[SERVER-72667] Add authorization checks for cluster checkMetadataConsistency command
Created: 10/Jan/23  Updated: 29/Oct/23  Resolved: 03/Mar/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 7.0.0-rc0

Type: Task
Priority: Major - P3
Reporter: Pol Pinol
Assignee: Pol Pinol
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Documented
is documented by DOCS-15928 Investigate changes in SERVER-72667: ... Closed
Gantt Dependency
has to be done before SERVER-74470 Add authorization checks of the check... Closed
Related
is related to SERVER-74474 Investigate useHostName parameter of ... Closed
Assigned Teams:
Sharding EMEA
Backwards Compatibility: Fully Compatible
Sprint: Sharding EMEA 2023-03-06
Participants:

 Description   

Investigate and add the authorization checks for the new checkMetadataConsistency command.

https://github.com/10gen/mongo/blob/c892ad5a89e92acfe9847cdd31469fba93e21363/src/mongo/s/commands/cluster_check_metadata_consistency_cmd.cpp#L107-L109

 

The goal of this ticket is to add a new specific action type "checkMetadataConsistency" and include it in the following built-in roles:

  • clusterManager (by definition, clusterAdmin has all the privileges that clusterManager has)

Additionally, we should add tests to ensure that users without this privilege are not authorized to run the new command.

 

To sum up, since the command can be run at 3 levels, we will have 3 different levels of privileges:

Cluster level mode:

  • Cmd: db.getSiblingDB('admin').runCommand({'checkMetadataConsistency': 1})
  • Privileges: ResourcePattern::forClusterResource() and ActionType::checkMetadataConsistency

Database level mode:

  • Cmd: db.runCommand({'checkMetadataConsistency': 1})
  • Privileges: (ResourcePattern::forClusterResource() or ResourcePattern::forDatabaseName(db)) and ActionType::checkMetadataConsistency

Collection level mode:

  • Cmd: db.runCommand({'checkMetadataConsistency': 'myColl'})
  • Privileges: (ResourcePattern::forClusterResource() or ResourcePattern::forExactNamespace(nss)) and ActionType::checkMetadataConsistency
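
The three-level privilege table above, modelled as a decision function over role privilege documents. This is an added example, not code from the MongoDB server or from this ticket: the function names and sample users are hypothetical, and it checks only the resource patterns the ticket lists rather than reproducing the server's full resource matching.

```javascript
// Added example: models the privilege table in this ticket; not MongoDB server code.
const ACTION = "checkMetadataConsistency";

// Decide which of the three modes an invocation uses.
// Assumption: "cluster" mode means {checkMetadataConsistency: 1} on the admin database.
function modeOf(dbName, cmd) {
  const arg = cmd[ACTION];
  if (typeof arg === "string" && arg.length > 0) return "collection";
  if (arg === 1) return dbName === "admin" ? "cluster" : "database";
  throw new Error("unsupported " + ACTION + " argument");
}

// Resources, in role privilege-document syntax, that satisfy each mode.
function acceptedResources(dbName, cmd) {
  const mode = modeOf(dbName, cmd);
  const accepted = [{ cluster: true }]; // forClusterResource()
  // forDatabaseName(db)
  if (mode === "database") accepted.push({ db: dbName, collection: "" });
  // forExactNamespace(nss)
  if (mode === "collection") accepted.push({ db: dbName, collection: cmd[ACTION] });
  return accepted;
}

function sameResource(a, b) {
  if (a.cluster === true || b.cluster === true) return a.cluster === b.cluster;
  return a.db === b.db && a.collection === b.collection;
}

// True when some privilege grants the action on an accepted resource.
function isAuthorized(privileges, dbName, cmd) {
  const accepted = acceptedResources(dbName, cmd);
  return privileges.some((p) =>
    p.actions.includes(ACTION) && accepted.some((r) => sameResource(p.resource, r)));
}

// Constructed sample users (hypothetical names), one per privilege level.
const USERS = {
  clusterLevel: [{ resource: { cluster: true }, actions: [ACTION] }],
  dbLevel: [{ resource: { db: "test", collection: "" }, actions: [ACTION] }],
  collLevel: [{ resource: { db: "test", collection: "myColl" }, actions: [ACTION] }],
  noAction: [{ resource: { cluster: true }, actions: ["listShards"] }],
};
```

The `noAction` user holds a cluster-resource privilege without the new action type, which is the negative case the ticket asks the tests to cover.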


 Comments   
Comment by Githook User [ 02/Mar/23 ]

Author:

{'name': 'Pol Pinol Castuera', 'email': 'pol.pinol@mongodb.com', 'username': 'PolPinol'}

Message: SERVER-72667 Add authorization checks for cluster checkMetadataConsistency command
Branch: master
https://github.com/mongodb/mongo/commit/28724c5066e1086d0b07090698a846d1ba2be360
