Uploaded image for project: 'MongoDB Database Tools'
  1. MongoDB Database Tools
  2. TOOLS-2886

Investigate changes in PM-2297: Using mongodump, mongorestore, and mongomirror tools for Time Series

    XMLWordPrintable

    Details

    • Type: Investigation
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: No versions
    • Component/s: None
    • Labels:
      None

      Description

      Downstream Change Summary

      Four new resource patterns that mirror the existing combinations for dbs and collections. These can be specified by users in createRole/updateRole/etc.

      resource:

      Unknown macro: { system_bucket}


      meaning: Any collection with a prefix of system.buckets. in any db

      resource:

      Unknown macro: { db}


      meaning: A collection named system.buckets.example in any db

      resource:

      Unknown macro: { db}

      meaning: Any collection with a prefix of system.buckets. in test db

      resource:

      Unknown macro: { db}

      meaning: A collected named system.buckets.example in test db

      Privileges were also added to the existing roles in support for mongomirror, mongodump and mongorestore in Atlas.

      Modified builtin roles:

      1. for readAnyDatabase, user can read any system_buckets collection in any database
      Privileges: changeStream, collStats, dbHash, dbStats, find, killCursors, listCollections, listIndexes, planCacheRead

      2. for readWriteAnyDatabase, user can read or write any system_buckets collection in any database
      Privileges: changeStream, collStats, convertToCapped, createCollection, createIndex, dbHash, dbStats, dropCollection, dropIndex, emptycapped, find, insert, killCursors, listCollections, listIndexes, planCacheRead, remove, renameCollectionSameDB, update

      3. for dbAdminAnyDatabase, user can admin any system_buckets collection in any database
      Privileges: bypassDocumentValidation, collMod, collStats, compact, convertToCapped, createCollection, dbStats, dropCollection, dropDatabase, dropIndex, createIndex, enableProfiler, listCollections, listIndexes, planCacheIndexFilter, planCacheRead, planCacheWrite, reIndex, renameCollectionSameDB, storageDetails, validate

      4. for restore, user can restore any system_buckets collection in any database
      Privileges: bypassDocumentValidation, collMod, convertToCapped, createCollection, createIndex, dropCollection, insert

      5. for backup, user can backup any system_buckets collection in any database
      Privileges: find

      Description of Linked Ticket

      Epic Summary

      Summary

      Extend the MongoDB authorization model to support backup and restore of timeseries collections with officially supported tools.

      Motivation

      Timeseries collections are represented by a view on a bucket collection. Users will interact with the view, and observe what appears to be normally structured data. However, documents inserted into the view are physically stored in the bucket collection. Because bucket collections have a name prefixed by "system.bucket.", they are not a "normal resource" in the authorization system and users with the readWrite role are not able to directly manipulate them. While it is possible to create a custom role which grants explicit access to a particular bucket collection, it is not possible to grant a user access to all buckets because privileges cannot be defined for all collections whose names begin with a prefix.

      We will need to add server support to allow users to access these collections with the MongoDB Tools. mongodump and mongorestore will need to be able to directly access bucket collections with the `backup` and `restore` roles. mongomirror will need to be able to replicate operations performed in buckets on on-prem clusters to clusters in Atlas.

      Cast of Characters

      • Product Owner:
      • Project Lead:
      • Program Manager:
      • Drivers Contact:

      Documentation

      Scope Document
      Technical Design Document
      Product Description

        Attachments

          Activity

            People

            Assignee:
            tim.fogarty Tim Fogarty
            Reporter:
            backlog-server-pm Backlog - Core Eng Program Management Team
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: