From b29c35ee63c1eb1fead39db7293e751e9ae173d8 Mon Sep 17 00:00:00 2001
From: Sergi Mateo Bellido
Date: Mon, 3 Apr 2023 14:44:19 +0000
Subject: SERVER-74527 Adding security infrastructure for directShardOperations
---
 src/mongo/db/auth/action_type.idl | 1 +
 src/mongo/db/auth/authorization_session_impl.cpp | 4 ++++
 src/mongo/db/auth/builtin_roles.yml | 6 +++++-
 3 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/mongo/db/auth/action_type.idl b/src/mongo/db/auth/action_type.idl
index 6d102ae5d5a..5ae0b8466fa 100644
--- a/src/mongo/db/auth/action_type.idl
+++ b/src/mongo/db/auth/action_type.idl
@@ -121,6 +121,7 @@ enums:
 insert : "insert"
 internal : "internal" # Special action type that represents internal actions
 invalidateUserCache : "invalidateUserCache"
+ issueDirectShardOperations: "issueDirectShardOperations"
 killAnyCursor : "killAnyCursor"
 killAnySession : "killAnySession"
 killCursors : "killCursors" # Deprecated in favor of killAnyCursor
diff --git a/src/mongo/db/auth/authorization_session_impl.cpp b/src/mongo/db/auth/authorization_session_impl.cpp
index 0582c058ac7..30fd4871510 100644
--- a/src/mongo/db/auth/authorization_session_impl.cpp
+++ b/src/mongo/db/auth/authorization_session_impl.cpp
@@ -1108,6 +1108,10 @@ void AuthorizationSessionImpl::verifyContract(const AuthorizationContract* contr
 // Implicitly checked often to keep mayBypassWriteBlockingMode() fast
 tempContract.addPrivilege(kBypassWriteBlockingModeOnClusterPrivilege);
 
+ // Needed for internal sessions started by the server.
+ tempContract.addPrivilege(
+ Privilege(ResourcePattern::forClusterResource(), ActionType::issueDirectShardOperations));
+
 uassert(5452401,
 "Authorization Session contains more authorization checks then permitted by contract.",
 tempContract.contains(_contract));
diff --git a/src/mongo/db/auth/builtin_roles.yml b/src/mongo/db/auth/builtin_roles.yml
index 422ee9b76fe..7b9745e69b8 100644
--- a/src/mongo/db/auth/builtin_roles.yml
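Review bot: The new `issueDirectShardOperations` entry in action_type.idl has no trailing comment, although it names a security-sensitive capability and its neighbours `internal` and `killCursors` are annotated. A short comment such as `# Allows issuing operations directly against a shard` would help anyone auditing the action list; that wording is inferred from the role comment in builtin_roles.yml and should be confirmed. The entry is also written `name: "value"` where the surrounding entries use `name : "value"`; column alignment is not recoverable from this rendering, so this may just be the long name overflowing the column.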
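Review bot: Adding `issueDirectShardOperations` on the cluster resource to `tempContract` exempts that privilege from contract verification for every command, not only for internal sessions: the `uassert(5452401, ...)` that follows can no longer flag a command that checks it without declaring it. The new comment, "Needed for internal sessions started by the server", does not say where the implicit check happens, unlike the comment above it, which names `mayBypassWriteBlockingMode()`. I would extend it to something like `// Checked implicitly by <call site, to confirm>, so no command contract can declare it.` and give the privilege a named constant to match `kBypassWriteBlockingModeOnClusterPrivilege`. verifyContract starts and ends outside this hunk, so any earlier scoping of `tempContract` is not visible here.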
+++ b/src/mongo/db/auth/builtin_roles.yml
@@ -583,6 +583,7 @@ roles:
 - readWriteAnyDatabase
 - backup
 - restore
+ - directShardOperations
 privileges:
 - matchType: any
 actions:
@@ -610,7 +611,10 @@ roles:
 # privileges to write directly to shards.
 directShardOperations:
 adminOnly: true
- privileges: []
+ privileges:
+ - matchType: cluster
+ actions:
+ - issueDirectShardOperations
 
 # Builtin role 'admin.__system' has its privileges special cased in builtin_roles.tpl.cpp
 __system:
-- 
cgit v1.2.1
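Review bot: The `- directShardOperations` entry added to this inherited-role list carries no comment explaining why a role that already inherits `readWriteAnyDatabase`, `backup` and `restore` also needs direct shard access. The role receiving it is not named in the hunk (the header shows only `roles:`), so a reader of the diff cannot tell how widely the grant reaches. Because the role's own comment further down describes it as giving "privileges to write directly to shards", a one-line note beside the entry would make the grant auditable, for example `# keeps direct-to-shard access for this role once such operations are gated`. That wording is inferred from the commit subject and should be confirmed.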
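Review bot: No test accompanies the new `matchType: cluster` privilege on `directShardOperations`: the diffstat lists only the three auth files, so nothing in this commit asserts that the role resolves to `issueDirectShardOperations` on the cluster resource, or that roles without it lack the action. Nothing visible here checks the action at request time either, so enforcement presumably lands in a separate change. Until then holding or lacking the role has no observable effect, which the comment above the role could state, e.g. `# Not yet enforced; see <ticket, to confirm>`.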