[SERVER-75656] Remove configureQueryAnalyzer action from permitted actions in Serverless
Created: 04/Apr/23  Updated: 29/Oct/23  Resolved: 04/Aug/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 7.1.0-rc0

Type: Task
Priority: Major - P3
Reporter: Israel Hsu
Assignee: Sara Golemon
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Assigned Teams: Server Security
Backwards Compatibility: Minor Change
Sprint: Security 2023-08-07
Participants:

 Description   

The action type configureQueryAnalyzer was added to the dbAdmin role according to the design for shard key metrics. However, the configureQueryAnalyzer command should not be permitted to be run by users authenticated by Server Token (i.e. in multi-tenant situations).

The action type was added to serverlessActionType lists in SERVER-69653 in order to pass tests in the native_tenant_data_isolation_with_security_token_jscore_passthrough test suite, but should ultimately be removed and excluded from permissions for multi-tenant users.

 



 Comments   
Comment by Githook User [ 07/Aug/23 ]

Author: Sara Golemon <sara.golemon@mongodb.com> (sgolemon)

Message: SERVER-75656 Include configureQueryAnalyzer in non-tenant builtin roles only
Branch: minh.luu-no_compile_sys-perf
https://github.com/mongodb/mongo/commit/1c3fb19ac8e5690e81617e815f122d8a868804a3

Comment by Githook User [ 04/Aug/23 ]

Author: Sara Golemon <sara.golemon@mongodb.com> (sgolemon)

Message: SERVER-75656 Include configureQueryAnalyzer in non-tenant builtin roles only
Branch: master
https://github.com/mongodb/mongo/commit/1c3fb19ac8e5690e81617e815f122d8a868804a3

Generated at Thu Feb 08 06:30:44 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.