
SERVER-12035 Allow clusterMonitor role to get the current profiling l…

…evel
1 parent dfdfcef commit c3aff7ead075d1ed955d072e083b8527b4bc07fe @stbrody stbrody committed Jan 7, 2014
Showing with 60 additions and 7 deletions.
  1. +38 −1 jstests/auth/lib/commands_lib.js
  2. +22 −6 src/mongo/db/dbcommands.cpp
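--- a/jstests/auth/lib/commands_lib.js
+++ b/jstests/auth/lib/commands_lib.js
@@ -1610,7 +1610,7 @@ var authCommandsLib = {
 ]
 },
 {
- testname: "profile",
+ testname: "profile",
 command: {profile: 0},
 skipSharded: true,
 testcases: [
@@ -1631,6 +1631,43 @@ var authCommandsLib = {
 ]
 },
 {
+ testname: "profileGetLevel",
+ command: {profile: -1},
+ skipSharded: true,
+ testcases: [
+ {
+ runOnDb: firstDbName,
+ roles: {
+ dbAdmin: 1,
+ dbAdminAnyDatabase: 1,
+ dbOwner: 1,
+ clusterMonitor: 1,
+ clusterAdmin: 1,
+ root: 1,
+ __system: 1
+ },
+ privileges: [
+ { resource: {db: firstDbName, collection: "system.profile"},
+ actions: ["find"] }
+ ]
+ },
+ {
+ runOnDb: secondDbName,
+ roles: {
+ dbAdminAnyDatabase: 1,
+ clusterMonitor: 1,
+ clusterAdmin: 1,
+ root: 1,
+ __system: 1
+ },
+ privileges: [
+ { resource: {db: secondDbName, collection: "system.profile"},
+ actions: ["find"] }
+ ]
+ }
+ ]
+ },
+ {
 testname: "renameCollection_sameDb",
 command: {renameCollection: firstDbName + ".x",
 to: firstDbName + ".y",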
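Review bot: The new `profileGetLevel` entry covers only the permitted read path, so nothing in this suite pins the branch that stops a `find`-only principal from changing profiler settings. The server-side check in dbcommands.cpp falls back to `enableProfiler` whenever `slowms` is present, and that guard deserves a companion entry such as `command: {profile: -1, slowms: 100}` (value constructed for illustration) that expects the roles and privileges of the existing "profile" test rather than `actions: ["find"]`. The body of that existing entry lies outside this hunk, so its role list should be copied from there and not from `profileGetLevel`. Without such a negative case, a later edit that loosens the `slowms` guard would still pass.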
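--- a/src/mongo/db/dbcommands.cpp
+++ b/src/mongo/db/dbcommands.cpp
@@ -272,12 +272,28 @@ namespace mongo {
 help << "http://dochub.mongodb.org/core/databaseprofiler";
 }
 virtual LockType locktype() const { return WRITE; }
- virtual void addRequiredPrivileges(const std::string& dbname,
- const BSONObj& cmdObj,
- std::vector<Privilege>* out) {
- ActionSet actions;
- actions.addAction(ActionType::enableProfiler);
- out->push_back(Privilege(ResourcePattern::forDatabaseName(dbname), actions));
+ virtual Status checkAuthForCommand(ClientBasic* client,
+ const std::string& dbname,
+ const BSONObj& cmdObj) {
+ AuthorizationSession* authzSession = client->getAuthorizationSession();
+
+ if (cmdObj.firstElement().numberInt() == -1 && !cmdObj.hasField("slowms")) {
+ // If you just want to get the current profiling level you can do so with just
+ // read access to system.profile, even if you can't change the profiling level.
+ if (authzSession->isAuthorizedForActionsOnResource(
+ ResourcePattern::forExactNamespace(NamespaceString(dbname,
+ "system.profile")),
+ ActionType::find)) {
+ return Status::OK();
+ }
+ }
+
+ if (authzSession->isAuthorizedForActionsOnResource(
+ ResourcePattern::forDatabaseName(dbname), ActionType::enableProfiler)) {
+ return Status::OK();
+ }
+
+ return Status(ErrorCodes::Unauthorized, "unauthorized");
 }
 CmdProfile() : Command("profile") {}
 bool run(const string& dbname, BSONObj& cmdObj, int, string& errmsg, BSONObjBuilder& result, bool fromRepl) {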
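Review bot: The read-only shortcut in `checkAuthForCommand` is defined by exclusion (level `-1` and no `slowms` field), so it fails open if `run()` ever acts on another option at level -1: a principal holding only `find` on `system.profile` would then be authorized for that write. `run()`'s body lies outside this hunk, so whether it interprets the level and `slowms` the same way cannot be confirmed from here; ideally both would go through one shared helper. At minimum I would add above the condition `// SECURITY: every option run() treats as a write must be excluded here; keep in sync with run().` The level is also read via `cmdObj.firstElement().numberInt()` with no type check, so it is worth confirming that `run()` applies the same conversion and the two cannot disagree about what counts as a read.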
