Four new resource patterns that mirror the existing combinations for dbs and collections. These can be specified by users in createRole/updateRole/etc.

resource:

meaning: Any collection with a prefix of system.buckets. in any db

resource:

meaning: A collection named system.buckets.example in any db

resource:

meaning: Any collection with a prefix of system.buckets. in test db

resource:

meaning: A collected named system.buckets.example in test db

Privileges were also added to the existing roles in support for mongomirror, mongodump and mongorestore in Atlas.

Modified builtin roles:

1. for readAnyDatabase, user can read any system_buckets collection in any database
Privileges: changeStream, collStats, dbHash, dbStats, find, killCursors, listCollections, listIndexes, planCacheRead

2. for readWriteAnyDatabase, user can read or write any system_buckets collection in any database
Privileges: changeStream, collStats, convertToCapped, createCollection, createIndex, dbHash, dbStats, dropCollection, dropIndex, emptycapped, find, insert, killCursors, listCollections, listIndexes, planCacheRead, remove, renameCollectionSameDB, update

3. for dbAdminAnyDatabase, user can admin any system_buckets collection in any database
Privileges: bypassDocumentValidation, collMod, collStats, compact, convertToCapped, createCollection, dbStats, dropCollection, dropDatabase, dropIndex, createIndex, enableProfiler, listCollections, listIndexes, planCacheIndexFilter, planCacheRead, planCacheWrite, reIndex, renameCollectionSameDB, storageDetails, validate

4. for restore, user can restore any system_buckets collection in any database
Privileges: bypassDocumentValidation, collMod, convertToCapped, createCollection, createIndex, dropCollection, insert

5. for backup, user can backup any system_buckets collection in any database
Privileges: find

Summary

Extend the MongoDB authorization model to support backup and restore of timeseries collections with officially supported tools.

Motivation

Timeseries collections are represented by a view on a bucket collection. Users will interact with the view, and observe what appears to be normally structured data. However, documents inserted into the view are physically stored in the bucket collection. Because bucket collections have a name prefixed by "system.bucket.", they are not a "normal resource" in the authorization system and users with the readWrite role are not able to directly manipulate them. While it is possible to create a custom role which grants explicit access to a particular bucket collection, it is not possible to grant a user access to all buckets because privileges cannot be defined for all collections whose names begin with a prefix.

We will need to add server support to allow users to access these collections with the MongoDB Tools. mongodump and mongorestore will need to be able to directly access bucket collections with the `backup` and `restore` roles. mongomirror will need to be able to replicate operations performed in buckets on on-prem clusters to clusters in Atlas.

Cast of Characters

• Product Owner:
• Project Lead:
• Program Manager:
• Drivers Contact:

Documentation

Scope Document
Technical Design Document
Product Description