From d157291e03f8bcbaef497a78da93af1daae89fc4 Mon Sep 17 00:00:00 2001
From: Erwin Pe
Date: Tue, 5 Oct 2021 17:27:33 +0000
Subject: SERVER-59294 Check action type for oidReset

(cherry picked from commit 9961fac1b2090484ec3ceaedc921ce2794e2fc79)
---
 jstests/auth/lib/commands_lib.js | 20 ++++++++++++++++++--
 src/mongo/db/auth/action_types.txt | 1 +
 src/mongo/db/auth/role_graph_builtin_roles.cpp | 1 +
 src/mongo/db/commands/generic_servers.cpp | 8 +++++++-
 4 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/jstests/auth/lib/commands_lib.js b/jstests/auth/lib/commands_lib.js
index 8f872c547aa..196e291830d 100644
--- a/jstests/auth/lib/commands_lib.js
+++ b/jstests/auth/lib/commands_lib.js
@@ -3378,8 +3378,24 @@ var authCommandsLib = {
 testname: "features",
 command: {features: 1},
 testcases: [
- {runOnDb: firstDbName, roles: roles_all, privilegesRequired: []},
- {runOnDb: secondDbName, roles: roles_all, privilegesRequired: []}
+ {runOnDb: firstDbName, roles: roles_all, privileges: []},
+ {runOnDb: secondDbName, roles: roles_all, privileges: []}
+ ]
+ },
+ {
+ testname: "features_oidReset",
+ command: {features: 1, oidReset: true},
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: roles_hostManager,
+ privileges: [{resource: {cluster: true}, actions: ["oidReset"]}],
+ },
+ {
+ runOnDb: secondDbName,
+ roles: roles_hostManager,
+ privileges: [{resource: {cluster: true}, actions: ["oidReset"]}],
+ }
 ]
 },
 {
diff --git a/src/mongo/db/auth/action_types.txt b/src/mongo/db/auth/action_types.txt
index 4ecac2e6dbe..69c877357fb 100644
--- a/src/mongo/db/auth/action_types.txt
+++ b/src/mongo/db/auth/action_types.txt
@@ -84,6 +84,7 @@
 "logRotate",
 "moveChunk",
 "netstat",
+"oidReset", # machine ID reset via the features command
 "planCacheIndexFilter", # view/update index filters
 "planCacheRead", # view contents of plan cache
 "planCacheWrite", # clear cache, drop cache entry, pin/unpin/shun plans
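Review bot: The new `features_oidReset` entry in jstests/auth/lib/commands_lib.js only exercises `oidReset: true`, while the server-side check added in generic_servers.cpp keys on `cmdObj["oidReset"].trueValue()`, which presumably also accepts non-boolean truthy values. A second entry with `command: {features: 1, oidReset: 1}` and the same `privileges` list would pin that the privilege is demanded for every value the server treats as true, and one with `oidReset: false` and `privileges: []` would pin that the plain `features` path stays open. The switch from `privilegesRequired` to `privileges` on the two existing `features` cases suggests the old key was not being read by the harness; if so, that is worth a sentence in the commit message so the reason for the rename is recorded.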
diff --git a/src/mongo/db/auth/role_graph_builtin_roles.cpp b/src/mongo/db/auth/role_graph_builtin_roles.cpp
index 1469c0eb162..7ee2c70c7dc 100644
--- a/src/mongo/db/auth/role_graph_builtin_roles.cpp
+++ b/src/mongo/db/auth/role_graph_builtin_roles.cpp
@@ -210,6 +210,7 @@ MONGO_INITIALIZER(AuthorizationBuiltinRoles)(InitializerContext* context) {
 << ActionType::cpuProfiler
 << ActionType::dropConnections
 << ActionType::logRotate
+ << ActionType::oidReset
 << ActionType::setParameter
 << ActionType::shutdown
 << ActionType::touch
diff --git a/src/mongo/db/commands/generic_servers.cpp b/src/mongo/db/commands/generic_servers.cpp
index c39c95b4cfd..3311b19ada4 100644
--- a/src/mongo/db/commands/generic_servers.cpp
+++ b/src/mongo/db/commands/generic_servers.cpp
@@ -70,7 +70,13 @@ public:
 }
 virtual void addRequiredPrivileges(const std::string& dbname,
 const BSONObj& cmdObj,
- std::vector* out) const {} // No auth required
+ std::vector* out) const {
+ if (cmdObj["oidReset"].trueValue()) {
+ ActionSet actions;
+ actions.addAction(ActionType::oidReset);
+ out->push_back(Privilege(ResourcePattern::forClusterResource(), actions));
+ }
+ }
 virtual bool run(OperationContext* opCtx,
 const string& ns,
 const BSONObj& cmdObj,
-- 
cgit v1.2.1
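Review bot: The privilege decision in `addRequiredPrivileges` (generic_servers.cpp) depends on `cmdObj["oidReset"].trueValue()`, but the code that performs the machine-ID reset lives in `run`, whose body is outside this hunk. If `run` evaluates the field any differently, the two can disagree and the reset could execute without the `oidReset` action being demanded. Confirm both sites use the identical predicate, or hoist it into one small private helper that both call. The removed `// No auth required` comment should also be replaced rather than dropped, for example `// Plain {features: 1} needs no privileges; oidReset: true requires the oidReset action on the cluster resource.` The enclosing command class begins and ends outside the hunk.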