- Type: Investigation
- Resolution: Done
- Priority: Major - P3
- Affects Version/s: None
- Component/s: None
- Labels: None
Four new resource patterns that mirror the existing combinations for dbs and collections. Users can specify these in createRole/updateRole/etc.
1. resource:
   meaning: Any collection with a prefix of system.buckets. in any db
2. resource:
   meaning: A collection named system.buckets.example in any db
3. resource:
   meaning: Any collection with a prefix of system.buckets. in the test db
4. resource:
   meaning: A collection named system.buckets.example in the test db
Privileges were also added to the existing roles in support of mongomirror, mongodump and mongorestore in Atlas.
Modified builtin roles:
1. readAnyDatabase: the user can read any system_buckets collection in any database
   Privileges: changeStream, collStats, dbHash, dbStats, find, killCursors, listCollections, listIndexes, planCacheRead
2. readWriteAnyDatabase: the user can read or write any system_buckets collection in any database
   Privileges: changeStream, collStats, convertToCapped, createCollection, createIndex, dbHash, dbStats, dropCollection, dropIndex, emptycapped, find, insert, killCursors, listCollections, listIndexes, planCacheRead, remove, renameCollectionSameDB, update
3. dbAdminAnyDatabase: the user can administer any system_buckets collection in any database
   Privileges: bypassDocumentValidation, collMod, collStats, compact, convertToCapped, createCollection, dbStats, dropCollection, dropDatabase, dropIndex, createIndex, enableProfiler, listCollections, listIndexes, planCacheIndexFilter, planCacheRead, planCacheWrite, reIndex, renameCollectionSameDB, storageDetails, validate
4. restore: the user can restore any system_buckets collection in any database
   Privileges: bypassDocumentValidation, collMod, convertToCapped, createCollection, createIndex, dropCollection, insert
5. backup: the user can back up any system_buckets collection in any database
   Privileges: find
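The following is an added model of how the four system_buckets resource patterns and the builtin-role changes above behave; it is illustrative code written for this page, not MongoDB server code. It assumes the resource-document form `{ db: "...", system_buckets: "..." }` (the shape MongoDB 5.0 documents for this feature) with `""` as the wildcard, exactly as the existing `{ db, collection }` patterns use it. The role name `exampleBucketReader` and the namespaces used in the checks are constructed for the example.

```javascript
// Model of privilege resource matching for timeseries bucket collections.
// Added illustration, not server code; the { db, system_buckets } document
// shape is assumed from the MongoDB 5.0 role documentation.

const BUCKET_PREFIX = "system.buckets.";

// Does one privilege resource pattern cover the namespace <db>.<coll>?
function resourceMatches(resource, db, coll) {
  if (resource.cluster === true) return false;     // cluster-scoped, no namespace
  if (resource.anyResource === true) return true;

  if ("system_buckets" in resource) {
    // The new patterns: only ever match a bucket collection, never the view.
    if (!coll.startsWith(BUCKET_PREFIX)) return false;
    const bucket = coll.slice(BUCKET_PREFIX.length);
    const dbOk = resource.db === "" || resource.db === db;
    const bucketOk = resource.system_buckets === "" || resource.system_buckets === bucket;
    return dbOk && bucketOk;
  }

  if ("collection" in resource) {
    // The existing patterns: a wildcard collection covers only non-system
    // collections, which is why readWrite alone cannot reach the buckets.
    const dbOk = resource.db === "" || resource.db === db;
    if (resource.collection === "") return dbOk && !coll.startsWith("system.");
    return dbOk && resource.collection === coll;
  }
  return false;
}

// Privileges the ticket adds to three builtin roles, scoped to every bucket
// collection in every database. Action lists are the ones given in the ticket.
const ANY_BUCKET = { db: "", system_buckets: "" };
const BUILTIN_BUCKET_PRIVILEGES = {
  readAnyDatabase: {
    resource: ANY_BUCKET,
    actions: ["changeStream", "collStats", "dbHash", "dbStats", "find",
              "killCursors", "listCollections", "listIndexes", "planCacheRead"],
  },
  restore: {
    resource: ANY_BUCKET,
    actions: ["bypassDocumentValidation", "collMod", "convertToCapped",
              "createCollection", "createIndex", "dropCollection", "insert"],
  },
  backup: { resource: ANY_BUCKET, actions: ["find"] },
};

// Authorization decision: some held privilege must grant the action on a
// resource pattern that matches the target namespace.
function isAuthorized(privileges, action, db, coll) {
  return privileges.some(
    (p) => p.actions.includes(action) && resourceMatches(p.resource, db, coll)
  );
}

// A custom role document in the form a user would pass to db.createRole():
// read-only access to the bucket collection behind the "example" timeseries
// collection in the "test" database, and nothing else. (Constructed example.)
const customRole = {
  role: "exampleBucketReader",           // hypothetical role name
  privileges: [
    { resource: { db: "test", system_buckets: "example" }, actions: ["find"] },
  ],
  roles: [],
};

module.exports = { resourceMatches, isAuthorized, BUILTIN_BUCKET_PRIVILEGES, customRole };
```

The check that matters for least privilege is the negative one: the `backup` role gains `find` on the buckets but no write action, and a `system_buckets` pattern never matches the user-facing view, so granting bucket access does not silently widen access to ordinary collections.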
Description of Linked Ticket
Summary
Extend the MongoDB authorization model to support backup and restore of timeseries collections with officially supported tools.
Motivation
Timeseries collections are represented by a view on a bucket collection. Users interact with the view and observe what appears to be normally structured data; documents inserted through the view are physically stored in the bucket collection. Because bucket collections have a name prefixed by "system.buckets.", they are not a "normal resource" in the authorization system, and users with the readWrite role are not able to manipulate them directly. While it is possible to create a custom role which grants explicit access to a particular bucket collection, it is not possible to grant a user access to all buckets, because privileges cannot be defined for all collections whose names begin with a prefix.
We will need to add server support to allow users to access these collections with the MongoDB Tools. mongodump and mongorestore will need to be able to directly access bucket collections with the `backup` and `restore` roles. mongomirror will need to be able to replicate operations performed in buckets on on-prem clusters to clusters in Atlas.