[SERVER-74448] Investigate if transitionToCatalogShard should be in localhost exception privileges Created: 28/Feb/23 Updated: 17/Mar/23 Resolved: 16/Mar/23 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Jack Mulrow | Assignee: | Wenqin Ye |
| Resolution: | Won't Fix | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Assigned Teams: | Sharding NYC |
| Sprint: | Sharding NYC 2023-04-03 |
| Description |
|
transitionToCatalogShard is essentially a wrapper for addShard that adds the config server as a shard capable of storing user data. We have a list of "minimum privileges required to bootstrap a system and add the first user" that we allow when the localhost exception is active (i.e., there are no users and we're connecting from localhost). Notably, this includes addShard, which raises the question of whether we should allow transitionToCatalogShard as well. If transitionToCatalogShard can run, then the cluster is far enough along that we should be able to add a user, so this seems unnecessary, but by that same logic, so is addShard, so we should investigate further. |
| Comments |
| Comment by Wenqin Ye [ 16/Mar/23 ] |
|
I don't think it is necessary to also allow `transitionToCatalogShard` in the localhost exception. I asked the server security team and the original reason for putting addShard as one of the allowed privileges was because there was a bug where you could not create a user if you didn't have any shards. But apparently that is no longer a problem, so `addShard` doesn't technically even need to be in the allowed commands for the localhost exception anymore. |