[DRIVERS-1996] Grant "backup" and "restore" roles to users created by Mongo Orchestration

Created: 29/Nov/21  Updated: 28/Oct/23  Resolved: 16/Dec/21

Status: Closed
Project: Drivers
Component/s: Mongo Orchestration
Fix Version/s: None

Type: Task
Priority: Unknown
Reporter: Jeremy Mikola
Assignee: Jeremy Mikola
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends: is depended on by PHPC-2008 writeresult-getserver-002 fails to dr... (Closed)
Driver Changes: Not Needed

 Description   

Summary

In mongo_orchestration/common.py, mongo-orchestration currently grants users the following roles on the admin database:

  • userAdminAnyDatabase
  • clusterAdmin
  • dbAdminAnyDatabase
  • readWriteAnyDatabase

This omits the "restore" and "backup" roles, the former of which is required to drop non-system collections in the "local" database. This is responsible for at least one test failure in the PHP driver (PHPC-2008).

Motivation

Who is the affected end user?

Drivers.

How does this affect the end user?

Unexpected test failure, which likely cannot be addressed with changes to an MO configuration file alone.

How likely is it that this problem or use case will occur?

Very likely if a driver test suite is working with the "local" database.

If the problem does occur, what are the consequences and how severe are they?

Failed tests.

Is this issue urgent?

Somewhat.

Is this ticket required by a downstream team?

Needed by PHPC.

Is this ticket only for tests?

Yes.



 Comments   
Comment by Jeremy Mikola [ 16/Dec/21 ]

https://github.com/10gen/mongo-orchestration/commit/4e1ab405fe880ab278617b980476c6e1dacdd5cf

Comment by Jeremy Mikola [ 15/Dec/21 ]

https://github.com/10gen/mongo-orchestration/pull/288

Comment by Shane Harvey [ 29/Nov/21 ]

One reason to avoid giving the MO user the root role is that it could prevent us from catching certain permission regressions in the server. I think it should have the least permissions needed since it's the user we auth with in driver tests.

Comment by Jeremy Mikola [ 29/Nov/21 ]

For context, the current roles granted by MO date back to 10gen/mongo-orchestration@c9e5ec6 and have not been touched in the past seven years.
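
An added example (not part of the ticket or of mongo-orchestration's code) that ties the role list in the Summary to the least-privilege point raised in the comments: it builds a `createUser` command with the requested roles and audits a `usersInfo`-shaped reply for missing or superuser roles. The user name, helper names and sample replies are constructed; treating `root` and `__system` as the superuser roles to flag is an assumption.

```python
# Added example: not code from mongo-orchestration or the drivers' test suites.
# Roles named in the ticket, all granted on the "admin" database.
CURRENT_ROLES = ("userAdminAnyDatabase", "clusterAdmin",
                 "dbAdminAnyDatabase", "readWriteAnyDatabase")
REQUESTED_ROLES = CURRENT_ROLES + ("backup", "restore")
# Assumption: built-in superuser roles the test user should not hold.
SUPERUSER_ROLES = frozenset({"root", "__system"})


def create_user_command(username, password, roles=REQUESTED_ROLES):
    """Build a createUser command document granting `roles` on admin."""
    return {"createUser": username, "pwd": password,
            "roles": [{"role": r, "db": "admin"} for r in roles]}


def audit_user(users_info_reply, username, expected=REQUESTED_ROLES):
    """Diff the admin-db roles in a usersInfo reply against `expected`."""
    for user in users_info_reply.get("users", []):
        if user.get("user") == username and user.get("db") == "admin":
            granted = {r["role"] for r in user.get("roles", [])
                       if r.get("db") == "admin"}
            return {
                "missing": sorted(set(expected) - granted),
                "superuser": sorted(granted & SUPERUSER_ROLES),
                "unexpected": sorted(granted - set(expected) - SUPERUSER_ROLES),
            }
    raise LookupError(f"user {username!r} not found on admin")


def reply_for(username, roles):
    """Constructed usersInfo-shaped reply (sample data, not server output)."""
    return {"users": [{"_id": f"admin.{username}", "user": username,
                       "db": "admin",
                       "roles": [{"role": r, "db": "admin"} for r in roles]}],
            "ok": 1}


if __name__ == "__main__":
    # "mo-test-user" is a hypothetical user name.
    print(audit_user(reply_for("mo-test-user", CURRENT_ROLES), "mo-test-user"))
    print(audit_user(reply_for("mo-test-user", REQUESTED_ROLES), "mo-test-user"))
    print(audit_user(reply_for("mo-test-user", ("root",)), "mo-test-user"))
```

Against a live deployment, the reply passed to `audit_user` would come from running the `usersInfo` command on the admin database.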

Generated at Thu Feb 08 08:24:27 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.