DOCS-2493 when auth is enabled, eval et als. require anyResource/anyAction access

source/includes/access-eval.rst

@@ -0,0 +1,7 @@
+.. per DOCS-2493 & SERVER-7489
+
+If authentication is enabled, a user must have extraordinary access to run
+|eval-object|. Providing such access is not recommended, but if your
+organization requires a user to run |eval-object|, create a role that
+grants :authaction:`anyAction` on :ref:`resource-anyresource`. Do not
+assign this role to any other user.

source/reference/built-in-roles.txt

@@ -4,8 +4,6 @@
 Built-In Roles
 ==============
 
-.. Engineering wants us to use Built-in Roles instead of System-Defined Roles. -BG 2013-12-19
-
 .. default-domain:: mongodb
 
 MongoDB grants access to data and commands through :ref:`role-based
@@ -487,9 +485,3 @@ Internal Role
    entitles its holder to take any action against any object in the database.
    **Do not** assign this role to user objects representing applications or
    human administrators, other than in exceptional circumstances.
-
-.. todo: does this still apply?
-
-.. :dbcommand:`applyOps`, :dbcommand:`eval`, and :method:`db.eval()` require
-   :authrole:`readWriteAnyDatabase`, :authrole:`userAdminAnyDatabase`,
-   :authrole:`dbAdminAnyDatabase` and :authrole:`clusterAdmin`.

source/reference/command/applyOps.txt

@@ -13,6 +13,9 @@ Definition
    instance. The :dbcommand:`applyOps` command is primarily an internal
    command to support :term:`sharded clusters <sharded cluster>`.
 
+   .. |eval-object| replace:: :dbcommand:`applyOps`
+   .. include:: /includes/access-eval.rst
+
    The :dbcommand:`applyOps` command has the following prototype form:
 
    .. code-block:: javascript
@@ -30,6 +33,6 @@ Definition
 
    .. include:: /includes/warning-blocking-global.rst
 
-.. write-lock
+   .. write-lock
 
-.. see: DOCS-133; SERVER-4259
+   .. see: DOCS-133; SERVER-4259

source/reference/command/eval.txt

@@ -10,7 +10,12 @@ eval
 .. dbcommand:: eval
 
    The :dbcommand:`eval` command evaluates JavaScript functions on the
-   database server and has the following form:
+   database server.
+
+   .. |eval-object| replace:: :dbcommand:`eval`
+   .. include:: /includes/access-eval.rst
+
+   The :dbcommand:`eval` command has the following form:
 
    .. code-block:: none
 
@@ -27,55 +32,58 @@ eval
    .. |javascript-using-operation| replace:: :dbcommand:`eval` uses
    .. include:: /includes/admonition-javascript-prevalence.rst
 
-   The following example uses :dbcommand:`eval` to
-   perform an increment and calculate the average on the server:
+Behavior
+--------
 
-      .. include:: /includes/examples-eval.rst
-         :start-after: eval-command-example
-         :end-before: .. eval-method-example
+The following example uses :dbcommand:`eval` to
+perform an increment and calculate the average on the server:
 
-   The ``db`` in the function refers to the current database.
+   .. include:: /includes/examples-eval.rst
+      :start-after: eval-command-example
+      :end-before: .. eval-method-example
 
-   The :program:`mongo` shell provides a helper method
-   :method:`db.eval()` [#eval-shell-helper]_, so you can express the
-   above as follows:
+The ``db`` in the function refers to the current database.
 
-   .. include:: /includes/examples-eval.rst
-      :start-after: .. eval-method-example
+The :program:`mongo` shell provides a helper method
+:method:`db.eval()` [#eval-shell-helper]_, so you can express the
+above as follows:
 
-   If you want to use the server's interpreter, you must run
-   :dbcommand:`eval`. Otherwise, the :program:`mongo` shell's
-   JavaScript interpreter evaluates functions entered directly into the
-   shell.
+.. include:: /includes/examples-eval.rst
+   :start-after: .. eval-method-example
 
-   If an error occurs, :dbcommand:`eval` throws an exception.
-   The following invalid function uses the variable ``x`` without
-   declaring it as an argument:
+If you want to use the server's interpreter, you must run
+:dbcommand:`eval`. Otherwise, the :program:`mongo` shell's
+JavaScript interpreter evaluates functions entered directly into the
+shell.
 
