authorAndrew Shuvalov <andrew.shuvalov@mongodb.com>2021-02-23 17:35:28 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2021-03-10 02:39:26 +0000
commitf12e33e8bcc2de31d9018383c5a80400432e156a (patch)
tree704048e7123c6f2681559fb33af19544c5074124
parent0cde744f93ba588956d13fafa9cd74b0ded9334a (diff)
SERVER-54650: Make recipientSyncData and recipientForgetMigration require runTenantMigration action type
-rw-r--r--jstests/auth/lib/commands_lib.js46
-rw-r--r--src/mongo/db/commands/tenant_migration_donor_cmds.cpp8
-rw-r--r--src/mongo/db/commands/tenant_migration_recipient_cmds.cpp21
3 files changed, 67 insertions, 8 deletions
diff --git a/jstests/auth/lib/commands_lib.js b/jstests/auth/lib/commands_lib.js
index c1a279bc5f7..d55d75dc499 100644
--- a/jstests/auth/lib/commands_lib.js
+++ b/jstests/auth/lib/commands_lib.js
@@ -3420,6 +3420,52 @@ var authCommandsLib = {
]
},
{
+ testname: "recipientSyncData",
+ command: {
+ recipientSyncData: 1,
+ migrationId: UUID(),
+ donorConnectionString: "donor-rs/localhost:1234",
+ tenantId: "testTenantId",
+ readPreference: {mode: "primary"},
+ startMigrationDonorTimestamp: Timestamp(1, 1),
+ recipientCertificateForDonor: migrationCertificates.recipientCertificateForDonor,
+ },
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_clusterManager,
+ privileges: [{resource: {cluster: true}, actions: ["runTenantMigration"]}],
+ // Cannot start tenant migration on a standalone mongod.
+ expectFail: true,
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
+ testname: "recipientForgetMigration",
+ command: {
+ recipientForgetMigration: 1,
+ migrationId: UUID(),
+ donorConnectionString: "donor-rs/localhost:1234",
+ tenantId: "testTenantId",
+ readPreference: {mode: "primary"},
+ },
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: adminDbName,
+ roles: roles_clusterManager,
+ privileges: [{resource: {cluster: true}, actions: ["runTenantMigration"]}],
+ // This is expected to fail with InvalidOptions without cluster certificate.
+ expectFail: true,
+ },
+ {runOnDb: firstDbName, roles: {}},
+ {runOnDb: secondDbName, roles: {}}
+ ]
+ },
+ {
testname: "drop",
command: {drop: "x"},
setup: function(db) {
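Review bot: Both new authorized testcases (the `roles_clusterManager` entries for `recipientSyncData` and `recipientForgetMigration`) set `expectFail: true`, so nothing here ever observes either command succeeding for a holder of `runTenantMigration`. The privilege check is therefore only shown indirectly, by the command failing with something other than an authorization error, which is presumably how the harness treats `expectFail`. The second comment names the expected error; I would make the first do the same and state the intent, e.g. `// Authorized, but fails after the auth check: cannot start a tenant migration on a standalone mongod.`. `migrationCertificates` is referenced but not defined in this hunk, so I am assuming it is declared earlier in the file; the `authCommandsLib` array itself continues outside the hunk.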
diff --git a/src/mongo/db/commands/tenant_migration_donor_cmds.cpp b/src/mongo/db/commands/tenant_migration_donor_cmds.cpp
index 6814c2a2db5..99901b57108 100644
--- a/src/mongo/db/commands/tenant_migration_donor_cmds.cpp
+++ b/src/mongo/db/commands/tenant_migration_donor_cmds.cpp
@@ -125,7 +125,8 @@ public:
return response;
}
- void doCheckAuthorization(OperationContext* opCtx) const {
+ private:
+ void doCheckAuthorization(OperationContext* opCtx) const final {
uassert(ErrorCodes::Unauthorized,
"Unauthorized",
AuthorizationSession::get(opCtx->getClient())
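Review bot: `doCheckAuthorization` is now marked `final` while the neighbouring `supportsWriteConcern()` in the same class uses `override`, and nothing in the file says why the two differ. The old declaration carried neither specifier, so a signature drift from the base class would have compiled into a separate, never-called method and silently dropped the check; `final` without `virtual` closes that gap because it is ill-formed unless the function overrides a virtual. I would record the intent next to it, e.g. `// final: the authorization check must override the base hook and must not be replaced further down.`. The same applies to the hunks at -195 and -283, and the function body here continues past the end of this hunk.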
@@ -133,7 +134,6 @@ public:
ActionType::runTenantMigration));
}
- private:
bool supportsWriteConcern() const override {
return false;
}
@@ -195,7 +195,7 @@ public:
}
private:
- void doCheckAuthorization(OperationContext* opCtx) const {
+ void doCheckAuthorization(OperationContext* opCtx) const final {
uassert(ErrorCodes::Unauthorized,
"Unauthorized",
AuthorizationSession::get(opCtx->getClient())
@@ -283,7 +283,7 @@ public:
}
private:
- void doCheckAuthorization(OperationContext* opCtx) const {
+ void doCheckAuthorization(OperationContext* opCtx) const final {
uassert(ErrorCodes::Unauthorized,
"Unauthorized",
AuthorizationSession::get(opCtx->getClient())
diff --git a/src/mongo/db/commands/tenant_migration_recipient_cmds.cpp b/src/mongo/db/commands/tenant_migration_recipient_cmds.cpp
index d8a917e5c3d..6a26c8c9fec 100644
--- a/src/mongo/db/commands/tenant_migration_recipient_cmds.cpp
+++ b/src/mongo/db/commands/tenant_migration_recipient_cmds.cpp
@@ -28,6 +28,7 @@
*/
#define MONGO_LOGV2_DEFAULT_COMPONENT ::mongo::logv2::LogComponent::kCommand
+#include "mongo/db/auth/authorization_session.h"
#include "mongo/db/commands.h"
#include "mongo/db/commands/feature_compatibility_version_parser.h"
#include "mongo/db/commands/tenant_migration_donor_cmds_gen.h"
@@ -128,9 +129,15 @@ public:
}
}
- void doCheckAuthorization(OperationContext* opCtx) const {}
-
private:
+ void doCheckAuthorization(OperationContext* opCtx) const final {
+ uassert(ErrorCodes::Unauthorized,
+ "Unauthorized",
+ AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::runTenantMigration));
+ }
+
bool supportsWriteConcern() const override {
return false;
}
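Review bot: The `uassert` added to `doCheckAuthorization` here is the same one the hunk at -204 adds, and the donor commands in tenant_migration_donor_cmds.cpp appear to carry it too, so five command classes would each hold their own copy of the privilege decision. I would move it into one shared helper and have each override delegate, e.g. `void doCheckAuthorization(OperationContext* opCtx) const final { assertAuthorizedForTenantMigration(opCtx); }` (the helper name is only a suggestion). That way a later change to the required action or resource cannot leave one command on the old rule. The message string `"Unauthorized"` also gives an operator little to triage with; naming the command and the missing `runTenantMigration` action would make denied calls easier to attribute in logs. The enclosing class starts before this hunk and continues after it.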
@@ -204,9 +211,15 @@ public:
recipientInstance->getCompletionFuture().get(opCtx);
}
- void doCheckAuthorization(OperationContext* opCtx) const {}
-
private:
+ void doCheckAuthorization(OperationContext* opCtx) const final {
+ uassert(ErrorCodes::Unauthorized,
+ "Unauthorized",
+ AuthorizationSession::get(opCtx->getClient())
+ ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::runTenantMigration));
+ }
+
bool supportsWriteConcern() const override {
return false;
}