[DOCS-14282] Investigate changes in SERVER-36263: Bypassing operation validation in applyOps should require special privilege Created: 10/Mar/21  Updated: 13/Nov/23  Resolved: 04/Aug/21

Status: Closed
Project: Documentation
Component/s: manual, Server
Affects Version/s: None
Fix Version/s: 4.9.0, 4.2.16, 4.0.27, 4.4.9, Server_Docs_20231030, Server_Docs_20231106, Server_Docs_20231105, Server_Docs_20231113

Type: Task Priority: Major - P3
Reporter: Backlog - Core Eng Program Management Team Assignee: Ian Fogelman
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
documents SERVER-36263 Bypassing operation validation in app... Closed
Participants:
Days since reply: 2 years, 27 weeks, 1 day ago
Epic Link: DOCSP-15042
Story Points: 2

 Description   

Description

Downstream Change Summary

We are adding a new privilege that must be acquired to be able to perform
"applyOps" command.
ActionType-> applyOps
Resource-> cluster

Description of Linked Ticket

As of SERVER-25994, a user can run applyOps if they have the privileges to perform each individual operation specified in the the applyOps command. However, applyOps is more powerful than other commands in that it avoids certain input validation (see SERVER-27096SERVER-32941SERVER-32952, and SERVER-32305). This is done intentionally, since applyOps is supposed to behave similarly to oplog application, where the primary does all validation and the secondary applies the changes exactly as the primary specified without validation. This feature is important to products that mimic oplog application, such as mongomirror and mongorestore. However, users should not be able to bypass validation simply because they have permission to write to a collection. Instead, applyOps should require a special privilege for bypassing validation.

We will create a new privilege bypassing system-level invariants in applyOps. Today, this privilege will be required in order to run applyOps at all, since we have not implemented a version of applyOps that performs validation. The privilege will be included in dbAdminAnyDatabase, which is included in the custom role atlasAdmin and the temporary user that we create for Live Imports (mongomirror).

Scope of changes

Add new privilege to https://docs.mongodb.com/manual/reference/privilege-actions/

See what roles have this privilege and add the privilege to the corresponding roles on https://docs.mongodb.com/manual/reference/built-in-roles/.

Impact to Other Docs

MVP (Work and Date)

Resources (Scope or Design Docs, Invision, etc.)



 Comments   
Comment by Githook User [ 03/Aug/21 ]

Author:

{'name': 'ian fogelman', 'email': 'ian.fogelman@mongodb.com', 'username': 'ianf-mongodb'}

Message: DOCS-14282: Bypassing operation validation in applyOps should require special privilege
Branch: master
https://github.com/mongodb/docs/commit/23d78f2761d25e35d1462b960fe2f55d9871007a

Generated at Thu Feb 08 08:10:00 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.