[DOCS-16322] Investigate changes in SERVER-77551: Ensure only users with allowed permissions may invoke query settings commands Created: 17/Aug/23  Updated: 22/Jan/24

Status: Backlog
Project: Documentation
Component/s: manual, Server
Affects Version/s: None
Fix Version/s: 8.0 Targeted

Type: Task Priority: Minor - P4
Reporter: Backlog - Core Eng Program Management Team Assignee: Alison Huh
Resolution: Unresolved Votes: 0
Labels: backlog, feature, query
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
documents SERVER-77551 Ensure only users with allowed permis... Closed
Participants:
Days since reply: 12 weeks, 6 days ago

 Description   
Original Downstream Change Summary

We have introduced a new action and built-in role called "querySettings".

Description of Linked Ticket

We need to ensure that only users with the allowed permissions are able to invoke the query settings commands and agg stage.

One way of doing it is through modification of the idl definition.

 

What we need to is:

  • introduce a new action_type query_settings in action_type.idl file
  • modify the query settings commands idl file to include the permission check as described in the code snippet

# in query_settings_cmds.idl
 
- "mongo/db/auth/access_checks.idl"
- "mongo/db/auth/action_type.idl"
...
    access_check:
      simple:
        privilege:
          resource_pattern: cluster
          action_type: query_settings 

 

  • perform the authorisation check as described in the following code snippet

 

auto authzSession = AuthorizationSession::get(Client::getCurrent()); 
authzSession->verifyContract(&SetQuerySettingsCommandRequest::kAuthorizationContract); 

 

  • for agg stage the privilege has to be defined in aggregate_command.idl as follows

 

...
- privilege: # $querySettings
  resource_pattern: cluster
  action_type: query_settings

 

  • adjust the privilege vector definition for the $querySettings agg stage
  • extend the existing permission tests to ensure that authorization is performed accordingly in commands_lib.js


 Comments   
Comment by Alison Huh [ 09/Nov/23 ]

Per discussion with denis.grebennicov@mongodb.com, this has been pushed back to 8.0. Moving back to backlog.

Generated at Thu Feb 08 08:15:07 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.