1 files changed, 62 insertions, 1 deletions

diff --git a/jstests/replsets/libs/tenant_migration_util.js b/jstests/replsets/libs/tenant_migration_util.js
index de4ca29b447..0ab2c45b09d 100644
--- a/jstests/replsets/libs/tenant_migration_util.js
+++ b/jstests/replsets/libs/tenant_migration_util.js
@@ -332,6 +332,64 @@ var TenantMigrationUtil = (function() {
         }
     }
 
+    /**
+     * Creates a role for tenant migration donor if it doesn't exist.
+     */
+    function createTenantMigrationDonorRoleIfNotExist(rst) {
+        const adminDB = rst.getPrimary().getDB("admin");
+
+        if (roleExists(adminDB, "tenantMigrationDonorRole")) {
+            return;
+        }
+
+        assert.commandWorked(adminDB.runCommand({
+            createRole: "tenantMigrationDonorRole",
+            privileges: [
+                {resource: {cluster: true}, actions: ["runTenantMigration"]},
+                {resource: {db: "admin", collection: "system.keys"}, actions: ["find"]}
+            ],
+            roles: []
+        }));
+    }
+
+    /**
+     * Creates a role for tenant migration recipient if it doesn't exist.
+     */
+    function createTenantMigrationRecipientRoleIfNotExist(rst) {
+        const adminDB = rst.getPrimary().getDB("admin");
+
+        if (roleExists(adminDB, "tenantMigrationRecipientRole")) {
+            return;
+        }
+
+        assert.commandWorked(adminDB.runCommand({
+            createRole: "tenantMigrationRecipientRole",
+            privileges: [
+                {resource: {cluster: true}, actions: ["listDatabases", "useUUID"]},
+                {resource: {db: "", collection: ""}, actions: ["listCollections"]},
+                {
+                    resource: {anyResource: true},
+                    actions: ["dbStats", "collStats", "find", "listIndexes"]
+                }
+            ],
+            roles: []
+        }));
+    }
+
+    /**
+     * Returns true if the given database role already exists.
+     */
+    function roleExists(db, roleName) {
+        const roles = db.getRoles({rolesInfo: 1, showPrivileges: false, showBuiltinRoles: false});
+        const fullRoleName = `${db.getName()}.${roleName}`;
+        for (let role of roles) {
+            if (role._id == fullRoleName) {
+                return true;
+            }
+        }
+        return false;
+    }
+
     return {
         kExternalKeysNs,
         getExternalKeys,
@@ -351,6 +409,9 @@ var TenantMigrationUtil = (function() {
         getNumBlockedReads,
         getNumBlockedWrites,
         isNamespaceForTenant,
-        checkTenantDBHashes
+        checkTenantDBHashes,
+        createTenantMigrationDonorRoleIfNotExist,
+        createTenantMigrationRecipientRoleIfNotExist,
+        roleExists
     };
 })();