[SERVER-61931] Allow ClusterManager role to operate against system.buckets.* collections Created: 06/Dec/21  Updated: 29/Oct/23  Resolved: 14/Dec/21

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 5.0.4, 5.1.1
Fix Version/s: 5.3.0, 5.2.0, 5.1.2, 5.0.6

Type: Bug Priority: Major - P3
Reporter: James Wahlin Assignee: Rushan Chen
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Documented
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v5.2, v5.1, v5.0
Sprint: QE 2021-12-13, QE 2021-12-27
Participants:

Description

The ClusterManager role currently does not allow for operations against time-series bucket collections. I believe we need to add the following privilege to allow them:

Privilege(ResourcePattern::forAnySystemBuckets(), clusterManagerRoleDatabaseActions)

Comments
Comment by Githook User [ 15/Dec/21 ]

Author:

{'name': 'Rushan Chen', 'email': 'rushan.chen@mongodb.com', 'username': 'ruchen'}

Message: SERVER-61931 add additional privileges on system_buckets collection for cluster manager role
Branch: v5.0
https://github.com/mongodb/mongo/commit/c24456d983d06ad8836cebcb91acaae19610a2bc

Comment by Githook User [ 15/Dec/21 ]

Author:

{'name': 'Rushan Chen', 'email': 'rushan.chen@mongodb.com', 'username': 'ruchen'}

Message: SERVER-61931 add additional privileges on system_buckets collection for cluster manager role
Branch: v5.1
https://github.com/mongodb/mongo/commit/e0d5fbeb1075e0ab903a190e514d19239c5e9c0d

Comment by Githook User [ 14/Dec/21 ]

Author:

{'name': 'Rushan Chen', 'email': 'rushan.chen@mongodb.com', 'username': 'ruchen'}

Message: SERVER-61931 add additional privileges on system_buckets collection for cluster manager role
Branch: v5.2
https://github.com/mongodb/mongo/commit/1aab812d10be119f034a2b8aa728a18b7675c9d9

Comment by Githook User [ 13/Dec/21 ]

Author:

{'name': 'Rushan Chen', 'email': 'rushan.chen@mongodb.com', 'username': 'ruchen'}

Message: SERVER-61931 add additional privileges on system_buckets collections for clusterManager role
Branch: master
https://github.com/mongodb/mongo/commit/5c954dcda6d929ba13a44c3fc20c4dd031fba392

Comment by Rushan Chen [ 07/Dec/21 ]

Some background from a slack discussion thread on this:

An internal user is trying to split a time series bucket collection but is not able to because the splitChunk privilege granted to the ClusterManager role only applies to "forAnyNormalResource()". https://github.com/mongodb/mongo/blob/master/src/mongo/db/auth/builtin_roles.cpp#L457-L463

So the same set of privileges should also be granted on system bucket collections. And those are covered by forAnySystemBuckets().

https://docs.mongodb.com/manual/reference/privilege-actions/#mongodb-authaction-splitChunk
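To make the authorization gap concrete, here is an added Python model of the resource-pattern check described above; it is an illustration written for this page, not code from the mongo repository. It assumes a simplified matching rule: a "normal" resource is any collection whose name does not start with "system.", and a system-buckets resource is any collection whose name starts with "system.buckets.". The action set mirrors the ticket's clusterManagerRoleDatabaseActions but only splitChunk is taken from the page; the other members are assumed. The model shows that with only the forAnyNormalResource() privilege a splitChunk on a bucket collection is denied, that adding the forAnySystemBuckets() privilege authorizes it, and that other system collections (for example system.views) remain unaffected by the fix.

```python
"""Toy model of MongoDB resource-pattern matching for the ClusterManager role.

Added illustration for SERVER-61931, not the server's own auth code. The
matching rules below are simplified assumptions about how the real
ResourcePattern types behave.
"""
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Namespace:
    """A fully qualified namespace, e.g. "test.system.buckets.weather"."""
    db: str
    coll: str

    @classmethod
    def parse(cls, ns: str) -> "Namespace":
        # Split on the first dot only: collection names may contain dots.
        db, _, coll = ns.partition(".")
        return cls(db, coll)

    def is_system(self) -> bool:
        return self.coll.startswith("system.")

    def is_system_buckets(self) -> bool:
        # Time-series data lives in <db>.system.buckets.<collection>.
        return self.coll.startswith("system.buckets.")


class ResourcePattern:
    def matches(self, ns: Namespace) -> bool:
        raise NotImplementedError


class AnyNormalResource(ResourcePattern):
    """Models forAnyNormalResource(): every non-system collection in any db (assumed rule)."""
    def matches(self, ns: Namespace) -> bool:
        return not ns.is_system()


class AnySystemBuckets(ResourcePattern):
    """Models forAnySystemBuckets(): every system.buckets.* collection in any db (assumed rule)."""
    def matches(self, ns: Namespace) -> bool:
        return ns.is_system_buckets()


@dataclass(frozen=True)
class Privilege:
    pattern: ResourcePattern
    actions: FrozenSet[str]


def is_authorized(privileges: List[Privilege], ns: Namespace, action: str) -> bool:
    """An action is allowed if any privilege grants it on a pattern matching ns."""
    return any(action in p.actions and p.pattern.matches(ns) for p in privileges)


# splitChunk is the action named in the ticket; the other two are assumed
# members of clusterManagerRoleDatabaseActions for illustration only.
CLUSTER_MANAGER_DB_ACTIONS: FrozenSet[str] = frozenset(
    {"splitChunk", "moveChunk", "enableSharding"}
)

# Role as it was before the fix: only normal resources are covered.
OLD_CLUSTER_MANAGER = [Privilege(AnyNormalResource(), CLUSTER_MANAGER_DB_ACTIONS)]

# Role after the fix: the same actions are additionally granted on system.buckets.*.
FIXED_CLUSTER_MANAGER = OLD_CLUSTER_MANAGER + [
    Privilege(AnySystemBuckets(), CLUSTER_MANAGER_DB_ACTIONS)
]


def can_split(role: List[Privilege], ns: str) -> bool:
    """Return whether a holder of `role` may run splitChunk on namespace `ns`."""
    return is_authorized(role, Namespace.parse(ns), "splitChunk")


if __name__ == "__main__":
    for label, role in (("old", OLD_CLUSTER_MANAGER), ("fixed", FIXED_CLUSTER_MANAGER)):
        for ns in ("test.weather", "test.system.buckets.weather", "test.system.views"):
            print(f"{label:5} splitChunk on {ns}: {can_split(role, ns)}")
```

Running the script prints that the old role allows splitChunk on test.weather but denies it on test.system.buckets.weather, while the fixed role allows both; test.system.views stays denied under both, which is the intended scope of the fix (only bucket collections gain the privilege, not every system collection).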

Generated at Thu Feb 08 05:53:42 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.