-rw-r--r-- | jstests/auth/builtin_roles.js | 1 | ||||
-rw-r--r-- | jstests/auth/lib/commands_lib.js | 81 | ||||
-rw-r--r-- | src/mongo/db/auth/action_type.idl | 16 | ||||
-rw-r--r-- | src/mongo/db/auth/builtin_roles.yml | 12 | ||||
-rw-r--r-- | src/mongo/db/auth/builtin_roles_test.cpp | 1 |
5 files changed, 111 insertions, 0 deletions
diff --git a/jstests/auth/builtin_roles.js b/jstests/auth/builtin_roles.js index 67590b1c606..354bd69c67a 100644 --- a/jstests/auth/builtin_roles.js +++ b/jstests/auth/builtin_roles.js @@ -64,6 +64,7 @@ function runTest(mongo) { 'killCursors', 'listCollections', 'listIndexes', + 'listSearchIndexes', 'planCacheRead' ]; const kAdminReadPrivs = [ diff --git a/jstests/auth/lib/commands_lib.js b/jstests/auth/lib/commands_lib.js index c6c6f868db2..3904d800ee2 100644 --- a/jstests/auth/lib/commands_lib.js +++ b/jstests/auth/lib/commands_lib.js @@ -3650,6 +3650,26 @@ export const authCommandsLib = { }] }, { + testname: "createSearchIndex", + command: {createSearchIndex: "x", indexDefinition: {"testBlob": "blob"}}, + skipSharded: true, // TODO (SERVER-73274): add mongos cmds + testcases: [{ + runOnDb: firstDbName, + roles: Object.extend({ + readWrite: 1, + readWriteAnyDatabase: 1, + dbAdmin: 1, + dbAdminAnyDatabase: 1, + dbOwner: 1, + restore: 1, + root: 1, + __system: 1 + }), + privileges: + [{resource: {db: firstDbName, collection: "x"}, actions: ["createSearchIndex"]}], + }] + }, + { testname: "currentOp_$ownOps_false", command: {currentOp: 1, $all: true, $ownOps: false}, testcases: [ @@ -4007,6 +4027,25 @@ export const authCommandsLib = { ] }, { + testname: "dropSearchIndex", + command: {dropSearchIndex: "x", indexDefinition: {"testBlob": "blob"}}, + skipSharded: true, // TODO (SERVER-73274): add mongos cmds + testcases: [ + { + runOnDb: firstDbName, + roles: roles_writeDbAdmin, + privileges: + [{resource: {db: firstDbName, collection: "x"}, actions: ["dropSearchIndex"]}], + }, + { + runOnDb: secondDbName, + roles: roles_writeDbAdminAny, + privileges: + [{resource: {db: secondDbName, collection: "x"}, actions: ["dropSearchIndex"]}], + } + ] + }, + { testname: "enableSharding", command: {enableSharding: "x"}, skipUnlessSharded: true, 
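Review bot: The createSearchIndex entry only has a `runOnDb: firstDbName` testcase, so unlike the dropSearchIndex entry it never checks that the database-scoped roles are refused on `secondDbName` while the `*AnyDatabase` roles are accepted. A second testcase on `secondDbName`, with the database-scoped roles left out, would pin the scope of the new action. Separately, the role map is wrapped in `Object.extend({...})` with a single argument, which appears to contribute nothing as written. A plain object literal would be clearer, or `Object.extend({restore: 1}, roles_writeDbAdmin)` if that helper matches the listed roles.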
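Review bot: The dropSearchIndex command document carries `indexDefinition: {"testBlob": "blob"}`, which looks copied from the createSearchIndex entry; a drop would not be expected to take a definition. The command's schema is not visible in this diff, so this is an inference. If the field is rejected, the authorized cases could fail during parsing rather than exercising the privilege check, and the test would be asserting less than it appears to. Either send only the fields the command accepts, or add a comment such as `// body is a placeholder; only the auth check is exercised` next to the command.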
@@ -5095,6 +5134,28 @@ export const authCommandsLib = { }, { + testname: "listSearchIndexes", + command: {listSearchIndexes: "x"}, + skipSharded: true, // TODO (SERVER-73274): add mongos cmds + testcases: [{ + runOnDb: firstDbName, + roles: { + read: 1, + readAnyDatabase: 1, + readWrite: 1, + readWriteAnyDatabase: 1, + dbAdmin: 1, + dbAdminAnyDatabase: 1, + dbOwner: 1, + backup: 1, + root: 1, + __system: 1, + }, + privileges: + [{resource: {db: firstDbName, collection: ""}, actions: ["listSearchIndexes"]}], + }] + }, + { testname: "listShards", command: {listShards: 1}, skipUnlessSharded: true, @@ -5228,6 +5289,26 @@ export const authCommandsLib = { ] }, { + testname: "modifySearchIndex", + command: {modifySearchIndex: "foo", indexDefinition: {"textBlob": "blob"}}, + skipSharded: true, // TODO (SERVER-73274): add mongos cmds + testcases: [ + { + runOnDb: firstDbName, + roles: Object.extend({restore: 1}, roles_dbAdmin), + privileges: + [{resource: {db: firstDbName, collection: "foo"}, actions: ["modifySearchIndex"]}], + expectFail: true, + }, + { + runOnDb: secondDbName, + roles: Object.extend({restore: 1}, roles_dbAdminAny), + privileges: + [{resource: {db: secondDbName, collection: "foo"}, actions: ["modifySearchIndex"]}], + } + ] + }, + { testname: "s_moveChunk", command: {moveChunk: "test.x", find:{}, to:"a"}, skipUnlessSharded: true, diff --git a/src/mongo/db/auth/action_type.idl b/src/mongo/db/auth/action_type.idl index 9ef3ca73a98..0dadf041703 100644 --- a/src/mongo/db/auth/action_type.idl +++ b/src/mongo/db/auth/action_type.idl @@ -78,6 +78,7 @@ enums: createDatabase : "createDatabase" # ID only createIndex : "createIndex" # ID only createRole : "createRole" + createSearchIndex : "createSearchIndex" createUser : "createUser" dbCheck : "dbCheck" dbHash : "dbHash" 
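Review bot: In the listSearchIndexes entry the command targets collection `"x"` but the granted privilege is on `{db: firstDbName, collection: ""}`, whereas the create, drop and modify entries grant on the exact collection. As written the test only shows that a database-wide grant is sufficient; it does not show whether a grant scoped to `x` alone is accepted or rejected. If database-wide scope is intentional, a short comment saying so would help. Otherwise use `collection: "x"` as the sibling entries do. There is also no `secondDbName` case, so the read and readWrite roles are never shown to be refused outside their own database.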
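Review bot: The first modifySearchIndex testcase sets `expectFail: true` while the otherwise identical `secondDbName` case does not, and nothing explains the difference. A reader cannot tell whether the first case documents a real non-authorization failure or was left in by accident. If it is accidental, it weakens what the test asserts for the database-scoped roles. Add a comment on that line, e.g. `// expectFail: <reason the authorized command still fails on firstDbName>`, or drop the flag so both cases assert the same outcome. The definition key here is `"textBlob"` where the create and drop entries use `"testBlob"`, which looks like a typo.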
@@ -89,6 +90,7 @@ enums: dropDatabase : "dropDatabase" dropIndex : "dropIndex" dropRole : "dropRole" + dropSearchIndex : "dropSearchIndex" dropUser : "dropUser" emptycapped : "emptycapped" enableProfiler : "enableProfiler" @@ -127,9 +129,11 @@ enums: listCursors : "listCursors" listDatabases : "listDatabases" listIndexes : "listIndexes" + listSearchIndexes : "listSearchIndexes" listSessions : "listSessions" listShards : "listShards" logRotate : "logRotate" + modifySearchIndex : "modifySearchIndex" moveChunk : "moveChunk" netstat : "netstat" oidcListKeys : "oidcListKeys" @@ -238,11 +242,13 @@ enums: - convertToCapped - createCollection - createIndex + - createSearchIndex - dbCheck - dbHash - dbStats - dropCollection - dropIndex + - dropSearchIndex - enableProfiler - exportCollection - find @@ -252,6 +258,8 @@ enums: - killCursors - listCollections - listIndexes + - listSearchIndexes + - modifySearchIndex - planCacheIndexFilter - planCacheRead - planCacheWrite @@ -282,11 +290,13 @@ enums: - convertToCapped - createCollection - createIndex + - createSearchIndex - dbCheck - dbHash - dbStats - dropCollection - dropIndex + - dropSearchIndex - enableProfiler - exportCollection - find @@ -296,6 +306,8 @@ enums: - killCursors - listCollections - listIndexes + - listSearchIndexes + - modifySearchIndex - planCacheIndexFilter - planCacheRead - planCacheWrite @@ -350,12 +362,14 @@ enums: - convertToCapped - createCollection - createIndex + - createSearchIndex - dbCheck - dbHash - dbStats - dropCollection - dropDatabase - dropIndex + - dropSearchIndex - enableProfiler - exportCollection - find @@ -365,6 +379,8 @@ enums: - killCursors - listCollections - listIndexes + - listSearchIndexes + - modifySearchIndex - planCacheIndexFilter - planCacheRead - planCacheWrite diff --git a/src/mongo/db/auth/builtin_roles.yml b/src/mongo/db/auth/builtin_roles.yml index 1ddd65b6d7c..f5d56942a6f 100644 --- a/src/mongo/db/auth/builtin_roles.yml +++ b/src/mongo/db/auth/builtin_roles.yml 
@@ -40,6 +40,7 @@ roles: - killCursors - listCollections - listIndexes + - listSearchIndexes - planCacheRead - matchType: exact_namespace collection: 'system.js' @@ -54,8 +55,10 @@ roles: - convertToCapped # db admin gets this also - createCollection # db admin gets this also - createIndex + - createSearchIndex - dropCollection - dropIndex + - dropSearchIndex - insert - remove - renameCollectionSameDB # db admin gets this also @@ -95,10 +98,14 @@ roles: - dropCollection - dropDatabase # clusterAdmin gets this also TODO(spencer): shold readWriteAnyDatabase? - dropIndex + - dropSearchIndex - createIndex + - createSearchIndex - enableProfiler - listCollections - listIndexes + - listSearchIndexes + - modifySearchIndex - planCacheIndexFilter - planCacheRead - planCacheWrite @@ -178,7 +185,9 @@ roles: actions: &readRoleAndIndexActions - *readRoleActions - createIndex + - createSearchIndex - dropIndex + - dropSearchIndex - matchType: exact_namespace db: 'admin' collection: 'system.roles' @@ -412,6 +421,7 @@ roles: - collStats - listCollections - listIndexes + - listSearchIndexes - matchType: any_normal actions: - find @@ -499,8 +509,10 @@ roles: - convertToCapped - createCollection - createIndex + - createSearchIndex - dropCollection - insert + - modifySearchIndex - matchType: database db: 'config' actions: *restoreRoleWriteActions diff --git a/src/mongo/db/auth/builtin_roles_test.cpp b/src/mongo/db/auth/builtin_roles_test.cpp index a7662650d21..6d84c11b52a 100644 --- a/src/mongo/db/auth/builtin_roles_test.cpp +++ b/src/mongo/db/auth/builtin_roles_test.cpp @@ -108,6 +108,7 @@ TEST(BuiltinRoles, addPrivilegesForBuiltinRole) { ActionType::killCursors, ActionType::listCollections, ActionType::listIndexes, + ActionType::listSearchIndexes, ActionType::planCacheRead, }); const auto adminDB = ResourcePattern::forDatabaseName("admin"); |
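Review bot: The action list in the hunk at -54 gains `createSearchIndex` and `dropSearchIndex` but not `modifySearchIndex`, while the list at -95 gets all three. The `# db admin gets this also` comments suggest the -54 list is the readWrite role. A principal that may drop and re-create a search index can reach the same end state as a modify, so withholding `modifySearchIndex` adds friction without an obvious security boundary. The commands_lib.js test encodes the same split. If the omission is deliberate, a comment beside the list such as `# modifySearchIndex is dbAdmin-only because ...` would record why. Otherwise add `- modifySearchIndex` here and add the write roles to the modifySearchIndex test.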
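Review bot: Extending the `&readRoleAndIndexActions` anchor in the hunk at -178 silently widens every privilege that aliases it, and the context directly below shows it applied to `admin.system.roles`. The full set of namespaces using the alias is outside the hunk, but holders of the owning role would gain `createSearchIndex` and `dropSearchIndex` on authorization metadata. If a search index causes that collection's documents to be handed to the search component, this change would extend where role and user data can end up, so it deserves an explicit decision. None of the new jstests cover these system namespaces. Consider leaving the anchor unchanged and granting the two actions only where they are needed, or add a comment at the anchor stating that search-index actions on these system collections are intended.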