[SERVER-61931] Allow ClusterManager role to operate against system.buckets.* collections Created: 06/Dec/21 Updated: 29/Oct/23 Resolved: 14/Dec/21 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | 5.0.4, 5.1.1 |
| Fix Version/s: | 5.3.0, 5.2.0, 5.1.2, 5.0.6 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | James Wahlin | Assignee: | Rushan Chen |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Backport Requested: | v5.2, v5.1, v5.0 |
| Sprint: | QE 2021-12-13, QE 2021-12-27 |
| Participants: |
| Description |
|
The ClusterManager role currently does not allow for operations against time-series buckets collections. I believe we need to add the following privilege to allow:
|
| Comments |
| Comment by Githook User [ 15/Dec/21 ] |
|
Author: {'name': 'Rushan Chen', 'email': 'rushan.chen@mongodb.com', 'username': 'ruchen'}Message: |
| Comment by Githook User [ 15/Dec/21 ] |
|
Author: {'name': 'Rushan Chen', 'email': 'rushan.chen@mongodb.com', 'username': 'ruchen'}Message: |
| Comment by Githook User [ 14/Dec/21 ] |
|
Author: {'name': 'Rushan Chen', 'email': 'rushan.chen@mongodb.com', 'username': 'ruchen'}Message: |
| Comment by Githook User [ 13/Dec/21 ] |
|
Author: {'name': 'Rushan Chen', 'email': 'rushan.chen@mongodb.com', 'username': 'ruchen'}Message: |
| Comment by Rushan Chen [ 07/Dec/21 ] |
|
Some background from a Slack discussion thread on this: An internal user is trying to split a time series bucket collection but is not able to, because the splitChunk privilege granted to the ClusterManager role only applies to "forAnyNormalResource()". https://github.com/mongodb/mongo/blob/master/src/mongo/db/auth/builtin_roles.cpp#L457-L463 So the same set of privileges should also be granted on system bucket collections, and those are covered by forAnySystemBuckets(). https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-splitChunk |