diff options
-rw-r--r-- | src/mongo/db/auth/role_graph_builtin_roles.cpp | 27 | ||||
-rw-r--r-- | src/mongo/db/auth/role_graph_test.cpp | 1 |
2 files changed, 25 insertions, 3 deletions
diff --git a/src/mongo/db/auth/role_graph_builtin_roles.cpp b/src/mongo/db/auth/role_graph_builtin_roles.cpp index 47ba56ce752..31e8e1234ec 100644 --- a/src/mongo/db/auth/role_graph_builtin_roles.cpp +++ b/src/mongo/db/auth/role_graph_builtin_roles.cpp @@ -62,6 +62,7 @@ const std::string BUILTIN_ROLE_CLUSTER_MANAGEMENT = "clusterManager"; const std::string BUILTIN_ROLE_BACKUP = "backup"; const std::string BUILTIN_ROLE_RESTORE = "restore"; const std::string BUILTIN_ROLE_ENABLE_SHARDING = "enableSharding"; +const std::string BUILTIN_ROLE_QUERYABLE_BACKUP = "__queryableBackup"; /// Actions that the "read" role may perform on a normal resources of a specific database, and /// that the "readAnyDatabase" role may perform on normal resources of any database. @@ -485,7 +486,8 @@ void addClusterAdminPrivileges(PrivilegeVector* privileges) { privileges, Privilege(ResourcePattern::forAnyNormalResource(), ActionType::dropDatabase)); } -void addBackupPrivileges(PrivilegeVector* privileges) { + +void addQueryableBackupPrivileges(PrivilegeVector* privileges) { Privilege::addPrivilegeToPrivilegeVector( privileges, Privilege(ResourcePattern::forAnyResource(), ActionType::collStats)); Privilege::addPrivilegeToPrivilegeVector( @@ -497,7 +499,7 @@ void addBackupPrivileges(PrivilegeVector* privileges) { ActionSet clusterActions; clusterActions << ActionType::getParameter // To check authSchemaVersion - << ActionType::listDatabases << ActionType::appendOplogNote; // For BRS + << ActionType::listDatabases; Privilege::addPrivilegeToPrivilegeVector( privileges, Privilege(ResourcePattern::forClusterResource(), clusterActions)); @@ -550,12 +552,26 @@ void addBackupPrivileges(PrivilegeVector* privileges) { ResourcePattern::forExactNamespace(AuthorizationManager::versionCollectionNamespace), ActionType::find)); + Privilege::addPrivilegeToPrivilegeVector( + privileges, + Privilege(ResourcePattern::forExactNamespace(NamespaceString("config", "settings")), + ActionType::find)); +} + +void addBackupPrivileges(PrivilegeVector* privileges) { + ActionSet clusterActions; + clusterActions << ActionType::appendOplogNote; // For BRS + Privilege::addPrivilegeToPrivilegeVector( + privileges, Privilege(ResourcePattern::forClusterResource(), clusterActions)); + ActionSet configSettingsActions; - configSettingsActions << ActionType::insert << ActionType::update << ActionType::find; + configSettingsActions << ActionType::insert << ActionType::update; Privilege::addPrivilegeToPrivilegeVector( privileges, Privilege(ResourcePattern::forExactNamespace(NamespaceString("config", "settings")), configSettingsActions)); + + addQueryableBackupPrivileges(privileges); } void addRestorePrivileges(PrivilegeVector* privileges) { @@ -683,6 +699,8 @@ bool RoleGraph::addPrivilegesForBuiltinRole(const RoleName& roleName, PrivilegeV addClusterManagerPrivileges(result); } else if (isAdminDB && roleName.getRole() == BUILTIN_ROLE_CLUSTER_ADMIN) { addClusterAdminPrivileges(result); + } else if (isAdminDB && roleName.getRole() == BUILTIN_ROLE_QUERYABLE_BACKUP) { + addQueryableBackupPrivileges(result); } else if (isAdminDB && roleName.getRole() == BUILTIN_ROLE_BACKUP) { addBackupPrivileges(result); } else if (isAdminDB && roleName.getRole() == BUILTIN_ROLE_RESTORE) { @@ -750,6 +768,8 @@ bool RoleGraph::isBuiltinRole(const RoleName& role) { return true; } else if (isAdminDB && role.getRole() == BUILTIN_ROLE_INTERNAL) { return true; + } else if (isAdminDB && role.getRole() == BUILTIN_ROLE_QUERYABLE_BACKUP) { + return true; } return false; } @@ -775,6 +795,7 @@ void RoleGraph::_createBuiltinRolesForDBIfNeeded(const std::string& dbname) { _createBuiltinRoleIfNeeded(RoleName(BUILTIN_ROLE_RESTORE, dbname)); _createBuiltinRoleIfNeeded(RoleName(BUILTIN_ROLE_ROOT, dbname)); _createBuiltinRoleIfNeeded(RoleName(BUILTIN_ROLE_INTERNAL, dbname)); + _createBuiltinRoleIfNeeded(RoleName(BUILTIN_ROLE_QUERYABLE_BACKUP, dbname)); } } diff --git a/src/mongo/db/auth/role_graph_test.cpp b/src/mongo/db/auth/role_graph_test.cpp index 2e7a1ba0eb7..5301ab6f6aa 100644 --- a/src/mongo/db/auth/role_graph_test.cpp +++ b/src/mongo/db/auth/role_graph_test.cpp @@ -674,6 +674,7 @@ TEST(RoleGraphTest, getRolesForDatabase) { // Admin DB it = graph.getRolesForDatabase("admin"); + ASSERT_EQUALS(RoleName("__queryableBackup", "admin"), it.next()); ASSERT_EQUALS(RoleName("__system", "admin"), it.next()); ASSERT_EQUALS(RoleName("backup", "admin"), it.next()); ASSERT_EQUALS(RoleName("clusterAdmin", "admin"), it.next()); |