b/jstests/auth/lib/commands_lib.js @@ -3420,6 +3420,52 @@ var authCommandsLib = { ] }, { + testname: "recipientSyncData", + command: { + recipientSyncData: 1, + migrationId: UUID(), + donorConnectionString: "donor-rs/localhost:1234", + tenantId: "testTenantId", + readPreference: {mode: "primary"}, + startMigrationDonorTimestamp: Timestamp(1, 1), + recipientCertificateForDonor: migrationCertificates.recipientCertificateForDonor, + }, + skipSharded: true, + testcases: [ + { + runOnDb: adminDbName, + roles: roles_clusterManager, + privileges: [{resource: {cluster: true}, actions: ["runTenantMigration"]}], + // Cannot start tenant migration on a standalone mongod. + expectFail: true, + }, + {runOnDb: firstDbName, roles: {}}, + {runOnDb: secondDbName, roles: {}} + ] + }, + { + testname: "recipientForgetMigration", + command: { + recipientForgetMigration: 1, + migrationId: UUID(), + donorConnectionString: "donor-rs/localhost:1234", + tenantId: "testTenantId", + readPreference: {mode: "primary"}, + }, + skipSharded: true, + testcases: [ + { + runOnDb: adminDbName, + roles: roles_clusterManager, + privileges: [{resource: {cluster: true}, actions: ["runTenantMigration"]}], + // This is expected to fail with InvalidOptions without cluster certificate. + expectFail: true, + }, + {runOnDb: firstDbName, roles: {}}, + {runOnDb: secondDbName, roles: {}} + ] + }, + { testname: "drop", command: {drop: "x"}, setup: function(db) { diff --git a/src/mongo/db/commands/tenant_migration_donor_cmds.cpp b/src/mongo/db/commands/tenant_migration_donor_cmds.cpp index 6814c2a2db5..99901b57108 100644 --- a/src/mongo/db/commands/tenant_migration_donor_cmds.cpp +++ b/src/mongo/db/commands/tenant_migration_donor_cmds.cpp 
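Review bot: Both authorized test cases in the new `recipientSyncData` and `recipientForgetMigration` entries set `expectFail: true`, so as far as this hunk shows neither command is ever observed succeeding for a user who holds `runTenantMigration`. The entries check the authorization decision and a later non-authorization failure, not a completed call. If the success path is covered by a replica-set suite elsewhere, a comment next to each `expectFail` would record that, for example `// Success under runTenantMigration is covered by <suite name>; only the auth decision is checked here.` `migrationCertificates` is defined outside the hunk, so this assumes it is already in scope where the table is built.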
@@ -125,7 +125,8 @@ public: return response; } - void doCheckAuthorization(OperationContext* opCtx) const { + private: + void doCheckAuthorization(OperationContext* opCtx) const final { uassert(ErrorCodes::Unauthorized, "Unauthorized", AuthorizationSession::get(opCtx->getClient()) @@ -133,7 +134,6 @@ public: ActionType::runTenantMigration)); } - private: bool supportsWriteConcern() const override { return false; } @@ -195,7 +195,7 @@ public: } private: - void doCheckAuthorization(OperationContext* opCtx) const { + void doCheckAuthorization(OperationContext* opCtx) const final { uassert(ErrorCodes::Unauthorized, "Unauthorized", AuthorizationSession::get(opCtx->getClient()) @@ -283,7 +283,7 @@ public: } private: - void doCheckAuthorization(OperationContext* opCtx) const { + void doCheckAuthorization(OperationContext* opCtx) const final { uassert(ErrorCodes::Unauthorized, "Unauthorized", AuthorizationSession::get(opCtx->getClient()) diff --git a/src/mongo/db/commands/tenant_migration_recipient_cmds.cpp b/src/mongo/db/commands/tenant_migration_recipient_cmds.cpp index d8a917e5c3d..6a26c8c9fec 100644 --- a/src/mongo/db/commands/tenant_migration_recipient_cmds.cpp +++ b/src/mongo/db/commands/tenant_migration_recipient_cmds.cpp @@ -28,6 +28,7 @@ */ #define MONGO_LOGV2_DEFAULT_COMPONENT ::mongo::logv2::LogComponent::kCommand +#include "mongo/db/auth/authorization_session.h" #include "mongo/db/commands.h" #include "mongo/db/commands/feature_compatibility_version_parser.h" #include "mongo/db/commands/tenant_migration_donor_cmds_gen.h" 
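Review bot: The `doCheckAuthorization` overrides in the three hunks of tenant_migration_donor_cmds.cpp each carry their own `uassert` on `ActionType::runTenantMigration`, and the two recipient hunks in tenant_migration_recipient_cmds.cpp add the same five lines again, so the privilege for tenant-migration commands is spelled out in five places. One shared helper that every override calls would leave a single point to audit and would make a command with an empty or divergent check easier to spot in review. Only the opening lines of each donor body fall inside the hunks, so their being identical to the recipient copies is inferred from the visible fragments. The helper name in the sketch is a suggestion, not an existing function.

```cpp
// Suggested shared helper (name is a placeholder), declared once where both command files can see it.
inline void assertAuthorizedForTenantMigration(OperationContext* opCtx) {
    uassert(ErrorCodes::Unauthorized,
            "Unauthorized",
            AuthorizationSession::get(opCtx->getClient())
                ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
                                                   ActionType::runTenantMigration));
}

// … unchanged: rest of each invocation class …
void doCheckAuthorization(OperationContext* opCtx) const final {
    assertAuthorizedForTenantMigration(opCtx);
}
```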
@@ -128,9 +129,15 @@ public: } } - void doCheckAuthorization(OperationContext* opCtx) const {} - private: + void doCheckAuthorization(OperationContext* opCtx) const final { + uassert(ErrorCodes::Unauthorized, + "Unauthorized", + AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::runTenantMigration)); + } + bool supportsWriteConcern() const override { return false; } @@ -204,9 +211,15 @@ public: recipientInstance->getCompletionFuture().get(opCtx); } - void doCheckAuthorization(OperationContext* opCtx) const {} - private: + void doCheckAuthorization(OperationContext* opCtx) const final { + uassert(ErrorCodes::Unauthorized, + "Unauthorized", + AuthorizationSession::get(opCtx->getClient()) + ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(), + ActionType::runTenantMigration)); + } + bool supportsWriteConcern() const override { return false; } |
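Review bot: Neither new `doCheckAuthorization` in these two hunks says why a cluster-scoped privilege is required, and the body alone does not explain it. Judging by the test command in jstests/auth/lib/commands_lib.js, `recipientSyncData` takes a caller-supplied `donorConnectionString` and certificate, so presumably the check is what keeps an ordinary authenticated user from choosing the donor this node syncs from. A comment above the `uassert` in both places would record that, for example `// Cluster-scoped: the caller picks the donor this node talks to, so only runTenantMigration holders may invoke it.` The enclosing invocation classes begin outside the hunks, so whether any other command in this file still has an empty check cannot be confirmed from here.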