-   .. code-block:: javascript
+If an error occurs, :dbcommand:`eval` throws an exception.
+The following invalid function uses the variable ``x`` without
+declaring it as an argument:
 
-      db.runCommand(
-                     {
-                       eval: function() { return x + x; },
-                       args: [ 3 ]
-                     }
-                   )
+.. code-block:: javascript
 
-   The statement will result in the following exception:
+   db.runCommand(
+                  {
+                    eval: function() { return x + x; },
+                    args: [ 3 ]
+                  }
+                )
 
-   .. code-block:: javascript
+The statement will result in the following exception:
 
-      {
-         "errmsg" : "exception: JavaScript execution failed: ReferenceError: x is not defined near '{ return x + x; }' ",
-         "code" : 16722,
-         "ok" : 0
-      }
+.. code-block:: javascript
+
+   {
+      "errmsg" : "exception: JavaScript execution failed: ReferenceError: x is not defined near '{ return x + x; }' ",
+      "code" : 16722,
+      "ok" : 0
+   }
 
-   .. |object| replace:: :dbcommand:`eval`
-   .. |nolockobject| replace:: :dbcommand:`eval` command
-   .. include:: /includes/admonitions-eval.rst
+.. |object| replace:: :dbcommand:`eval`
+.. |nolockobject| replace:: :dbcommand:`eval` command
+.. include:: /includes/admonitions-eval.rst
 
-   .. seealso:: :doc:`/core/server-side-javascript`
+.. seealso:: :doc:`/core/server-side-javascript`
 
-   .. [#eval-shell-helper]
-      .. include:: /includes/fact-eval-helper-method.rst
+.. [#eval-shell-helper]
+   .. include:: /includes/fact-eval-helper-method.rst

source/reference/method/db.collection.copyTo.txt

@@ -13,16 +13,22 @@ Definition
    server-side JavaScript. If ``newCollection`` does not exist, MongoDB
    creates it.
 
+   .. |eval-object| replace:: :method:`db.collection.copyTo()`
+   .. include:: /includes/access-eval.rst
+
    .. include:: /reference/method/db.collection.copyTo-param.rst
 
    .. include:: /includes/warning-copyto-loss-of-type-fidelity.rst
 
 :method:`~db.collection.copyTo()` returns the number of documents
 copied. If the copy fails, it throws an exception.
 
-.. important:: Because :method:`~db.collection.copyTo()` uses
-   :dbcommand:`eval` internally, the copy operations will block all
-   other operations on the :program:`mongod` instance.
+Behavior
+--------
+
+Because :method:`~db.collection.copyTo()` uses
+:dbcommand:`eval` internally, the copy operations will block all
+other operations on the :program:`mongod` instance.
 
 Example
 -------

source/reference/method/db.eval.txt

@@ -14,6 +14,9 @@ Definition
 
    Provides the ability to run JavaScript code on the MongoDB server.
 
+   .. |eval-object| replace:: :method:`db.eval()`
+   .. include:: /includes/access-eval.rst
+
    .. |list| replace:: A list
 
    .. include:: /includes/fact-eval-helper-method.rst

source/reference/privilege-actions.txt

@@ -458,13 +458,10 @@ already described in this document:
 
    Provides access to the internal :dbcommand:`_transferMods` command.
 
-Special Actions
+Internal Action
 ---------------
 
-.. authaction:: anyResource
-
-   .. todo: definition needed
-
 .. authaction:: anyAction
 
-   .. todo: definition needed
+   Allows any action on a resource. **Do not** assign this action except
+   for exceptional circumstances.

source/reference/resource-document.txt

@@ -128,3 +128,13 @@ Examples of such actions are ``shutdown``, ``replSetReconfig``, and
 
 .. include:: /includes/resource-document-facts.rst
    :start-after: admin-resources
+
+.. _resource-anyresource:
+
+anyResource
+-----------
+
+The internal resource ``anyResource`` gives access to every resource in
+the system and is intended for internal use. **Do not** use this resource,
+other than in exceptional circumstances. The syntax for this resource is
+``{ anyResource: true }``.