[SERVER-44320] Allow zoned sharding commands to be authorized via actiontypes
Created: 30/Oct/19  Updated: 29/Oct/23  Resolved: 13/Nov/19

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 3.6.16, 4.2.2, 4.0.14, 4.3.2

Type: Bug
Priority: Major - P3
Reporter: Spencer Jackson
Assignee: Sara Golemon
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Documented
is documented by DOCS-13220 Investigate changes in SERVER-44320: ... Closed
Backwards Compatibility: Minor Change
Operating System: ALL
Backport Requested: v4.2, v4.0, v3.6
Sprint: Security 2019-11-18
Participants:

 Description   

The following zoned sharding commands are currently authorized by validating whether the authenticated client is authorized to manipulate internal sharding catalog collections:

addShardToZone
updateZoneKeyRange
removeShardFromZone

They would be much more convenient to use if they were able to be used with specific actiontypes, like how shardCollection works.



 Comments   
Comment by Andrew Davidson [ 27/Nov/19 ]

ysokolov@informatica.com This capability is anticipated to arrive in MongoDB Atlas when 4.2.2, 4.0.14 and 3.6.16 are deployed in Atlas, respectively; ETA within the next two months.

Comment by Yuri Sokolovski [ 27/Nov/19 ]

@Andrew Davidson - is there a plan to implement it in Atlas and in what timeframe? Thanks!

Comment by Sara Golemon [ 13/Nov/19 ]

Added `enableSharding` as acceptable permission for the requested commands and backported to 3.6.

Followup ticket filed as SERVER-44616 for breaking out permissions into more granular options (if we decide to).

Comment by Githook User [ 13/Nov/19 ]

Author:

{'username': 'sgolemon', 'email': 'sara.golemon@mongodb.com', 'name': 'Sara Golemon'}

Message: SERVER-44320 Allow users with enableSharding cluster AT to manipulate sharding zones

(cherry picked from commit b08f7a6989c3e6b3af944201f618c8c928cc4077)
Branch: v3.6
https://github.com/mongodb/mongo/commit/77ee1adf0405b5b3e95030dd8f57a4562121ace7

Comment by Githook User [ 13/Nov/19 ]

Author:

{'username': 'sgolemon', 'email': 'sara.golemon@mongodb.com', 'name': 'Sara Golemon'}

Message: SERVER-44320 Allow users with enableSharding cluster AT to manipulate sharding zones

(cherry picked from commit b08f7a6989c3e6b3af944201f618c8c928cc4077)
Branch: v4.0
https://github.com/mongodb/mongo/commit/3ffd21eb0555cf729daf6f5ee9281137058ac9b8

Comment by Githook User [ 13/Nov/19 ]

Author:

{'name': 'Sara Golemon', 'username': 'sgolemon', 'email': 'sara.golemon@mongodb.com'}

Message: SERVER-44320 Allow users with enableSharding cluster AT to manipulate sharding zones

(cherry picked from commit b08f7a6989c3e6b3af944201f618c8c928cc4077)
Branch: v4.2
https://github.com/mongodb/mongo/commit/8ff625e98afd2753dba39670e2031af491720ead

Comment by Githook User [ 13/Nov/19 ]

Author:

{'name': 'Sara Golemon', 'username': 'sgolemon', 'email': 'sara.golemon@mongodb.com'}

Message: SERVER-44320 Allow users with enableSharding cluster AT to manipulate sharding zones
Branch: master
https://github.com/mongodb/mongo/commit/b08f7a6989c3e6b3af944201f618c8c928cc4077

Comment by Andrew Davidson [ 01/Nov/19 ]

We support this change on the Atlas side.

This is not a pattern we expect many users to want to use for greenfield projects built in the Atlas paradigm.

However for customers bringing a self-managed pattern with them who do not want to refactor to a multi cluster model, this remains one of the gaps that block migrations.

Generated at Thu Feb 08 05:05:40 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.