PSMDB-1922 Require authorization for auditGetOptions command

igorsol · igorsol · commit 4531cab7a16a · 2026-01-30T10:21:30.000Z
diff --git a/jstests/audit/audit_getoptions_command.js b/jstests/audit/audit_getoptions_command.js
@@ -0,0 +1,33 @@
+// test that auditGetOptions command works as expected
+
+if (TestData.testData !== undefined) {
+    load(TestData.testData + '/audit/_audit_helpers.js');
+} else {
+    load('jstests/audit/_audit_helpers.js');
+}
+
+const testDBName = "audit_getoptions_command";
+
+auditTest('auditGetOptions', function(m) {
+    let adminDB = m.getDB('admin');
+    let testDB = m.getDB(testDBName);
+    createAdminUserForAudit(m);
+    createNoPermissionUserForAudit(m, adminDB);
+
+    // Admin user logs in
+    adminDB.auth('admin', 'admin');
+    // Should fail if not executed on 'admin' database
+    assert.commandFailedWithCode(testDB.runCommand({'auditGetOptions': 1}),
+                                 ErrorCodes.Unauthorized);
+    assert.commandWorked(adminDB.runCommand({'auditGetOptions': 1}));
+    adminDB.logout();
+
+    // User (tom) with no permissions logs in.
+    assert(adminDB.auth('tom', 'tom'));
+    // Should fail if current user has no 'getParameter' privilege
+    assert.commandFailedWithCode(testDB.runCommand({'auditGetOptions': 1}),
+                                 ErrorCodes.Unauthorized);
+    assert.commandFailedWithCode(adminDB.runCommand({'auditGetOptions': 1}),
+                                 ErrorCodes.Unauthorized);
+    adminDB.logout();
+}, {auth: ""});
diff --git a/src/mongo/db/audit/audit_commands.cpp b/src/mongo/db/audit/audit_commands.cpp
@@ -133,9 +133,19 @@ class AuditGetOptionsCommand : public AuditCommand {
                "Example: { auditGetOptions: 1 }";
     }
 
-    Status checkAuthForOperation(OperationContext*,
-                                 const DatabaseName&,
+    bool adminOnly() const override {
+        return true;
+    }
+
+    Status checkAuthForOperation(OperationContext* opCtx,
+                                 const DatabaseName& dbName,
                                  const BSONObj&) const override {
+        auto* as = AuthorizationSession::get(opCtx->getClient());
+        if (!as->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+                                                  ActionType::getParameter)) {
+            return {ErrorCodes::Unauthorized, "unauthorized"};
+        }
+
         return Status::OK();
     }
 
