[SERVER-74527] Expose a way to know whether the directShardOperations role is being used. Created: 02/Mar/23  Updated: 29/Oct/23  Resolved: 04/Apr/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 7.0.0-rc0

Type: Task
Priority: Major - P3
Reporter: Adam Rayner
Assignee: Sergi Mateo Bellido
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Assigned Teams:
Server Security
Backwards Compatibility: Fully Compatible
Sprint: Sharding EMEA 2023-03-20, Sharding EMEA 2023-04-03, Sharding EMEA 2023-04-17
Participants:

 Description   

In SERVER-65088 we created a new role called 'directShardOperations' that didn't have any privilege associated with it; it was just a placeholder for the upcoming work.

In 7.0, this role should be associated with a new privilege that allows users to perform direct operations against shards (i.e. without going through the mongos).

Sharding EMEA will need a way to query whether that privilege is enabled given an operation context (through the AuthorizationSession, using the client associated with the opCtx?).

Some customers might want to opt in to this role. We don't expect it to happen very often, but it might happen. The most common use case would be to manually delete orphan documents: instead of relying on the native way of removing orphan documents after a migration (i.e. range deletions), we had some customers in the past that manually removed them. Since those documents are just an artifact of the chunk migration, they couldn't remove them by connecting through the mongos: they would have removed the legit documents on the recipient shard instead of the orphan documents on the donor shard. So they ended up doing this cleanup by connecting directly to the shards.
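An operator-side audit of who has opted in to the role, as an added example that is not part of the ticket or of the MongoDB code base: it scans a `usersInfo` reply and reports whether each user holds 'directShardOperations' directly or through another role. The sample reply, the user names and the `shardMaintenance` custom role are constructed for illustration, and the role is assumed to live in the `admin` database.

```javascript
// Added example: find users that hold the directShardOperations role.
// Input is the reply of a usersInfo command issued for named users with
// showPrivileges: true, which adds the inheritedRoles array to each user.
const TARGET_ROLE = { role: "directShardOperations", db: "admin" }; // db is an assumption

const sameRole = (a, b) => a.role === b.role && a.db === b.db;

// Returns [{ user, db, grant }], grant being "direct" or "inherited".
function findDirectShardOperators(usersInfoReply) {
  const findings = [];
  for (const u of usersInfoReply.users || []) {
    const direct = (u.roles || []).some((r) => sameRole(r, TARGET_ROLE));
    // Without showPrivileges the field is absent, so only direct grants
    // can be detected; treat a missing array as empty.
    const inherited = (u.inheritedRoles || []).some((r) => sameRole(r, TARGET_ROLE));
    if (direct || inherited) {
      findings.push({ user: u.user, db: u.db, grant: direct ? "direct" : "inherited" });
    }
  }
  return findings;
}

// Constructed sample reply (not real output).
const sampleReply = {
  users: [
    { user: "appReader", db: "admin",
      roles: [{ role: "readAnyDatabase", db: "admin" }],
      inheritedRoles: [{ role: "readAnyDatabase", db: "admin" }] },
    { user: "opsCleanup", db: "admin",
      roles: [{ role: "directShardOperations", db: "admin" }],
      inheritedRoles: [{ role: "directShardOperations", db: "admin" }] },
    { user: "migrationTool", db: "admin",
      roles: [{ role: "shardMaintenance", db: "admin" }], // hypothetical custom role
      inheritedRoles: [
        { role: "shardMaintenance", db: "admin" },
        { role: "directShardOperations", db: "admin" },
      ] },
  ],
  ok: 1,
};

for (const f of findDirectShardOperators(sampleReply)) {
  console.log(`${f.user}@${f.db}: directShardOperations (${f.grant})`);
}
```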



 Comments   
Comment by Githook User [ 03/Apr/23 ]

Author:

{'name': 'Sergi Mateo Bellido', 'email': 'sergi.mateo-bellido@mongodb.com', 'username': 'smateo'}

Message: SERVER-74527 Adding security infrastructure for directShardOperations
Branch: master
https://github.com/mongodb/mongo/commit/b29c35ee63c1eb1fead39db7293e751e9ae173d8
