[SERVER-74527] Expose a way to know whether the directShardOperations role is being used. Created: 02/Mar/23 Updated: 29/Oct/23 Resolved: 04/Apr/23 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 7.0.0-rc0 |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Adam Rayner | Assignee: | Sergi Mateo Bellido |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Assigned Teams: |
Server Security
|
| Backwards Compatibility: | Fully Compatible |
| Sprint: | Sharding EMEA 2023-03-20, Sharding EMEA 2023-04-03, Sharding EMEA 2023-04-17 |
| Participants: |
| Description |
|
In In 7.0, this role should be associated with a new privilege that allows users to perform direct operations against shards (i.e. without going through the mongos). Sharding EMEA will need a way to query whether that privilege is enabled given an operation context (through the AuthorizationSession , using the client associated with the opCtx ?). Some customers might want to opt in to this role, we don't expect it to happen very often but it might happen: the most common use case would be to manually delete orphan documents: instead of relying on the native way of removing orphan documents after a migration (i.e. range deletions) we had some customers in the past that manually removed them. Since those documents are just an artifact of the chunk migration, they couldn't remove them connecting through the mongos: they would have removed the legit documents on the recipient shard instead of the orphan documents on the donor shard. So they ended up doing this cleanup connecting directly to the shards. |
| Comments |
| Comment by Githook User [ 03/Apr/23 ] |
|
Author: {'name': 'Sergi Mateo Bellido', 'email': 'sergi.mateo-bellido@mongodb.com', 'username': 'smateo'}Message: |