[SERVER-44320] Allow zoned sharding commands to be authorized via actiontypes Created: 30/Oct/19 Updated: 29/Oct/23 Resolved: 13/Nov/19 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | 3.6.16, 4.2.2, 4.0.14, 4.3.2 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Spencer Jackson | Assignee: | Sara Golemon |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||||||||||
| Backwards Compatibility: | Minor Change | ||||||||||||||||
| Operating System: | ALL | ||||||||||||||||
| Backport Requested: | v4.2, v4.0, v3.6 | ||||||||||||||||
| Sprint: | Security 2019-11-18 | ||||||||||||||||
| Participants: | |||||||||||||||||
| Description |
|
The following zoned sharding commands are currently authorized by validating whether the authenticated client is authorized to manipulate internal sharding catalog collections:
They would be much more convenient to use if they were able to be used with specific actiontypes, like how shardCollection works. |
| Comments |
| Comment by Andrew Davidson [ 27/Nov/19 ] |
|
ysokolov@informatica.com This capability is anticipated to arrive in MongoDB Atlas when 4.2.2, 4.0.14 and 3.6.16 are deployed in Atlas, respectively; ETA within the next two months. |
| Comment by Yuri Sokolovski [ 27/Nov/19 ] |
|
@Andrew Davidson - is there a plan to implement it in Atlas and in what timeframe? Thanks! |
| Comment by Sara Golemon [ 13/Nov/19 ] |
|
Added `enableSharding` as acceptable permission for the requested commands and backported to 3.6. Followup ticket filed as SERVER-44616 for breaking out permissions into more granular options (if we decide to). |
| Comment by Githook User [ 13/Nov/19 ] |
|
Author: {'username': 'sgolemon', 'email': 'sara.golemon@mongodb.com', 'name': 'Sara Golemon'}Message: (cherry picked from commit b08f7a6989c3e6b3af944201f618c8c928cc4077) |
| Comment by Githook User [ 13/Nov/19 ] |
|
Author: {'username': 'sgolemon', 'email': 'sara.golemon@mongodb.com', 'name': 'Sara Golemon'}Message: (cherry picked from commit b08f7a6989c3e6b3af944201f618c8c928cc4077) |
| Comment by Githook User [ 13/Nov/19 ] |
|
Author: {'name': 'Sara Golemon', 'username': 'sgolemon', 'email': 'sara.golemon@mongodb.com'}Message: (cherry picked from commit b08f7a6989c3e6b3af944201f618c8c928cc4077) |
| Comment by Githook User [ 13/Nov/19 ] |
|
Author: {'name': 'Sara Golemon', 'username': 'sgolemon', 'email': 'sara.golemon@mongodb.com'}Message: |
| Comment by Andrew Davidson [ 01/Nov/19 ] |
|
We support this change on the Atlas side. This is not a pattern we expect many users to want to use for greenfield projects built in the Atlas paradigm. However, for customers bringing a self-managed pattern with them who do not want to refactor to a multi cluster model, this remains one of the gaps that block migrations. |