From f99421466679478b8aba02344fa2c9b126946350 Mon Sep 17 00:00:00 2001
From: Spencer Jackson
Date: Mon, 14 Dec 2015 12:22:16 -0500
Subject: SERVER-21724 Let backup role read system.profile

(cherry picked from commit 21bcf6b127c1bb24e74845327e8d20df26e560bc)
---
 jstests/auth/lib/commands_lib.js | 2 ++
 jstests/tool/dumpauth.js | 26 ++++++++++++++++++++++----
 src/mongo/db/auth/role_graph_builtin_roles.cpp | 4 ++++
 3 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/jstests/auth/lib/commands_lib.js b/jstests/auth/lib/commands_lib.js
index 8f427c680c5..9dbfe56bd6a 100644
--- a/jstests/auth/lib/commands_lib.js
+++ b/jstests/auth/lib/commands_lib.js
@@ -2031,6 +2031,7 @@ var authCommandsLib = {
 {
 runOnDb: firstDbName,
 roles: {
+ backup: 1,
 dbAdmin: 1,
 dbAdminAnyDatabase: 1,
 dbOwner: 1,
@@ -2047,6 +2048,7 @@ var authCommandsLib = {
 {
 runOnDb: secondDbName,
 roles: {
+ backup: 1,
 dbAdminAnyDatabase: 1,
 clusterMonitor: 1,
 clusterAdmin: 1,
diff --git a/jstests/tool/dumpauth.js b/jstests/tool/dumpauth.js
index 17cf5c19de7..ba8ee9a5f81 100644
--- a/jstests/tool/dumpauth.js
+++ b/jstests/tool/dumpauth.js
@@ -4,6 +4,8 @@ var m = MongoRunner.runMongod({auth: "", bind_ip: "127.0.0.1"});
 var dbName = "admin"
 var colName = "testcol"
+var profileName = "system.profile"
+var dumpDir = MongoRunner.dataPath + "jstests_tool_dumprestore_dump_system_profile/";
 db = m.getDB(dbName);
 db.createUser({user: "testuser" , pwd: "testuser", roles: jsTest.adminUserRoles});
@@ -11,16 +13,32 @@ assert( db.auth( "testuser" , "testuser" ) , "auth failed" );
 t = db[colName];
 t.drop();
+profile = db[profileName];
+profile.drop();
+// Activate profiling, to ensure that system.profile can be dumped with the backup role
+db.setProfilingLevel(2);
+
+// Populate the database
 for(var i = 0; i < 100; i++) {
 t.save({ "x": i });
 }
+assert.gt(profile.count(), 0, "admin.system.profile should have documents");
+assert.eq(t.count(), 100, "testcol should have documents");
+
+// Create a user with backup permissions
+db.createUser({user: "backup" , pwd: "password", roles: ["backup"]});
+// Backup the database with the backup user
 x = runMongoProgram( "mongodump",
 "--db", dbName,
+ "--out", dumpDir,
 "--authenticationDatabase=admin",
- "-u", "testuser",
- "-p", "testuser",
- "-h", "127.0.0.1:"+m.port,
- "--collection", colName);
+ "-u", "backup",
+ "-p", "password",
+ "-h", "127.0.0.1:"+m.port);
 assert.eq(x, 0, "mongodump should succeed with authentication");
+
+// Assert that a BSON document for admin.system.profile has been produced
+x = runMongoProgram( "bsondump", dumpDir + "/" + dbName + "/" + profileName + ".bson" );
+assert.eq(x, 0, "bsondump should succeed parsing the profile data");
diff --git a/src/mongo/db/auth/role_graph_builtin_roles.cpp b/src/mongo/db/auth/role_graph_builtin_roles.cpp
index 94e3b157346..7d1c6178ecc 100644
--- a/src/mongo/db/auth/role_graph_builtin_roles.cpp
+++ b/src/mongo/db/auth/role_graph_builtin_roles.cpp
@@ -440,6 +440,10 @@ void addBackupPrivileges(PrivilegeVector* privileges) {
 privileges,
 Privilege(ResourcePattern::forCollectionName("system.users"), ActionType::find));
+ Privilege::addPrivilegeToPrivilegeVector(
+ privileges,
+ Privilege(ResourcePattern::forCollectionName("system.profile"), ActionType::find));
+
 Privilege::addPrivilegeToPrivilegeVector(
 privileges,
 Privilege(
-- 
cgit v1.2.1
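Review bot: The closing `bsondump` assertion is satisfiable by a stale file, because nothing clears `dumpDir` before `mongodump` runs and the assertion only checks that the tool exited 0 on `admin/system.profile.bson`; a dump left by an earlier run of this test would pass it even if the backup user were now denied `system.profile`. Adding `resetDbpath(dumpDir);` immediately before the `x = runMongoProgram( "mongodump",` call removes that possibility. The assertion also only proves parseability — `bsondump` presumably succeeds on an empty BSON file too — so the `assert.gt(profile.count(), 0, ...)` taken on the live collection is what actually supports the "profile data was dumped" claim; a comment above the `bsondump` call saying so, or a check that the dumped file is non-empty, would make the test's guarantee explicit. The rest of the script (stopping the mongod, restoring the profiling level) lies outside the hunk.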
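Review bot: The new `system.profile` grant carries no comment stating its scope, and `ResourcePattern::forCollectionName("system.profile")` — like the `system.users` entry directly above it — matches that collection in every database, while profiler entries record the commands other users ran, including their literal values. A one-line comment on the added `Privilege::addPrivilegeToPrivilegeVector(` call would document that deliberately: `// Backup needs to read profiling data in any database so mongodump can include system.profile (SERVER-21724); profile entries may contain the literal values of other users' operations.` The grant itself is consistent with the adjacent `system.users` entry and with the role's purpose. `addBackupPrivileges` starts and continues outside the hunk.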