author | Sara Golemon <sara.golemon@mongodb.com> | 2022-06-28 17:20:38 -0500 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2022-07-29 03:01:45 +0000 |
commit | 1177192f57b0cec44a0984d2c833fdf4b733224a (patch) | |
tree | a2869c361fb5162814078ea070109495a393409a /jstests | |
parent | b8f9163fe3316a0287ddb056a7adb3d44b3e2a1f (diff) | |
SERVER-66651 restore builtin role needs applyOps permissions
(cherry picked from commit 0ba2a32577ed1d8b2bcf33ca195dce5516a484be)
Diffstat (limited to 'jstests')
-rw-r--r-- | jstests/auth/lib/commands_lib.js | 16 | ||||
-rw-r--r-- | jstests/auth/restore_role_create_collection_via_apply_ops.js | 61 |
2 files changed, 70 insertions, 7 deletions
diff --git a/jstests/auth/lib/commands_lib.js b/jstests/auth/lib/commands_lib.js
index 4c0c26e8e7a..a9b2a6960cc 100644
--- a/jstests/auth/lib/commands_lib.js
+++ b/jstests/auth/lib/commands_lib.js
@@ -371,7 +371,8 @@ var authCommandsLib = {
 roles: {
 dbAdminAnyDatabase: 1,
 root: 1,
- __system: 1
+ __system: 1,
+ restore: 1,
 },
 privileges: [
 {resource: {db: firstDbName, collection: "x"}, actions: ["createCollection"]},
@@ -400,7 +401,7 @@ var authCommandsLib = {
 testcases: [
 {
 runOnDb: adminDbName,
- roles: {__system: 1, root: 1},
+ roles: {__system: 1, root: 1, restore: 1},
 privileges: [
 {resource: {db: firstDbName, collection: "x"}, actions: ["createCollection"]},
 {resource: {cluster: true}, actions: ["useUUID", "forceUUID", "applyOps"]},
@@ -458,7 +459,8 @@ var authCommandsLib = {
 roles: {
 dbAdminAnyDatabase: 1,
 root: 1,
- __system: 1
+ __system: 1,
+ restore: 1,
 },
 privileges: [
 {resource: {db: firstDbName, collection: "x"}, actions: ["dropCollection"]},
@@ -497,7 +499,7 @@ var authCommandsLib = {
 testcases: [
 {
 runOnDb: adminDbName,
- roles: {__system: 1, root: 1},
+ roles: {__system: 1, root: 1, restore: 1},
 privileges: [
 {resource: {db: firstDbName, collection: "x"}, actions: ["dropCollection"]},
 {resource: {cluster: true}, actions: ["useUUID", "applyOps"]},
@@ -623,7 +625,7 @@ var authCommandsLib = {
 testcases: [
 {
 runOnDb: adminDbName,
- roles: {__system: 1, root: 1},
+ roles: {__system: 1, root: 1, restore: 1},
 privileges: [
 {resource: {db: firstDbName, collection: "x"}, actions: ["insert"]},
 {resource: {cluster: true}, actions: ["applyOps"]},
@@ -659,7 +661,7 @@ var authCommandsLib = {
 testcases: [
 {
 runOnDb: adminDbName,
- roles: {__system: 1, root: 1},
+ roles: {__system: 1, root: 1, restore: 1},
 privileges: [
 {resource: {db: firstDbName, collection: "x"}, actions: ["insert"]},
 {resource: {cluster: true}, actions: ["useUUID", "applyOps"]},
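Review bot: In the `@@ -400` hunk the testcase's cluster privileges are `useUUID`, `forceUUID` and `applyOps`, so listing `restore: 1` there asserts that the built-in role passes all three checks, while the commit title names only applyOps. The role definition is outside this jstests-only view, so it is worth confirming which of those actions the role gained in this change and recording it beside the entry, e.g. `// restore: applyOps on cluster granted by SERVER-66651`. The same question applies to the `@@ -497`, `@@ -659` and `@@ -699` hunks, whose testcases require `useUUID` together with `applyOps`. Each of these testcase objects starts and ends outside its hunk.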
@@ -699,7 +701,7 @@ var authCommandsLib = {
 // failure.
 expectFail: true,
 runOnDb: adminDbName,
- roles: {__system: 1, root: 1},
+ roles: {__system: 1, root: 1, restore: 1},
 privileges: [
 {resource: {db: firstDbName, collection: "x"}, actions: ["insert"]},
 {resource: {cluster: true}, actions: ["useUUID", "applyOps"]},
diff --git a/jstests/auth/restore_role_create_collection_via_apply_ops.js b/jstests/auth/restore_role_create_collection_via_apply_ops.js
new file mode 100644
index 00000000000..be30be7db47
--- /dev/null
+++ b/jstests/auth/restore_role_create_collection_via_apply_ops.js
@@ -0,0 +1,61 @@
+// Verify that mongorestore can create a collection via applyOps
+
+(function() {
+'use strict';
+
+function makeCreateOp(collName, uuid = undefined) {
+ const op = {
+ op: 'c',
+ ns: 'test.$cmd',
+ o: {
+ create: collName,
+ idIndex: {
+ key: {_id: 1},
+ v: 2,
+ name: "_id_",
+ ns: "test." + collName,
+ },
+ },
+ };
+ if (uuid) {
+ op.ui = uuid;
+ }
+ return op;
+}
+
+function assertHasCollection(db, collName, expectUUID = undefined) {
+ const colls = db.getCollectionInfos({name: collName});
+ assert.eq(colls.length, 1, colls);
+ if (expectUUID !== undefined) {
+ assert.eq(colls[0].info.uuid, expectUUID, colls);
+ }
+}
+
+function runTest(conn) {
+ const admin = conn.getDB('admin');
+ const test = conn.getDB('test');
+ assert.commandWorked(admin.runCommand({createUser: 'admin', pwd: 'admin', roles: ['root']}));
+ assert(admin.auth('admin', 'admin'));
+
+ assert.commandWorked(
+ admin.runCommand({createUser: 'restore1', pwd: 'pwd', roles: ['restore']}));
+ admin.logout();
+
+ assert(admin.auth('restore1', 'pwd'));
+
+ // Simple create collection op.
+ assert.commandWorked(admin.runCommand({applyOps: [makeCreateOp('test1')]}));
+ assertHasCollection(test, 'test1');
+
+ // Create collection with UUID.
+ const kSpecificUUID = UUID();
+ assert.commandWorked(admin.runCommand({applyOps: [makeCreateOp('test2', kSpecificUUID)]}));
+ assertHasCollection(test, 'test2', kSpecificUUID);
+
+ admin.logout();
+}
+
+const standalone = MongoRunner.runMongod({auth: ''});
+runTest(standalone);
+MongoRunner.stopMongod(standalone);
+})();
\ No newline at end of file |
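Review bot: runTest only asserts that `restore1` succeeds, so it would still pass if applyOps were authorized for every authenticated user; a control user whose role is absent from the applyOps entries in commands_lib.js (for example `backup`) should be shown to fail with `ErrorCodes.Unauthorized`. The header comment also says mongorestore, but the test never runs that tool and could read `// Verify that the built-in restore role can create a collection via applyOps`. A sketch of the control case, placed just before the closing brace of runTest, follows.

```javascript
    // … unchanged: restore1 create-collection checks …
    admin.logout();

    // Control: a role that is not expected to hold applyOps must be rejected.
    assert(admin.auth('admin', 'admin'));
    assert.commandWorked(
        admin.runCommand({createUser: 'backup1', pwd: 'pwd', roles: ['backup']}));
    admin.logout();

    assert(admin.auth('backup1', 'pwd'));
    assert.commandFailedWithCode(admin.runCommand({applyOps: [makeCreateOp('test3')]}),
                                 ErrorCodes.Unauthorized);
    admin.logout();
```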