-rw-r--r--jstests/auth/builtin_roles.js1
-rw-r--r--jstests/auth/lib/commands_lib.js81
-rw-r--r--src/mongo/db/auth/action_type.idl16
-rw-r--r--src/mongo/db/auth/builtin_roles.yml12
-rw-r--r--src/mongo/db/auth/builtin_roles_test.cpp1
5 files changed, 111 insertions, 0 deletions
diff --git a/jstests/auth/builtin_roles.js b/jstests/auth/builtin_roles.js
index 67590b1c606..354bd69c67a 100644
--- a/jstests/auth/builtin_roles.js
+++ b/jstests/auth/builtin_roles.js
@@ -64,6 +64,7 @@ function runTest(mongo) {
'killCursors',
'listCollections',
'listIndexes',
+ 'listSearchIndexes',
'planCacheRead'
];
const kAdminReadPrivs = [
diff --git a/jstests/auth/lib/commands_lib.js b/jstests/auth/lib/commands_lib.js
index c6c6f868db2..3904d800ee2 100644
--- a/jstests/auth/lib/commands_lib.js
+++ b/jstests/auth/lib/commands_lib.js
@@ -3650,6 +3650,26 @@ export const authCommandsLib = {
}]
},
{
+ testname: "createSearchIndex",
+ command: {createSearchIndex: "x", indexDefinition: {"testBlob": "blob"}},
+ skipSharded: true, // TODO (SERVER-73274): add mongos cmds
+ testcases: [{
+ runOnDb: firstDbName,
+ roles: Object.extend({
+ readWrite: 1,
+ readWriteAnyDatabase: 1,
+ dbAdmin: 1,
+ dbAdminAnyDatabase: 1,
+ dbOwner: 1,
+ restore: 1,
+ root: 1,
+ __system: 1
+ }),
+ privileges:
+ [{resource: {db: firstDbName, collection: "x"}, actions: ["createSearchIndex"]}],
+ }]
+ },
+ {
testname: "currentOp_$ownOps_false",
command: {currentOp: 1, $all: true, $ownOps: false},
testcases: [
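Review bot: The createSearchIndex entry has a single testcase on `firstDbName` that mixes database-scoped roles (`readWrite`, `dbAdmin`, `dbOwner`) with the `AnyDatabase` ones, so nothing checks that a role granted on one database is refused on another. The dropSearchIndex entry in this commit covers that with a separate `secondDbName` case, and the listSearchIndexes entry further down has the same gap as this one. I would add a second testcase with `runOnDb: secondDbName`, only the cross-database roles, and a privilege on `{db: secondDbName, collection: "x"}`. Separately, `Object.extend({...})` is called with one argument here, so it appears to be a no-op wrapper; a plain object literal, as used in listSearchIndexes, would be clearer. The enclosing `authCommandsLib` list starts and ends outside the hunk.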
@@ -4007,6 +4027,25 @@ export const authCommandsLib = {
]
},
{
+ testname: "dropSearchIndex",
+ command: {dropSearchIndex: "x", indexDefinition: {"testBlob": "blob"}},
+ skipSharded: true, // TODO (SERVER-73274): add mongos cmds
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_writeDbAdmin,
+ privileges:
+ [{resource: {db: firstDbName, collection: "x"}, actions: ["dropSearchIndex"]}],
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_writeDbAdminAny,
+ privileges:
+ [{resource: {db: secondDbName, collection: "x"}, actions: ["dropSearchIndex"]}],
+ }
+ ]
+ },
+ {
testname: "enableSharding",
command: {enableSharding: "x"},
skipUnlessSharded: true,
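Review bot: The dropSearchIndex command document carries `indexDefinition: {"testBlob": "blob"}`, which looks copied from the createSearchIndex entry; a drop would normally name an index rather than define one. If the command parser rejects or later requires different fields, the test could fail or pass for reasons unrelated to authorization. Unless the field is required by the command definition (not visible here), I would reduce it to `command: {dropSearchIndex: "x"}` or add a comment explaining why the definition is sent.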
@@ -5095,6 +5134,28 @@ export const authCommandsLib = {
},
{
+ testname: "listSearchIndexes",
+ command: {listSearchIndexes: "x"},
+ skipSharded: true, // TODO (SERVER-73274): add mongos cmds
+ testcases: [{
+ runOnDb: firstDbName,
+ roles: {
+ read: 1,
+ readAnyDatabase: 1,
+ readWrite: 1,
+ readWriteAnyDatabase: 1,
+ dbAdmin: 1,
+ dbAdminAnyDatabase: 1,
+ dbOwner: 1,
+ backup: 1,
+ root: 1,
+ __system: 1,
+ },
+ privileges:
+ [{resource: {db: firstDbName, collection: ""}, actions: ["listSearchIndexes"]}],
+ }]
+ },
+ {
testname: "listShards",
command: {listShards: 1},
skipUnlessSharded: true,
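Review bot: The privilege case grants `listSearchIndexes` on `{db: firstDbName, collection: ""}` although the command targets collection `"x"`, while the create, drop and modify entries in this commit all use the exact collection. With the empty collection name the run only shows that a database-wide grant is accepted, not that a grant on `"x"` alone is sufficient. If the check is meant to be per collection, use `privileges: [{resource: {db: firstDbName, collection: "x"}, actions: ["listSearchIndexes"]}]`; if database-wide scope is intended, a one-line comment saying so would prevent the mismatch from being read as an oversight.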
@@ -5228,6 +5289,26 @@ export const authCommandsLib = {
]
},
{
+ testname: "modifySearchIndex",
+ command: {modifySearchIndex: "foo", indexDefinition: {"textBlob": "blob"}},
+ skipSharded: true, // TODO (SERVER-73274): add mongos cmds
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: Object.extend({restore: 1}, roles_dbAdmin),
+ privileges:
+ [{resource: {db: firstDbName, collection: "foo"}, actions: ["modifySearchIndex"]}],
+ expectFail: true,
+ },
+ {
+ runOnDb: secondDbName,
+ roles: Object.extend({restore: 1}, roles_dbAdminAny),
+ privileges:
+ [{resource: {db: secondDbName, collection: "foo"}, actions: ["modifySearchIndex"]}],
+ }
+ ]
+ },
+ {
testname: "s_moveChunk",
command: {moveChunk: "test.x", find:{}, to:"a"},
skipUnlessSharded: true,
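Review bot: Only the `firstDbName` testcase of modifySearchIndex sets `expectFail: true`; the `secondDbName` case runs the same command without it, and none of the other search-index entries use the flag. Nothing in the hunk explains why the same command should fail on one database and not the other, so this looks like a leftover. Either drop the flag or add a comment such as `// expected to fail because <reason>` and apply it to both cases consistently. The key `"textBlob"` also differs from the `"testBlob"` used in the create and drop entries, which is probably a typo.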
diff --git a/src/mongo/db/auth/action_type.idl b/src/mongo/db/auth/action_type.idl
index 9ef3ca73a98..0dadf041703 100644
--- a/src/mongo/db/auth/action_type.idl
+++ b/src/mongo/db/auth/action_type.idl
@@ -78,6 +78,7 @@ enums:
createDatabase : "createDatabase" # ID only
createIndex : "createIndex" # ID only
createRole : "createRole"
+ createSearchIndex : "createSearchIndex"
createUser : "createUser"
dbCheck : "dbCheck"
dbHash : "dbHash"
@@ -89,6 +90,7 @@ enums:
dropDatabase : "dropDatabase"
dropIndex : "dropIndex"
dropRole : "dropRole"
+ dropSearchIndex : "dropSearchIndex"
dropUser : "dropUser"
emptycapped : "emptycapped"
enableProfiler : "enableProfiler"
@@ -127,9 +129,11 @@ enums:
listCursors : "listCursors"
listDatabases : "listDatabases"
listIndexes : "listIndexes"
+ listSearchIndexes : "listSearchIndexes"
listSessions : "listSessions"
listShards : "listShards"
logRotate : "logRotate"
+ modifySearchIndex : "modifySearchIndex"
moveChunk : "moveChunk"
netstat : "netstat"
oidcListKeys : "oidcListKeys"
@@ -238,11 +242,13 @@ enums:
- convertToCapped
- createCollection
- createIndex
+ - createSearchIndex
- dbCheck
- dbHash
- dbStats
- dropCollection
- dropIndex
+ - dropSearchIndex
- enableProfiler
- exportCollection
- find
@@ -252,6 +258,8 @@ enums:
- killCursors
- listCollections
- listIndexes
+ - listSearchIndexes
+ - modifySearchIndex
- planCacheIndexFilter
- planCacheRead
- planCacheWrite
@@ -282,11 +290,13 @@ enums:
- convertToCapped
- createCollection
- createIndex
+ - createSearchIndex
- dbCheck
- dbHash
- dbStats
- dropCollection
- dropIndex
+ - dropSearchIndex
- enableProfiler
- exportCollection
- find
@@ -296,6 +306,8 @@ enums:
- killCursors
- listCollections
- listIndexes
+ - listSearchIndexes
+ - modifySearchIndex
- planCacheIndexFilter
- planCacheRead
- planCacheWrite
@@ -350,12 +362,14 @@ enums:
- convertToCapped
- createCollection
- createIndex
+ - createSearchIndex
- dbCheck
- dbHash
- dbStats
- dropCollection
- dropDatabase
- dropIndex
+ - dropSearchIndex
- enableProfiler
- exportCollection
- find
@@ -365,6 +379,8 @@ enums:
- killCursors
- listCollections
- listIndexes
+ - listSearchIndexes
+ - modifySearchIndex
- planCacheIndexFilter
- planCacheRead
- planCacheWrite
diff --git a/src/mongo/db/auth/builtin_roles.yml b/src/mongo/db/auth/builtin_roles.yml
index 1ddd65b6d7c..f5d56942a6f 100644
--- a/src/mongo/db/auth/builtin_roles.yml
+++ b/src/mongo/db/auth/builtin_roles.yml
@@ -40,6 +40,7 @@ roles:
- killCursors
- listCollections
- listIndexes
+ - listSearchIndexes
- planCacheRead
- matchType: exact_namespace
collection: 'system.js'
@@ -54,8 +55,10 @@ roles:
- convertToCapped # db admin gets this also
- createCollection # db admin gets this also
- createIndex
+ - createSearchIndex
- dropCollection
- dropIndex
+ - dropSearchIndex
- insert
- remove
- renameCollectionSameDB # db admin gets this also
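Review bot: This action list (apparently the readWrite write actions) gains `createSearchIndex` and `dropSearchIndex` but not `modifySearchIndex`, which the later hunks add only to what look like the dbAdmin and restore lists. A principal that may drop and re-create a search index can reach the same end state as a modify, so withholding the action does not narrow what the role can do and only makes the model harder to reason about. If the split is deliberate, a comment such as `# modifySearchIndex is dbAdmin/restore only` would document it; otherwise add `- modifySearchIndex` here and extend the commands_lib roles to match. The role definition itself starts outside the hunk.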
@@ -95,10 +98,14 @@ roles:
- dropCollection
- dropDatabase # clusterAdmin gets this also TODO(spencer): shold readWriteAnyDatabase?
- dropIndex
+ - dropSearchIndex
- createIndex
+ - createSearchIndex
- enableProfiler
- listCollections
- listIndexes
+ - listSearchIndexes
+ - modifySearchIndex
- planCacheIndexFilter
- planCacheRead
- planCacheWrite
@@ -178,7 +185,9 @@ roles:
actions: &readRoleAndIndexActions
- *readRoleActions
- createIndex
+ - createSearchIndex
- dropIndex
+ - dropSearchIndex
- matchType: exact_namespace
db: 'admin'
collection: 'system.roles'
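Review bot: Adding `createSearchIndex` and `dropSearchIndex` to the `&readRoleAndIndexActions` anchor widens every privilege that aliases it, and the surrounding context (`exact_namespace` on `admin` / `system.roles`) suggests the anchor is applied to authentication system collections. Creating a search index there would presumably hand the contents of those collections to the search subsystem, which is a different exposure from an ordinary `createIndex`. The privilege entry and the alias uses are outside the hunk, so this needs confirming, and none of the new commands_lib cases exercise this grant. Unless there is a concrete need, I would leave the anchor at `createIndex`/`dropIndex` and grant the search actions explicitly where required.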
@@ -412,6 +421,7 @@ roles:
- collStats
- listCollections
- listIndexes
+ - listSearchIndexes
- matchType: any_normal
actions:
- find
@@ -499,8 +509,10 @@ roles:
- convertToCapped
- createCollection
- createIndex
+ - createSearchIndex
- dropCollection
- insert
+ - modifySearchIndex
- matchType: database
db: 'config'
actions: *restoreRoleWriteActions
diff --git a/src/mongo/db/auth/builtin_roles_test.cpp b/src/mongo/db/auth/builtin_roles_test.cpp
index a7662650d21..6d84c11b52a 100644
--- a/src/mongo/db/auth/builtin_roles_test.cpp
+++ b/src/mongo/db/auth/builtin_roles_test.cpp
@@ -108,6 +108,7 @@ TEST(BuiltinRoles, addPrivilegesForBuiltinRole) {
ActionType::killCursors,
ActionType::listCollections,
ActionType::listIndexes,
+ ActionType::listSearchIndexes,
ActionType::planCacheRead,
});
const auto adminDB = ResourcePattern::forDatabaseName("admin");