[SERVER-72291] Make RolesInfoCommandArg::parseFromBSON tenant aware

Created: 20/Dec/22 Updated: 29/Oct/23 Resolved: 20/Jan/23

| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 6.3.0-rc0 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Sophia Tan | Assignee: | Hugh Tong (Inactive) |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Assigned Teams: | Serverless |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Sprint: | Server Serverless 2023-01-23 |
| Participants: |
| Description |
|
jstests/core/roles_info.js fails with an injected dollar tenant when sending the following request:

To reproduce it, use the command line "buildscripts/resmoke.py run --suite native_tenant_data_isolation_with_dollar_tenant_jscore_passthrough jstests/core/roles_info.js".

Root cause: The tenant information is dropped when parsing the command parameter with auth::RolesInfoCommandArg::parseFromBSON(commandElement).

To fix it, we should change auth::RolesInfoCommandArg::parseFromBSON(commandElement) to take in tenant information. Perhaps the IDL compiler should also be changed to generate the correct call-site code for this function. |
| Comments |
| Comment by Githook User [ 19/Jan/23 ] |
|
Author: {'name': 'Hugh Tong', 'email': 'hugh.tong@mongodb.com', 'username': 'cortrain'} Message: |
| Comment by Hugh Tong (Inactive) [ 18/Jan/23 ] |
|
I think it's sufficient to state that we will add the tenantId to objects which maintain a tenantId object (in this case, RoleName and UserName objects), while ignoring other types, as this parsing function is used on a number of different fields with different types. The value of the tenantId is irrelevant to those types that do not maintain tenantId objects as those fields generally have nothing to do with namespace scopes. I think the title is fine, and our comments will serve to supplement the description above. |
| Comment by Sophia Tan [ 11/Jan/23 ] |
|
I realized it's not accurate to say this issue is caused by `auth::RolesInfoCommandArg::parseFromBSON(commandElement)`, which parses the command arg without the tenant id. Actually, the command arg can be either a std::string or a RolesInfo object. We should not add the tenant id into the string. So, we can keep `auth::RolesInfoCommandArg::parseFromBSON(commandElement)` as it was and return the parsed command arg without involving the tenant id. But, in further steps, when we create RolesInfo based on dbName and the command arg, the tenant id should be added into the RolesInfo object. hugh.tong@mongodb.com Would you please help to update the description and the title of this ticket once you find the real root cause and figure out the right way to fix it? |
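
The approach discussed in the comments above, as an added C++ sketch that is not MongoDB's code and not part of the ticket: parsing stays tenant-unaware, and the tenant is attached only when a tenant-carrying name object is built from the command's database. The structs, the in-memory role store, and the lookup miss used to stand in for the test failure are all assumptions made for illustration.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Simplified stand-ins (assumptions), not the server's real classes.
struct DatabaseName { std::string tenant, db; };    // empty tenant = none
struct RoleName { std::string role, db, tenant; };  // a type that carries a tenant
// One parsed rolesInfo entry: a bare role-name string, or a {role, db} document.
// Parsing stays tenant-unaware: a plain string has nowhere to hold a tenant id.
struct ParsedRoleArg { bool isDoc; std::string role, db; };

// "Before": the tenant of the command's database is lost when the name is built.
RoleName resolveDroppingTenant(const DatabaseName& cmdDb, const ParsedRoleArg& a) {
    return RoleName{a.role, a.isDoc ? a.db : cmdDb.db, ""};
}

// "After": the tenant is attached at the point where the RoleName is created.
RoleName resolveTenantAware(const DatabaseName& cmdDb, const ParsedRoleArg& a) {
    return RoleName{a.role, a.isDoc ? a.db : cmdDb.db, cmdDb.tenant};
}

// Role store keyed on (tenant, db, role). Returns the index, or -1 if absent.
int findRole(const std::vector<RoleName>& store, const RoleName& want) {
    for (std::size_t i = 0; i < store.size(); ++i) {
        if (store[i].tenant == want.tenant && store[i].db == want.db &&
            store[i].role == want.role)
            return static_cast<int>(i);
    }
    return -1;
}

// Constructed sample data: the same role name defined under two tenants.
std::vector<RoleName> sampleStore() {
    std::vector<RoleName> s;
    s.push_back(RoleName{"reader", "test", "tenantA"});
    s.push_back(RoleName{"reader", "test", "tenantB"});
    return s;
}

int main() {
    const std::vector<RoleName> store = sampleStore();
    const DatabaseName cmdDb{"tenantB", "test"};
    const ParsedRoleArg asString{false, "reader", ""};
    const ParsedRoleArg asDoc{true, "reader", "test"};
    std::cout << findRole(store, resolveDroppingTenant(cmdDb, asString)) << "\n"
              << findRole(store, resolveTenantAware(cmdDb, asString)) << "\n"
              << findRole(store, resolveTenantAware(cmdDb, asDoc)) << "\n";
    return 0;
}
```

In this model the tenant-less name matches neither tenant's role, while both the string form and the document form resolve to the caller's own tenant once the tenant is taken from the command's database.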