-rw-r--r-- | jstests/auth/builtin_roles_system_colls.js | 25 | ||||
-rw-r--r-- | src/mongo/db/auth/role_graph_builtin_roles.cpp | 10 |
2 files changed, 33 insertions, 2 deletions
diff --git a/jstests/auth/builtin_roles_system_colls.js b/jstests/auth/builtin_roles_system_colls.js
new file mode 100644
index 00000000000..5bdafdb745e
--- /dev/null
+++ b/jstests/auth/builtin_roles_system_colls.js
@@ -0,0 +1,25 @@
+// These tests cover any additional built-in role privileges
+// that do not easily fit into the commands_lib.js framework.
+// Specifically, they test the running of commands on the system
+// collections such as system.users, etc.
+
+// SERVER-13833: userAdminAnyDatabase role should be able to
+// create and drop indexes on the admin.system.users and
+// admin.system.roles collections, in order to make querying
+// the users collection easier if you have a lot of users, etc.
+function testUserAdminAnyDatabaseSystemCollIndexing(conn) {
+    var adminDB = conn.getDB("admin");
+    adminDB.createUser({ user: "king", pwd: "pwd", roles: ["userAdminAnyDatabase"] });
+    adminDB.auth("king", "pwd");
+
+    assert.commandWorked(adminDB.system.users.createIndex({ db: 1 }));
+    assert.commandWorked(adminDB.system.roles.createIndex({ db: 1 }));
+    assert.commandWorked(adminDB.system.users.dropIndex({ db: 1 }));
+    assert.commandWorked(adminDB.system.roles.dropIndex({ db: 1 }));
+};
+
+// ************************************************************
+
+var conn = MongoRunner.runMongod({ auth: "" });
+testUserAdminAnyDatabaseSystemCollIndexing(conn);
+MongoRunner.stopMongod(conn);
diff --git a/src/mongo/db/auth/role_graph_builtin_roles.cpp b/src/mongo/db/auth/role_graph_builtin_roles.cpp
index f04cb71430a..a057c3d2881 100644
--- a/src/mongo/db/auth/role_graph_builtin_roles.cpp
+++ b/src/mongo/db/auth/role_graph_builtin_roles.cpp
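Review bot: The return value of `adminDB.auth("king", "pwd")` on the third line of the function body is discarded, so a failed login would only surface later as a confusing unauthorized error from createIndex; change it to `assert(adminDB.auth("king", "pwd"));`. The test also proves only the positive side of the privilege: a negative check that an account without userAdminAnyDatabase (for example one holding only readWriteAnyDatabase) gets `assert.commandFailed(adminDB.system.users.createIndex({ db: 1 }))` would catch the index actions being granted more broadly than intended, which is the more important regression to guard for an authorization change. Style: `function ...(conn) { ... };` ends a function declaration with a stray semicolon, and the file uses `var` throughout where `const`/`let` would do. The `// SERVER-13833` header comment already states the intent clearly and should stay.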
@@ -355,6 +355,12 @@ namespace {
         Privilege::addPrivilegeToPrivilegeVector(
                 privileges,
                 Privilege(ResourcePattern::forClusterResource(), ActionType::invalidateUserCache));
+
+
+        ActionSet readRoleAndIndexActions;
+        readRoleAndIndexActions += readRoleActions;
+        readRoleAndIndexActions << ActionType::createIndex << ActionType::dropIndex;
+
         Privilege::addPrivilegeToPrivilegeVector(
                 privileges,
                 Privilege(ResourcePattern::forCollectionName("system.users"),
@@ -363,12 +369,12 @@ namespace {
                 privileges,
                 Privilege(ResourcePattern::forExactNamespace(
                         AuthorizationManager::usersCollectionNamespace),
-                        readRoleActions));
+                        readRoleAndIndexActions));
         Privilege::addPrivilegeToPrivilegeVector(
                 privileges,
                 Privilege(ResourcePattern::forExactNamespace(
                         AuthorizationManager::rolesCollectionNamespace),
-                        readRoleActions));
+                        readRoleAndIndexActions));
         Privilege::addPrivilegeToPrivilegeVector(
                 privileges,
                 Privilege(ResourcePattern::forExactNamespace( |
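Review bot: The new `readRoleAndIndexActions` set is introduced without a comment saying why index management belongs to a user-admin role, and it is preceded by two added blank lines where the surrounding code uses one. Suggest dropping one blank line and adding `// SERVER-13833: user admins may manage indexes on admin.system.users/roles so large user sets stay queryable.` above the `ActionSet` declaration. It is also worth stating in that comment that the set is applied only to the exact admin namespaces in the following hunk, while the any-database `system.users` pattern immediately below keeps its existing actions; that is the least-privilege choice and a future reader should not "fix" it by widening the pattern. The enclosing function starts before this hunk.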
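Review bot: Granting `ActionType::dropIndex` on `usersCollectionNamespace` and `rolesCollectionNamespace` also covers whatever indexes the server itself relies on for those collections; I believe the authorization code maintains a unique index on each, and this diff does not show whether dropping it is refused elsewhere. If it is not, a holder of this role could leave the user store without its uniqueness guarantee until restart, so please confirm the protection exists and, if it does, add a line to the new jstest asserting that `dropIndex` on that system-maintained index fails. If there is no such protection, restricting the drop path or recreating the index on access is worth a follow-up ticket; either way a one-line comment next to the `readRoleAndIndexActions` substitutions noting the assumption would help the next reader. The enclosing function continues outside this hunk.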