SERVER-53020 Ensure only the atlasAdmin user can run donorStartMigration and donorForgetMigration

3 files changed, 17 insertions, 2 deletions

diff --git a/src/mongo/db/auth/action_type.h b/src/mongo/db/auth/action_type.h
index 56c6e744631..b332aa9e80b 100644
--- a/src/mongo/db/auth/action_type.h
+++ b/src/mongo/db/auth/action_type.h
@@ -160,6 +160,7 @@ namespace mongo {
     X(revokeRolesFromUser)      /* ID only */                                         \
     X(rotateCertificates)                                                             \
     X(runAsLessPrivilegedUser)                                                        \
+    X(runTenantMigration)                                                             \
     X(serverStatus)                                                                   \
     X(setAuthenticationRestriction)                                                   \
     X(setDefaultRWConcern)                                                            \
diff --git a/src/mongo/db/auth/builtin_roles.cpp b/src/mongo/db/auth/builtin_roles.cpp
index 037f7765c35..b9662b581d6 100644
--- a/src/mongo/db/auth/builtin_roles.cpp
+++ b/src/mongo/db/auth/builtin_roles.cpp
@@ -247,6 +247,7 @@ MONGO_INITIALIZER(AuthorizationBuiltinRoles)(InitializerContext* context) {
         << ActionType::flushRouterConfig  // hostManager gets this also
         << ActionType::cleanupOrphaned
         << ActionType::getDefaultRWConcern // clusterMonitor gets this also
+        << ActionType::runTenantMigration
         << ActionType::setDefaultRWConcern
         << ActionType::setFeatureCompatibilityVersion
         << ActionType::setFreeMonitoring;
diff --git a/src/mongo/db/commands/tenant_migration_donor_cmds.cpp b/src/mongo/db/commands/tenant_migration_donor_cmds.cpp
index 658f1733c54..a4a838277b3 100644
--- a/src/mongo/db/commands/tenant_migration_donor_cmds.cpp
+++ b/src/mongo/db/commands/tenant_migration_donor_cmds.cpp
@@ -27,6 +27,7 @@
  *    it in the license file.
  */
 
+#include "mongo/db/auth/authorization_session.h"
 #include "mongo/db/commands.h"
 #include "mongo/db/commands/tenant_migration_donor_cmds_gen.h"
 #include "mongo/db/repl/primary_only_service.h"
@@ -97,7 +98,13 @@ public:
             return response;
         }
 
-        void doCheckAuthorization(OperationContext* opCtx) const {}
+        void doCheckAuthorization(OperationContext* opCtx) const {
+            uassert(ErrorCodes::Unauthorized,
+                    "Unauthorized",
+                    AuthorizationSession::get(opCtx->getClient())
+                        ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+                                                           ActionType::runTenantMigration));
+        }
 
     private:
         bool supportsWriteConcern() const override {
@@ -162,7 +169,13 @@ public:
         }
 
     private:
-        void doCheckAuthorization(OperationContext* opCtx) const {}
+        void doCheckAuthorization(OperationContext* opCtx) const {
+            uassert(ErrorCodes::Unauthorized,
+                    "Unauthorized",
+                    AuthorizationSession::get(opCtx->getClient())
+                        ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+                                                           ActionType::runTenantMigration));
+        }
 
         bool supportsWriteConcern() const override {
             return false;