SERVER-28334 startSession command

2 files changed, 9 insertions, 0 deletions

diff --git a/src/mongo/db/auth/action_types.txt b/src/mongo/db/auth/action_types.txt
index 3800e3c5382..dd9e6a9c8cc 100644
--- a/src/mongo/db/auth/action_types.txt
+++ b/src/mongo/db/auth/action_types.txt
@@ -101,6 +101,7 @@
 "shutdown",
 "splitChunk",
 "splitVector",
+"startSession",
 "storageDetails",
 "top",
 "touch",
diff --git a/src/mongo/db/auth/role_graph_builtin_roles.cpp b/src/mongo/db/auth/role_graph_builtin_roles.cpp
index 6273f4505f5..a9ee381c277 100644
--- a/src/mongo/db/auth/role_graph_builtin_roles.cpp
+++ b/src/mongo/db/auth/role_graph_builtin_roles.cpp
@@ -648,6 +648,11 @@ void addInternalRolePrivileges(PrivilegeVector* privileges) {
     RoleGraph::generateUniversalPrivileges(privileges);
 }
 
+void addAnyBuiltinRolePrivileges(PrivilegeVector* privileges) {
+    Privilege::addPrivilegeToPrivilegeVector(
+        privileges, Privilege(ResourcePattern::forClusterResource(), ActionType::startSession));
+}
+
 }  // namespace
 
 bool RoleGraph::addPrivilegesForBuiltinRole(const RoleName& roleName, PrivilegeVector* result) {
@@ -692,6 +697,9 @@ bool RoleGraph::addPrivilegesForBuiltinRole(const RoleName& roleName, PrivilegeV
     } else {
         return false;
     }
+
+    // One of the roles has matched, otherwise we would have returned already.
+    addAnyBuiltinRolePrivileges(result);
     return true;
 }