Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Unresolved
Priority: Major - P3
Fix Version/s: None
Affects Version/s: None
Component/s: None
Labels:
None

Assigned Teams:

Catalog and Routing
Operating System:
ALL
Sprint:
CAR Team 2026-03-30
CAR Domain/s:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

Summary

The enableSharding built-in role does not grant the enableSharding privilege on the cluster resource { cluster: true }. As a result, users assigned the enableSharding role cannot run updateZoneKeyRange, even though that command is documented as requiring only the enableSharding privilege action.

Steps to Reproduce

1. Create a database user with only the MongoDB built-in enableSharding role on the admin database.
1. Connect to a mongos instance as that user.
1. Run:

sh.updateZoneKeyRange("db.collection", { key: MinKey }, { key: MaxKey }, "myZone")

1. Observe: MongoServerError: not authorized on admin to execute command

Expected Behavior

A user with the enableSharding built-in role should be able to run updateZoneKeyRange. The documentation for updateZoneKeyRange states the command requires the enableSharding privilege on the cluster resource.

Actual Behavior

Running rolesInfo with showPrivileges: true on the enableSharding built-in role reveals it only grants enableSharding on the namespace resource { db: '', collection: '' }, not on the cluster resource:

db.adminCommand({ rolesInfo: { role: "enableSharding", db: "admin" }, showPrivileges: true, showBuiltinRoles: true })
// privileges: [
//   {
//     resource: { db: '', collection: '' },
//     actions: [ 'analyzeShardKey', 'enableSharding', 'moveCollection',
//                'refineCollectionShardKey', 'reshardCollection', 'unshardCollection' ]
//   }
// ]
// Note: NO { resource: { cluster: true } } entry

Comparison to backup Built-In Role

The backup built-in role correctly defines privileges on both the namespace and cluster resources:

db.adminCommand({ rolesInfo: { role: "backup", db: "admin" }, showPrivileges: true, showBuiltinRoles: true })
// privileges: [
//   { resource: { db: '', collection: '' }, actions: [ 'find' ] },
//   {
//     resource: { cluster: true },
//     actions: [ 'appendOplogNote', 'getParameter', 'listDatabases', ... ]
//   },
//   ...
// ]

The enableSharding role should follow the same pattern and include an entry for {{{ resource:

{ cluster: true }

, actions: [ 'enableSharding' ] }}} to be consistent with what updateZoneKeyRange requires.

Workaround

Users can create a custom role that explicitly grants enableSharding on the cluster resource:

db.adminCommand({
  createRole: "zoneKeyRangeManager",
  privileges: [{ resource: { cluster: true }, actions: ["enableSharding"] }],
  roles: []
})

Assigning this custom role in addition to the built-in enableSharding role allows updateZoneKeyRange to succeed.

Assignee:: Allison Easton
Reporter:: Sarah Zhou
Participants:: Allison Easton, Sarah Zhou
Votes:: 0 Vote for this issue
Watchers:: 5 Start watching this issue

Created:: Mar 25 2026 07:53:50 PM UTC
Updated:: Mar 27 2026 08:01:07 PM UTC

Details

Description

Summary

Steps to Reproduce

Expected Behavior

Actual Behavior

Comparison to backup Built-In Role

Workaround

Attachments

Activity

People

Dates