[SERVER-31810] applyOps command with UUID containing op must require internal privileges Created: 02/Nov/17  Updated: 30/Oct/23  Resolved: 15/Nov/17

Status: Closed
Project: Core Server
Component/s: Internal Code
Affects Version/s: None
Fix Version/s: 3.6.0-rc5, 3.7.1

Type: Improvement Priority: Major - P3
Reporter: Spencer Jackson Assignee: Spencer Jackson
Resolution: Fixed Votes: 0
Labels: bkp
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Documented
is documented by DOCS-11024 applyOps command with UUID containing... Closed
Gantt Dependency
has to be done before SERVER-31864 applyOps command with UUID containing... Closed
Related
Backwards Compatibility: Fully Compatible
Backport Requested:
v3.6
Sprint: Platforms 2017-11-13, Platforms 2017-12-04
Participants:

 Description   

Tools performing restores will strip UUIDs out of the oplog tokens they are applying to produce a point in time snapshot. Because there is non-user facing behavior around application of oplog tokens containing UUIDs, the server must require users applying them to possess internal privileges.



 Comments   
Comment by Githook User [ 15/Nov/17 ]

Author:

{'name': 'Spencer Jackson', 'username': 'spencerjackson', 'email': 'spencer.jackson@mongodb.com'}

Message: SERVER-31810: Make applyOps require privileges for UUIDs

(cherry picked from commit afc2467c150c75dc201daacb9ac4e1f76e6fea6f)
Branch: v3.6
https://github.com/mongodb/mongo/commit/aa0ff8f79c51d68cda45b83baa970c782ff11a24

Comment by Githook User [ 15/Nov/17 ]

Author:

{'name': 'Spencer Jackson', 'username': 'spencerjackson', 'email': 'spencer.jackson@mongodb.com'}

Message: SERVER-31810: Make applyOps require privileges for UUIDs
Branch: master
https://github.com/mongodb/mongo/commit/afc2467c150c75dc201daacb9ac4e1f76e6fea6f

Comment by Andy Schwerin [ 02/Nov/17 ]

The "restore" role needs to be able to use applyOps to apply oplog entries with uuids.

Comment by William Banfield [ 02/Nov/17 ]

cc: shane.harvey

Recent discussions re: mongomirror make this a bit troubling. Our plan for mongomirror is to use uuid's to create collections and then to pass along all oplog entries unchanged to produce a mirrored version of the replica set. mongomirror will error if it sees a collection rename during the applyops as well.

Requiring privilege here will present a large roadblock to this design.

Generated at Thu Feb 08 04:28:15 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.