-rw-r--r--src/mongo/db/auth/role_graph_builtin_roles.cpp27
-rw-r--r--src/mongo/db/auth/role_graph_test.cpp1
2 files changed, 25 insertions, 3 deletions
diff --git a/src/mongo/db/auth/role_graph_builtin_roles.cpp b/src/mongo/db/auth/role_graph_builtin_roles.cpp
index 47ba56ce752..31e8e1234ec 100644
--- a/src/mongo/db/auth/role_graph_builtin_roles.cpp
+++ b/src/mongo/db/auth/role_graph_builtin_roles.cpp
@@ -62,6 +62,7 @@ const std::string BUILTIN_ROLE_CLUSTER_MANAGEMENT = "clusterManager";
const std::string BUILTIN_ROLE_BACKUP = "backup";
const std::string BUILTIN_ROLE_RESTORE = "restore";
const std::string BUILTIN_ROLE_ENABLE_SHARDING = "enableSharding";
+const std::string BUILTIN_ROLE_QUERYABLE_BACKUP = "__queryableBackup";
/// Actions that the "read" role may perform on a normal resources of a specific database, and
/// that the "readAnyDatabase" role may perform on normal resources of any database.
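Review bot: The new `BUILTIN_ROLE_QUERYABLE_BACKUP` constant on line 17 has no comment, and its name alone does not say how it differs from `BUILTIN_ROLE_BACKUP` or why it is spelled with a leading double underscore. From the later hunks it appears to be the read-only part of `backup` (appendOplogNote and the config.settings insert/update are moved out of the shared helper into addBackupPrivileges), and the `__` prefix matches the existing `__system` name seen in the test file, which presumably marks it as an internal built-in role. I would add `/// Read-only subset of the "backup" role (no appendOplogNote, no insert/update on config.settings); the leading "__" marks it as an internal built-in role.` above the constant, adjusting the wording if the prefix means something else in this codebase.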
@@ -485,7 +486,8 @@ void addClusterAdminPrivileges(PrivilegeVector* privileges) {
privileges, Privilege(ResourcePattern::forAnyNormalResource(), ActionType::dropDatabase));
}
-void addBackupPrivileges(PrivilegeVector* privileges) {
+
+void addQueryableBackupPrivileges(PrivilegeVector* privileges) {
Privilege::addPrivilegeToPrivilegeVector(
privileges, Privilege(ResourcePattern::forAnyResource(), ActionType::collStats));
Privilege::addPrivilegeToPrivilegeVector(
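Review bot: `addQueryableBackupPrivileges` on line 25 is now a helper shared by two roles — it is dispatched directly for `__queryableBackup` and called from the end of `addBackupPrivileges` in a later hunk — but nothing at its definition says so, so a future edit that adds a write action here would silently widen the read-only role. I would put a header comment above the signature such as `// Privileges granted to BOTH the "__queryableBackup" and "backup" roles (addBackupPrivileges calls this). Keep this read-only; write-side actions belong in addBackupPrivileges.` The body of this function continues past the hunk, so the full set of actions it grants is not visible here.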
@@ -497,7 +499,7 @@ void addBackupPrivileges(PrivilegeVector* privileges) {
ActionSet clusterActions;
clusterActions << ActionType::getParameter // To check authSchemaVersion
- << ActionType::listDatabases << ActionType::appendOplogNote; // For BRS
+ << ActionType::listDatabases;
Privilege::addPrivilegeToPrivilegeVector(
privileges, Privilege(ResourcePattern::forClusterResource(), clusterActions));
@@ -550,12 +552,26 @@ void addBackupPrivileges(PrivilegeVector* privileges) {
ResourcePattern::forExactNamespace(AuthorizationManager::versionCollectionNamespace),
ActionType::find));
+ Privilege::addPrivilegeToPrivilegeVector(
+ privileges,
+ Privilege(ResourcePattern::forExactNamespace(NamespaceString("config", "settings")),
+ ActionType::find));
+}
+
+void addBackupPrivileges(PrivilegeVector* privileges) {
+ ActionSet clusterActions;
+ clusterActions << ActionType::appendOplogNote; // For BRS
+ Privilege::addPrivilegeToPrivilegeVector(
+ privileges, Privilege(ResourcePattern::forClusterResource(), clusterActions));
+
ActionSet configSettingsActions;
- configSettingsActions << ActionType::insert << ActionType::update << ActionType::find;
+ configSettingsActions << ActionType::insert << ActionType::update;
Privilege::addPrivilegeToPrivilegeVector(
privileges,
Privilege(ResourcePattern::forExactNamespace(NamespaceString("config", "settings")),
configSettingsActions));
+
+ addQueryableBackupPrivileges(privileges);
}
void addRestorePrivileges(PrivilegeVector* privileges) {
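Review bot: The only test change in this commit (role_graph_test.cpp) checks that `__queryableBackup` is enumerated for the admin DB; nothing asserts that the privileges produced by `addQueryableBackupPrivileges` contain no write actions, which is the property this split exists to provide, so a regression in either helper would go unnoticed. A test that collects the privileges for RoleName("__queryableBackup", "admin") and asserts the absence of `ActionType::insert`, `ActionType::update` and `ActionType::appendOplogNote` would pin that. Separately, lines 48-49 and 54-57 add a cluster-resource Privilege and a config.settings Privilege, and the helper call on line 59 then adds another Privilege for each of those two resource patterns; whether `Privilege::addPrivilegeToPrivilegeVector` merges them by resource pattern or appends duplicate entries is not visible in this diff and is worth confirming, since the ordering of the helper call after the writes is what the merge would have to tolerate.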
@@ -683,6 +699,8 @@ bool RoleGraph::addPrivilegesForBuiltinRole(const RoleName& roleName, PrivilegeV
addClusterManagerPrivileges(result);
} else if (isAdminDB && roleName.getRole() == BUILTIN_ROLE_CLUSTER_ADMIN) {
addClusterAdminPrivileges(result);
+ } else if (isAdminDB && roleName.getRole() == BUILTIN_ROLE_QUERYABLE_BACKUP) {
+ addQueryableBackupPrivileges(result);
} else if (isAdminDB && roleName.getRole() == BUILTIN_ROLE_BACKUP) {
addBackupPrivileges(result);
} else if (isAdminDB && roleName.getRole() == BUILTIN_ROLE_RESTORE) {
@@ -750,6 +768,8 @@ bool RoleGraph::isBuiltinRole(const RoleName& role) {
return true;
} else if (isAdminDB && role.getRole() == BUILTIN_ROLE_INTERNAL) {
return true;
+ } else if (isAdminDB && role.getRole() == BUILTIN_ROLE_QUERYABLE_BACKUP) {
+ return true;
}
return false;
}
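Review bot: The new role is registered in three parallel lists — `isBuiltinRole` here (line 75), `addPrivilegesForBuiltinRole` in the previous hunk (line 66) and `_createBuiltinRolesForDBIfNeeded` in the next one (line 84) — and nothing ties them together, so a role added to one list but not the others would either be created with no privileges or be reported as built-in without existing. A short comment near the top of `isBuiltinRole`, e.g. `// Keep in sync with addPrivilegesForBuiltinRole and _createBuiltinRolesForDBIfNeeded.`, would make the coupling visible to the next person adding a role. The enclosing function starts outside this hunk.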
@@ -775,6 +795,7 @@ void RoleGraph::_createBuiltinRolesForDBIfNeeded(const std::string& dbname) {
_createBuiltinRoleIfNeeded(RoleName(BUILTIN_ROLE_RESTORE, dbname));
_createBuiltinRoleIfNeeded(RoleName(BUILTIN_ROLE_ROOT, dbname));
_createBuiltinRoleIfNeeded(RoleName(BUILTIN_ROLE_INTERNAL, dbname));
+ _createBuiltinRoleIfNeeded(RoleName(BUILTIN_ROLE_QUERYABLE_BACKUP, dbname));
}
}
diff --git a/src/mongo/db/auth/role_graph_test.cpp b/src/mongo/db/auth/role_graph_test.cpp
index 2e7a1ba0eb7..5301ab6f6aa 100644
--- a/src/mongo/db/auth/role_graph_test.cpp
+++ b/src/mongo/db/auth/role_graph_test.cpp
@@ -674,6 +674,7 @@ TEST(RoleGraphTest, getRolesForDatabase) {
// Admin DB
it = graph.getRolesForDatabase("admin");
+ ASSERT_EQUALS(RoleName("__queryableBackup", "admin"), it.next());
ASSERT_EQUALS(RoleName("__system", "admin"), it.next());
ASSERT_EQUALS(RoleName("backup", "admin"), it.next());
ASSERT_EQUALS(RoleName("clusterAdmin", "admin"), it.next());