[SERVER-79071] Add new privilege action type for non-tokenized $queryStats invocation

Created: 18/Jul/23
Updated: 29/Oct/23
Resolved: 28/Jul/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 7.1.0-rc0

Type: Task Priority: Major - P3
Reporter: Charlie Swanson Assignee: Naama Bareket
Resolution: Fixed Votes: 0
Labels: customer-security-and-privacy-considerations
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by SERVER-85105 Tracking: PM-2885 Milestone 0 Closed
Related
Assigned Teams:
Query Optimization
Backwards Compatibility: Fully Compatible
Participants:

 Description   

We want non-tokenized invocations to demand an explicit privilege action, and so we also need to change the $queryStats stage to say that invocations without 'transformIdentifiers' are not allowed with only the queryStatsRead privilege.

At the time of this filing it's still being discussed whether this should be part of the clusterManager role by default, like the existing action.



 Comments   
Comment by Githook User [ 28/Jul/23 ]

Author: Naama Bareket (naama-bareket) <naama.bareket@mongodb.com>

Message: SERVER-79071: Add new privilege action type for non-tokenized $queryStats invocation
Branch: master
https://github.com/mongodb/mongo/commit/ab4af11b412c8aed458530b2a5455977fe1bce15

Generated at Thu Feb 08 06:40:00 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.