[DOCS-4176] moveChunk privilege applies to db/collection resource, not cluster
Created: 14/Oct/14  Updated: 16/Mar/15  Resolved: 15/Oct/14

Status: Closed
Project: Documentation
Component/s: manual
Affects Version/s: None
Fix Version/s: v1.3.12

Type: Bug
Priority: Major - P3
Reporter: Andrew Ryder (Inactive)
Assignee: Michael Paik
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Days since reply: 9 years, 18 weeks ago

 Description   

This page: http://docs.mongodb.org/manual/reference/privilege-actions/#authr.moveChunk
The moveChunk privilege should be applied to the db and collection resources, not the cluster resource.



 Comments   
Comment by Githook User [ 15/Oct/14 ]

Author: Michael Paik (mpaik) <michael.paik@10gen.com>

Message: DOCS-4176 - fix moveChunk description

Signed-off-by: Sam Kleinman <samk@10gen.com>
Branch: master
https://github.com/mongodb/docs/commit/43b9e4756d80bab021f4b037c920fe76d0d85658

Comment by Spencer Brody (Inactive) [ 15/Oct/14 ]

That is correct. I do not believe the spreadsheet is being updated anymore, though perhaps someone else has been doing it.

Comment by Andreas Nilsson [ 15/Oct/14 ]

The spreadsheet is not authoritative (the code is), but they should be in sync. michael.paik, I added you as an editor. I made this particular change but feel free to edit any other issues identified.

Comment by Michael Paik [ 15/Oct/14 ]

So just to be clear, moveChunk privilege is not applied to the cluster resource, but to the collection or database resource, depending on whether the movePrimary or moveChunk operation is being called. If so, I'll make the relevant changes, but someone will need to update that Google spreadsheet (assuming it's even maintained).

Comment by Spencer Brody (Inactive) [ 15/Oct/14 ]

This was by design. We can discuss whether we still agree with that design and if we want to change it, but the idea was that the moveChunk action is responsible for all ways one can move data within the cluster.

Comment by Andreas Nilsson [ 15/Oct/14 ]

So here is how it works today:

The movePrimary command requires moveChunk on the database
The moveChunk command requires moveChunk on the collection (or database)

The clusterManager role gives moveChunk on the database and hence includes both commands above by default.

I can't really tell if this is expected/desired, I will ask spencer to weigh in on that.
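
The rules in the comment above can be turned into a least-privilege check over role documents. The following is an added example, not part of the ticket or of MongoDB's code. The role names and role documents are constructed samples, and the resource matching is an assumption that models only `{ db, collection }` and `{ cluster: true }` resource documents, with an empty string acting as a wildcard.

```javascript
// Added example: audits role documents for the moveChunk action, following the
// rules quoted in the thread. Role documents below are constructed samples.

// Does a privilege's resource cover the database `db` as a whole?
function coversDatabase(resource, db) {
  if (resource.cluster) return false; // the cluster resource is not a database
  return resource.collection === "" && (resource.db === "" || resource.db === db);
}

// Does a privilege's resource cover the namespace `db.coll`?
// Assumption: "" matches any database / any collection.
function coversCollection(resource, db, coll) {
  if (resource.cluster) return false;
  const dbOk = resource.db === "" || resource.db === db;
  const collOk = resource.collection === "" || resource.collection === coll;
  return dbOk && collOk;
}

// Reports which of the two commands a role authorizes for db / db.coll, and
// flags a moveChunk grant that sits only on the cluster resource, where (per
// the thread) it authorizes neither command.
function auditRole(role, db, coll) {
  const grants = role.privileges.filter(p => p.actions.includes("moveChunk"));
  return {
    role: role.role,
    movePrimary: grants.some(p => coversDatabase(p.resource, db)),
    moveChunk: grants.some(p => coversCollection(p.resource, db, coll)),
    clusterOnlyGrant: grants.length > 0 && grants.every(p => p.resource.cluster === true),
  };
}

// Constructed sample roles (hypothetical names).
const sampleRoles = [
  { role: "chunkMoverOrders", privileges: [
    { resource: { db: "shop", collection: "orders" }, actions: ["moveChunk"] } ] },
  { role: "shopRebalancer", privileges: [
    { resource: { db: "shop", collection: "" }, actions: ["moveChunk", "find"] } ] },
  { role: "misplacedGrant", privileges: [
    { resource: { cluster: true }, actions: ["moveChunk"] } ] },
];

const report = sampleRoles.map(r => auditRole(r, "shop", "orders"));
console.log(JSON.stringify(report, null, 2));
```

A role scoped to one collection allows the moveChunk command there but not movePrimary, while a database-level grant allows both, which is the coupling the thread discusses.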

Comment by Andrew Ryder (Inactive) [ 15/Oct/14 ]

Linda has noted that movePrimary has no corresponding action; the command is ganged to the moveChunk action. Thus, items 2 & 3 above are incorrect but should instead be read as a single item, thusly:

clusterManager does not need to cover movePrimary (because it isn't an action), but the definition of the moveChunk action should specify that it applies to both moveChunk and movePrimary commands.

Comment by Andrew Ryder (Inactive) [ 15/Oct/14 ]

OK, testing here confirms that the resource required is db and collection for both movePrimary and moveChunk. So the documentation seems at least to be incorrect on moveChunk and omits movePrimary entirely. The Google doc appears to be the source of the mistake.

I think there are three documentation actions needed:

  1. Modify the moveChunk reference to indicate it requires resource db / collection (not cluster).
  2. Add to the clusterManager built-in role that it grants movePrimary access as well.
  3. Add a privilege action that indicates movePrimary and moveChunk are the same privilege. Granting one grants both.

spencer (most recent editor) and/or andreas.nilsson@10gen.com (document owner) please check my outrageous claims above.
