[SERVER-77551] Ensure only users with allowed permissions may invoke query settings commands
Created: 30/May/23  Updated: 29/Oct/23  Resolved: 17/Aug/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 7.1.0-rc0

Type: Task
Priority: Major - P3
Reporter: Denis Grebennicov
Assignee: Victor Ghita (Inactive)
Resolution: Fixed
Votes: 0
Labels: M1
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on SERVER-77464 Implement setQuerySettings command (i... Closed
depends on SERVER-77789 Implement $querySettings agg stage (n... Closed
depends on SERVER-77467 Implement removeQuerySettings command Closed
is depended on by COMPASS-7122 Investigate changes in SERVER-77551: ... Closed
Documented
is documented by DOCS-16322 Investigate changes in SERVER-77551: ... Backlog
Backwards Compatibility: Fully Compatible
Sprint: QE 2023-07-24, QE 2023-08-07, QE 2023-08-21
Participants:

 Description   

We need to ensure that only users with the allowed permissions are able to invoke the query settings commands and agg stage.

One way of doing it is through modification of the idl definition.

 

What we need to do is:

  • introduce a new action_type query_settings in action_type.idl file
  • perform the authorisation check for commands
  • for agg stage the privilege has to be defined in aggregate_command.idl as follows

...
- privilege: # $querySettings
  resource_pattern: cluster
  action_type: query_settings

 

  • adjust the privilege vector definition for the $querySettings agg stage
  • extend the existing permission tests to ensure that authorization is performed accordingly in commands_lib.js
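
The permission contract listed above, as an added example that is not part of the ticket or of MongoDB's code: a simplified model in which all three query settings entry points require the `query_settings` action on the `cluster` resource, checked against allowed and denied users. The user names, the `database` resource, the `find` action and the helper functions are assumptions made for illustration.

```javascript
// Simplified model of the authorization contract in this ticket (not MongoDB code).
// Privilege each entry point requires, mirroring the IDL snippet in the description.
const NEED = { resource_pattern: "cluster", action_type: "query_settings" };
const REQUIRED = {
  setQuerySettings: [NEED],
  removeQuerySettings: [NEED],
  $querySettings: [NEED], // aggregation stage
};

// Constructed sample users and the privileges their roles grant (hypothetical).
const USERS = {
  tuner: [{ resource_pattern: "cluster", action_type: "query_settings" }],
  reader: [{ resource_pattern: "database", action_type: "find" }],
  // Right action on the wrong resource must not satisfy a cluster privilege.
  scoped: [{ resource_pattern: "database", action_type: "query_settings" }],
  nobody: [],
};

const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// A granted privilege matches only if both resource and action are equal.
function holds(granted, need) {
  return granted.some(
    (g) => g.resource_pattern === need.resource_pattern &&
           g.action_type === need.action_type
  );
}

// Deny by default: unknown entry points and unknown users are rejected.
function isAuthorized(user, entryPoint) {
  if (!own(REQUIRED, entryPoint) || !own(USERS, user)) return false;
  return REQUIRED[entryPoint].every((need) => holds(USERS[user], need));
}

// Permission matrix: every entry point is checked against every user,
// so the denied cases are exercised as well as the allowed one.
function permissionMatrix() {
  const matrix = {};
  for (const entryPoint of Object.keys(REQUIRED)) {
    matrix[entryPoint] = Object.keys(USERS).filter((u) => isAuthorized(u, entryPoint));
  }
  return matrix;
}
```

The `scoped` user is the case a permission test most easily misses: it holds the right action, but not on the cluster resource, and must be denied.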


 Comments   
Comment by Githook User [ 16/Aug/23 ]

Author:

{'name': 'Victor Ghita', 'email': 'victor.ghita@mongodb.com', 'username': ''}

Message: SERVER-77551 Add authorisation checks for query settings commands
Branch: master
https://github.com/mongodb/mongo/commit/97a32438997327386c91c82baa43290ca9769571

Generated at Thu Feb 08 06:35:55 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.