SERVER-16844 dbAdminAnyDatabase should be able to do anything dbAdmin can

2024-12-01 01:21:03 +01:00 · 2015-03-03 15:19:45 -05:00 · 2015-03-03 15:19:45 -05:00 · 95dc9c1cc5
commit 95dc9c1cc5
parent 3272a36242
2 changed files with 11 additions and 0 deletions
--- a/jstests/auth/profile_access.js
+++ b/jstests/auth/profile_access.js
@ -10,6 +10,8 @@ adminDb.createUser({user:'admin',
 adminDb.auth('admin','password');
 testDb.createUser({user:'readUser',pwd:'password',roles:['read']});
 testDb.createUser({user:'dbAdminUser',pwd:'password',roles:['dbAdmin']});
+testDb.createUser({user:'dbAdminAnyDBUser',pwd:'password',roles:[{role: 'dbAdminAnyDatabase',
+                                                                  db: 'admin'}]});
 testDb.setProfilingLevel(2);
 testDb.foo.findOne();
 adminDb.logout();
@ -21,4 +23,11 @@ testDb.logout();
 testDb.auth('dbAdminUser','password');
 testDb.setProfilingLevel(0);
 testDb.system.profile.drop();
+assert.commandWorked(testDb.createCollection("system.profile", {capped: true, size: 1024}));
+testDb.logout();
+
+// SERVER-16944
+testDb.auth('dbAdminAnyDBUser','password');
+testDb.setProfilingLevel(0);
+testDb.system.profile.drop();
 assert.commandWorked(testDb.createCollection("system.profile", {capped: true, size: 1024}));
--- a/src/mongo/db/auth/role_graph_builtin_roles.cpp
+++ b/src/mongo/db/auth/role_graph_builtin_roles.cpp
@ -410,6 +410,8 @@ namespace {
                Privilege(ResourcePattern::forCollectionName("system.namespaces"),
                          readRoleActions));
        ActionSet profileActions = readRoleActions;
+        profileActions.addAction(ActionType::convertToCapped);
+        profileActions.addAction(ActionType::createCollection);
        profileActions.addAction(ActionType::dropCollection);
        Privilege::addPrivilegeToPrivilegeVector(
                privileges,