authorSpencer Jackson <spencer.jackson@mongodb.com>2016-07-11 13:50:21 -0400
committerSpencer Jackson <spencer.jackson@mongodb.com>2016-07-29 15:51:21 -0400
commit9380a1c12a19a061eaafabb5f6b9e87f16a28179 (patch)
tree9d2dec0ecb977c7555f9d74108da3a4c68586cad /src/mongo/db/commands/current_op.cpp
parent3cca3da0ad890c8272f56e18f8066c472b2a25f4 (diff)
SERVER-17856: Allow mongod users to currentOp and killOp own operations
Diffstat (limited to 'src/mongo/db/commands/current_op.cpp')
-rw-r--r--src/mongo/db/commands/current_op.cpp24
1 files changed, 21 insertions, 3 deletions
diff --git a/src/mongo/db/commands/current_op.cpp b/src/mongo/db/commands/current_op.cpp
index 0e25e16f443..10cf0f81272 100644
--- a/src/mongo/db/commands/current_op.cpp
+++ b/src/mongo/db/commands/current_op.cpp
@@ -69,9 +69,18 @@ public:
Status checkAuthForCommand(ClientBasic* client,
const std::string& dbname,
const BSONObj& cmdObj) final {
- bool isAuthorized = AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
- ResourcePattern::forClusterResource(), ActionType::inprog);
- return isAuthorized ? Status::OK() : Status(ErrorCodes::Unauthorized, "Unauthorized");
+ AuthorizationSession* authzSession = AuthorizationSession::get(client);
+ if (authzSession->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::inprog)) {
+ return Status::OK();
+ }
+
+ bool isAuthenticated = authzSession->getAuthenticatedUserNames().more();
+ if (isAuthenticated && cmdObj["$ownOps"].trueValue()) {
+ return Status::OK();
+ }
+
+ return Status(ErrorCodes::Unauthorized, "Unauthorized");
}
bool run(OperationContext* txn,
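Review bot: The `$ownOps` branch of checkAuthForCommand returns `Status::OK()` to any authenticated user on the strength of a request flag, so it is only safe because run() applies the per-client filter, and nothing here says so. I would add a comment above the `isAuthenticated` check, such as `// Safe only because run() re-reads $ownOps and skips clients not coauthorized with the caller.` The same field is read again with `cmdObj["$ownOps"].trueValue()` in the run() hunk and matched by name in the filter-stripping hunk. A single named constant for `"$ownOps"` would keep the authorization check and the enforcement from drifting apart. run() begins on the last line of this hunk and continues outside it.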
@@ -81,6 +90,7 @@ public:
std::string& errmsg,
BSONObjBuilder& result) final {
const bool includeAll = cmdObj["$all"].trueValue();
+ const bool ownOpsOnly = cmdObj["$ownOps"].trueValue();
// Filter the output
BSONObj filter;
@@ -93,6 +103,8 @@ public:
BSONElement e = i.next();
if (str::equals("$all", e.fieldName())) {
continue;
+ } else if (str::equals("$ownOps", e.fieldName())) {
+ continue;
}
b.append(e);
@@ -115,6 +127,12 @@ public:
invariant(client);
stdx::lock_guard<Client> lk(*client);
+
+ if (ownOpsOnly &&
+ !AuthorizationSession::get(txn->getClient())->isCoauthorizedWithClient(client)) {
+ continue;
+ }
+
const OperationContext* opCtx = client->getOperationContext();
if (!includeAll) {
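Review bot: The `ownOpsOnly` filter depends entirely on `isCoauthorizedWithClient(client)`, whose definition is not part of this diff, so the visibility boundary it enforces is undocumented at the one place that relies on it. If it treats two sessions as coauthorized when they share any single authenticated user, a caller would see operations from a client that shares just one identity while also holding others. That behaviour deserves a short comment above the `if` and a test with multi-user sessions. Separately, `AuthorizationSession::get(txn->getClient())` does not change between iterations and could be fetched once before the loop, e.g. `AuthorizationSession* const callerAuthz = AuthorizationSession::get(txn->getClient());`. The `continue` implies an enclosing per-client loop, which starts and ends outside this hunk, as does run().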