[SERVER-19940] ensure find/getmore replData term is protected by a privilege check Created: 13/Aug/15  Updated: 21/Jan/20  Resolved: 04/Sep/15

Status: Closed
Project: Core Server
Component/s: Replication
Affects Version/s: None
Fix Version/s: 3.1.8

Type: Improvement Priority: Major - P3
Reporter: Eric Milkie Assignee: Benety Goh
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
is duplicated by SERVER-45264 "term" from find/getMore commands can... Closed
Backwards Compatibility: Fully Compatible
Sprint: RPL 9 (09/18/15)
Participants:

Description

As part of liveness detection, the internal replication use of the find and getMore commands can pass a term number as part of the request metadata. To prevent ordinary (non-internal) users from presenting bogus metadata to the server, we need to check that the user running such a find/getMore possesses the same privilege as is required for the other internal replication commands, namely:

ResourcePattern::forClusterResource(), ActionType::internal
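The check the description asks for, as a constructed illustration added here (this is not MongoDB's code; the request, session and status types below are placeholders that only borrow the two identifiers quoted in the ticket). The point it shows is the ordering: the ordinary read privilege is always required, and the term field, because it is replication-protocol metadata, additionally requires the internal action on the cluster resource whenever it is present. A request without a term is unaffected, so regular clients see no behaviour change.

```cpp
#include <cassert>
#include <cstdio>
#include <optional>
#include <set>
#include <string>
#include <utility>

// Constructed model of the privilege check described in SERVER-19940.
// Placeholder types; they mirror the quoted identifiers only by name.
enum class ActionType { find, internal };
enum class ResourceKind { cluster, collection };
enum class Status { OK, Unauthorized };

// A (resource, action) pair that has been granted to the session.
using Privilege = std::pair<ResourceKind, ActionType>;

struct FindRequest {
    std::string ns;                 // target namespace
    std::optional<long long> term;  // replication metadata; absent for normal clients
};

struct GetMoreRequest {
    long long cursorId;
    std::optional<long long> term;
};

struct AuthSession {
    std::set<Privilege> granted;
    bool isAuthorized(ResourceKind r, ActionType a) const {
        return granted.count({r, a}) > 0;
    }
};

// If a term is supplied, the caller must hold the same privilege the other
// internal replication commands require: internal action on the cluster.
static Status checkTermPrivilege(const AuthSession& s,
                                 const std::optional<long long>& term) {
    if (term.has_value() &&
        !s.isAuthorized(ResourceKind::cluster, ActionType::internal)) {
        return Status::Unauthorized;
    }
    return Status::OK;
}

Status checkAuthForFind(const AuthSession& s, const FindRequest& req) {
    // The ordinary read privilege on the target collection comes first.
    if (!s.isAuthorized(ResourceKind::collection, ActionType::find)) {
        return Status::Unauthorized;
    }
    return checkTermPrivilege(s, req.term);
}

Status checkAuthForGetMore(const AuthSession& s, const GetMoreRequest& req) {
    if (!s.isAuthorized(ResourceKind::collection, ActionType::find)) {
        return Status::Unauthorized;
    }
    return checkTermPrivilege(s, req.term);
}

// Two constructed sessions: an ordinary reader and a replica set node.
AuthSession regularReader() {
    return AuthSession{{{ResourceKind::collection, ActionType::find}}};
}

AuthSession replicationNode() {
    return AuthSession{{{ResourceKind::collection, ActionType::find},
                        {ResourceKind::cluster, ActionType::internal}}};
}

int main() {
    // A regular client may read, but may not smuggle a term into the request.
    bool ok = checkAuthForFind(regularReader(), FindRequest{"db.coll", std::nullopt}) == Status::OK &&
              checkAuthForFind(regularReader(), FindRequest{"db.coll", 7}) == Status::Unauthorized &&
              checkAuthForGetMore(replicationNode(), GetMoreRequest{42, 7}) == Status::OK;
    std::printf("%s\n", ok ? "term privilege check behaves as expected" : "check failed");
    return ok ? 0 : 1;
}
```

The same helper serves both commands so the rule cannot drift between find and getMore; in a real server the "internal" privilege is exactly what distinguishes replica set members from application users, which is why the ticket reuses it rather than inventing a new action.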



Comments
Comment by Githook User [ 04/Sep/15 ]

Author: Benety Goh (benety), benety@mongodb.com

Message: SERVER-19940 extended auth checking for find and getMore commands to allow use of term only from internal clients.

The term field was added to the find/getMore commands to support replication protocol version 1 and is meant to be used by replica set nodes to communicate metadata to their sync sources.
Branch: master
https://github.com/mongodb/mongo/commit/769ef392ffef89e61ed0c001250cc52b04e0c8f4

Generated at Thu Feb 08 03:52:38 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.