  1. Core Server
  2. SERVER-72667

Add authorization checks for cluster checkMetadataConsistency command


Details

    • Task
    • Resolution: Fixed
    • Major - P3
    • 7.0.0-rc0
    • None
    • None
    • None
    • Sharding EMEA
    • Fully Compatible
    • Sharding EMEA 2023-03-06

    Description

      Investigate and add the authorization checks for the new checkMetadataConsistency command.

      https://github.com/10gen/mongo/blob/c892ad5a89e92acfe9847cdd31469fba93e21363/src/mongo/s/commands/cluster_check_metadata_consistency_cmd.cpp#L107-L109

       

      The goal of this ticket is to add a new specific action type "checkMetadataConsistency" and include it in the following built-in roles:

      • clusterManager (by definition, clusterAdmin has all the privileges that clusterManager has)

      Additionally, we should add tests to ensure that users without this privilege are not authorized to run the new command.

       

      To sum up, as we have 3 level modes to run the command, we will have 3 different levels of privileges:

      Cluster level mode:

      • Cmd: db.getSiblingDB('admin').runCommand({'checkMetadataConsistency': 1})
      • Privileges: ResourcePattern::forClusterResource() and ActionType::checkMetadataConsistency

      Database level mode:

      • Cmd: db.runCommand({'checkMetadataConsistency': 1})
      • Privileges: (ResourcePattern::forClusterResource() or ResourcePattern::forDatabaseName(db)) and ActionType::checkMetadataConsistency

      Collection level mode:

      • Cmd: db.runCommand({'checkMetadataConsistency': 'myColl'})
      • Privileges: (ResourcePattern::forClusterResource() or ResourcePattern::forExactNamespace(nss)) and ActionType::checkMetadataConsistency
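
      The three-level rule above, modelled over privilege documents as an added example (not part of the ticket and not MongoDB server code). The names dbChecker, collChecker and reader and all function names are hypothetical, and only cluster, database and exact-collection resources are modelled.

```javascript
// Added model of the ticket's privilege rule; not MongoDB server code.
const ACTION = "checkMetadataConsistency";

// Resources that may authorize the command, derived from the target database
// and the command value (1 = cluster or database mode, string = collection mode).
function requiredResources(dbName, cmd) {
  const arg = cmd[ACTION];
  const cluster = { cluster: true };
  if (typeof arg === "string" && arg.length > 0) {
    return [cluster, { db: dbName, collection: arg }]; // collection level
  }
  if (arg !== 1) throw new TypeError("unsupported value"); // model's choice
  return dbName === "admin"
    ? [cluster]                                   // cluster level
    : [cluster, { db: dbName, collection: "" }];  // database level
}

// Does a granted resource document cover a required one?
// Assumption: a database-wide grant (collection: "") covers the non-system
// collections of that database, as documented for privilege documents.
function covers(granted, required) {
  if (required.cluster) return granted.cluster === true;
  if (granted.cluster || granted.db !== required.db) return false;
  if (granted.collection === required.collection) return true;
  return granted.collection === "" && !required.collection.startsWith("system.");
}

// privileges: array of { resource, actions }, the shape passed to createRole.
function isAuthorized(privileges, dbName, cmd) {
  return requiredResources(dbName, cmd).some((required) => privileges.some(
    (p) => p.actions.includes(ACTION) && covers(p.resource, required)));
}

// Constructed grants; only the privilege relevant to this command is listed.
const clusterManager = [{ resource: { cluster: true }, actions: [ACTION] }];
const dbChecker = [{ resource: { db: "test", collection: "" }, actions: [ACTION] }];
const collChecker = [{ resource: { db: "test", collection: "myColl" }, actions: [ACTION] }];
const reader = [{ resource: { db: "test", collection: "" }, actions: ["find"] }];

// Decision per user for [cluster, database, collection] mode.
function matrix() {
  const cmds = [["admin", 1], ["test", 1], ["test", "myColl"]];
  const users = { clusterManager, dbChecker, collChecker, reader };
  return Object.fromEntries(Object.entries(users).map(([name, privs]) =>
    [name, cmds.map(([db, v]) => isAuthorized(privs, db, { [ACTION]: v }))]));
}
console.log(matrix());
```

      Each false entry in the matrix corresponds to a negative test of the kind the ticket asks for: a user holding the action only on a narrower resource must be rejected at the wider level.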

          People

            pol.pinol@mongodb.com Pol Pinol