authorSara Golemon <sara.golemon@mongodb.com>2019-11-13 22:08:01 +0000
committerevergreen <evergreen@mongodb.com>2019-11-13 22:08:01 +0000
commit77ee1adf0405b5b3e95030dd8f57a4562121ace7 (patch)
tree1c7078812df76a50e7282a9fb665eaae5aa6975d /src/mongo
parent830e5f07bc357e430221f58837bec137f856a00f (diff)
SERVER-44320 Allow users with enableSharding cluster AT to manipulate sharding zones
(cherry picked from commit b08f7a6989c3e6b3af944201f618c8c928cc4077)
Diffstat (limited to 'src/mongo')
-rw-r--r--src/mongo/s/commands/cluster_add_shard_to_zone_cmd.cpp15
-rw-r--r--src/mongo/s/commands/cluster_remove_shard_from_zone_cmd.cpp18
-rw-r--r--src/mongo/s/commands/cluster_update_zone_key_range_cmd.cpp26
3 files changed, 42 insertions, 17 deletions
diff --git a/src/mongo/s/commands/cluster_add_shard_to_zone_cmd.cpp b/src/mongo/s/commands/cluster_add_shard_to_zone_cmd.cpp
index b6c8e242aa3..f8de58244f8 100644
--- a/src/mongo/s/commands/cluster_add_shard_to_zone_cmd.cpp
+++ b/src/mongo/s/commands/cluster_add_shard_to_zone_cmd.cpp
@@ -89,12 +89,21 @@ public:
Status checkAuthForCommand(Client* client,
const std::string& dbname,
- const BSONObj& cmdObj) override {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
+ const BSONObj& cmdObj) final {
+ auto* as = AuthorizationSession::get(client);
+
+ if (as->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::enableSharding)) {
+ return Status::OK();
+ }
+
+ // Fallback on permissions to directly modify the shard config.
+ if (!as->isAuthorizedForActionsOnResource(
ResourcePattern::forExactNamespace(NamespaceString(ShardType::ConfigNS)),
ActionType::update)) {
- return Status(ErrorCodes::Unauthorized, "Unauthorized");
+ return {ErrorCodes::Unauthorized, "Unauthorized"};
}
+
return Status::OK();
}
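Review bot: The early return added at the top of checkAuthForCommand carries no comment saying that `enableSharding` on the cluster resource is meant to be sufficient by itself, so a principal holding it no longer needs `update` on ShardType::ConfigNS; the remove-shard-from-zone and update-zone-key-range hunks add the same unannotated grant. The commit title shows the widening is intended, but at the check itself a later reader cannot tell it from an accidental bypass of the namespace privileges. I would add above the first `if`: `// SERVER-44320: enableSharding on the cluster resource alone authorizes zone changes; the namespace checks below are the fallback path.` The diffstat shown is limited to src/mongo and lists no test file, so it is worth confirming that a test covers a user holding only enableSharding and a user holding neither privilege set.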
diff --git a/src/mongo/s/commands/cluster_remove_shard_from_zone_cmd.cpp b/src/mongo/s/commands/cluster_remove_shard_from_zone_cmd.cpp
index 89241df2eaf..ec7c086ca70 100644
--- a/src/mongo/s/commands/cluster_remove_shard_from_zone_cmd.cpp
+++ b/src/mongo/s/commands/cluster_remove_shard_from_zone_cmd.cpp
@@ -89,17 +89,25 @@ public:
Status checkAuthForCommand(Client* client,
const std::string& dbname,
- const BSONObj& cmdObj) override {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
+ const BSONObj& cmdObj) final {
+ auto* as = AuthorizationSession::get(client);
+
+ if (as->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::enableSharding)) {
+ return Status::OK();
+ }
+
+ // Fallback on permissions to directly modify the shard config.
+ if (!as->isAuthorizedForActionsOnResource(
ResourcePattern::forExactNamespace(NamespaceString(ShardType::ConfigNS)),
ActionType::update)) {
- return Status(ErrorCodes::Unauthorized, "Unauthorized");
+ return {ErrorCodes::Unauthorized, "Unauthorized"};
}
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
+ if (!as->isAuthorizedForActionsOnResource(
ResourcePattern::forExactNamespace(NamespaceString(TagsType::ConfigNS)),
ActionType::find)) {
- return Status(ErrorCodes::Unauthorized, "Unauthorized");
+ return {ErrorCodes::Unauthorized, "Unauthorized"};
}
return Status::OK();
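Review bot: The comment `// Fallback on permissions to directly modify the shard config.` describes only the first fallback check, while the fallback in this function also requires `find` on TagsType::ConfigNS; in the update-zone-key-range hunk the same comment sits above a `find` check on ShardType::ConfigNS, where the shard collection is only read. These comments are the only statement of which privileges the non-enableSharding path needs, so each should list them, here `// Otherwise require update on ShardType::ConfigNS and find on TagsType::ConfigNS.` and there `// Otherwise require find on ShardType::ConfigNS and find, update and remove on TagsType::ConfigNS.` The closing brace of the function is outside this hunk.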
diff --git a/src/mongo/s/commands/cluster_update_zone_key_range_cmd.cpp b/src/mongo/s/commands/cluster_update_zone_key_range_cmd.cpp
index e0d9eefc222..a6361377dfb 100644
--- a/src/mongo/s/commands/cluster_update_zone_key_range_cmd.cpp
+++ b/src/mongo/s/commands/cluster_update_zone_key_range_cmd.cpp
@@ -92,29 +92,37 @@ public:
Status checkAuthForCommand(Client* client,
const std::string& dbname,
- const BSONObj& cmdObj) override {
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
+ const BSONObj& cmdObj) final {
+ auto* as = AuthorizationSession::get(client);
+
+ if (as->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+ ActionType::enableSharding)) {
+ return Status::OK();
+ }
+
+ // Fallback on permissions to directly modify the shard config.
+ if (!as->isAuthorizedForActionsOnResource(
ResourcePattern::forExactNamespace(NamespaceString(ShardType::ConfigNS)),
ActionType::find)) {
- return Status(ErrorCodes::Unauthorized, "Unauthorized");
+ return {ErrorCodes::Unauthorized, "Unauthorized"};
}
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
+ if (!as->isAuthorizedForActionsOnResource(
ResourcePattern::forExactNamespace(NamespaceString(TagsType::ConfigNS)),
ActionType::find)) {
- return Status(ErrorCodes::Unauthorized, "Unauthorized");
+ return {ErrorCodes::Unauthorized, "Unauthorized"};
}
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
+ if (!as->isAuthorizedForActionsOnResource(
ResourcePattern::forExactNamespace(NamespaceString(TagsType::ConfigNS)),
ActionType::update)) {
- return Status(ErrorCodes::Unauthorized, "Unauthorized");
+ return {ErrorCodes::Unauthorized, "Unauthorized"};
}
- if (!AuthorizationSession::get(client)->isAuthorizedForActionsOnResource(
+ if (!as->isAuthorizedForActionsOnResource(
ResourcePattern::forExactNamespace(NamespaceString(TagsType::ConfigNS)),
ActionType::remove)) {
- return Status(ErrorCodes::Unauthorized, "Unauthorized");
+ return {ErrorCodes::Unauthorized, "Unauthorized"};
}
return Status::OK();
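Review bot: The three fallback checks against TagsType::ConfigNS differ only in the ActionType (`find`, `update`, `remove`) and each repeats the same ResourcePattern construction and the same `return {ErrorCodes::Unauthorized, "Unauthorized"};`. Spreading one privilege requirement over three blocks makes it easy for a later edit to drop or alter one action without the change standing out in review. If AuthorizationSession offers an overload that accepts a set of actions (not visible in this hunk, so to be confirmed), a single call listing all three actions would state the required privilege set in one place. The function ends outside this hunk.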