[SERVER-9517] New schema for users and roles data
Created: 30/Apr/13
Updated: 02/Aug/18
Resolved: 11/Oct/13

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 2.5.3

Type: Task
Priority: Major - P3
Reporter: Andy Schwerin
Assignee: Spencer Brody (Inactive)
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by SERVER-10493 Update tools to support backing up an... Closed
Backwards Compatibility: Major Change
Participants:

 Description   

In support of user-defined roles and collection-level access control (SERVER-1105), a new schema is needed for describing user and role data. In the new schema, all role and user data for a node or cluster is stored in that node or cluster's "admin" database in new collections, admin.system.roledata and admin.system.userdata.



 Comments   
Comment by auto [ 11/Oct/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-9517 Fix unit test now that hasRole and canDelegate are optional
Branch: master
https://github.com/mongodb/mongo/commit/3b2050ef315f39314909509dcfa9676a971ff988

Comment by auto [ 11/Oct/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-9517 Fix backwards condition in user document parser
Branch: master
https://github.com/mongodb/mongo/commit/100fc6d278597a4e119ac70b07b0f7c38cd2c4ab

Comment by Andy Schwerin [ 11/Oct/13 ]

Just needs to be documented as part of user-defined roles project.

Comment by auto [ 11/Oct/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-9517 SERVER-6246 Make 'hasRole' and 'canDelegate' fields in roles array optional
Branch: master
https://github.com/mongodb/mongo/commit/0397775a52a814135225e6e8407455ba86dc117d

Comment by auto [ 10/Oct/13 ]

Author: Spencer T Brody (stbrody) <spencer@mongodb.com>

Message: SERVER-9517 Fix tool test to work since "name" field got changed to "user"
Branch: master
https://github.com/mongodb/mongo/commit/cda26fb2e200406154b943a9baebb2de47afe64b

Comment by auto [ 10/Oct/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-9515 SERVER-6246 SERVER-9517 Instead of "name", in user objects use "user" and in role objects use "role"
Branch: master
https://github.com/mongodb/mongo/commit/8093bb525d453cf880a3525c78f87178b493128c

Comment by auto [ 06/Oct/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-9517 Rename "source" field for users and roles to "db"
Branch: master
https://github.com/mongodb/mongo/commit/3e5905a8d427539d62d56e4bb72ae55638544a99

Comment by auto [ 23/Sep/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-9517 Implement generic insert, update, and remove methods in AuthzManagerExternalState
Branch: master
https://github.com/mongodb/mongo/commit/9eb13c83ea429762c6a3d3c011fee23c81a720e2

Comment by auto [ 16/Sep/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-9517 Implement generic query method on AuthorizationManagerExternalState
Branch: master
https://github.com/mongodb/mongo/commit/187fd3c34db7c1de32b057598aeb8a4a64ab014a

Comment by auto [ 06/Sep/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-9517 Make unit tests pass with new user format
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/d6d0a838269df03ffb67234e4d46912616b50161

Comment by auto [ 06/Sep/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-9517 Make default authorization version 2
Branch: master
https://github.com/mongodb/mongo/commit/1b8b6b67ce650b4a8ce5c8df53fe20bcf50ed16a

Comment by auto [ 06/Sep/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-9517 Update tests to pass with new user schema
Branch: master
https://github.com/mongodb/mongo/commit/ec23a4a3587f83c603b36b7761881c9edb8c503b

Comment by auto [ 06/Sep/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-9517 SERVER-6246 Update shell helpers for user management
Branch: master
https://github.com/mongodb/mongo/commit/1a2d5ede29501a063f66da108fbb3d9a57eb1289

Comment by auto [ 06/Sep/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-10493 SERVER-9517 Quick fix to get mongorestore working with new user data format.

This is not a complete fix; more work is needed to make mongodump and mongorestore fully support the
new user schema. This change is just the minimal work to get the tests to pass.
Branch: master
https://github.com/mongodb/mongo/commit/00c0f07bb5f875b24a3db21dc91541dad5dfdcc9

Comment by auto [ 06/Sep/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-9517 Temporarily update automatic index building code to build the right index for v2 style user documents
Branch: master
https://github.com/mongodb/mongo/commit/05c25731039dfe83994fe19bf65704c41c9f2a23

Comment by auto [ 06/Sep/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-9517 When checking if a privilege document is valid make sure to check the v2 schema
Branch: master
https://github.com/mongodb/mongo/commit/74d584f48055ad76408e8c9406a92e9b22869a83

Comment by auto [ 06/Sep/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-9517 SERVER-8213 Temporarily disable copydb tests that use auth until the copyDB command works with new roles
Branch: master
https://github.com/mongodb/mongo/commit/b9a1874e3e839aa130fe73d112470debb33e59b8

Comment by auto [ 06/Sep/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-9517 SERVER-10668 Temporarily disable jstests/sharding/authCommands.js until it can be updated to work with new system roles
Branch: master
https://github.com/mongodb/mongo/commit/70cd77270cf85a2b43cd3fed6d8172fd59872f93

Comment by auto [ 27/Aug/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-9517 Allow AuthorizationManager to find and parse v2 priv docs
Branch: master
https://github.com/mongodb/mongo/commit/e5228931a9bb25a607cf19ec4881bf0d2e132a42

Comment by auto [ 26/Aug/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-9517 Remove no longer used dbname parameter from getPrivilegeDocument
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/0746b0cef55d55564554b2a7638f586b1322a16a

Comment by auto [ 26/Aug/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-9517 Remove no longer used dbname parameter from getPrivilegeDocument
Branch: master
https://github.com/mongodb/mongo/commit/642e50abf557b339531bea4b767e1d3a81b4d669

Comment by auto [ 26/Aug/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-9517 Update v2 privilege doc parsing to put canDelegate and hasRole field into 'roles' array elements
Branch: master
https://github.com/mongodb/mongo/commit/8564ca3e2bdaffd5a698fc23ed315706391dbe9b

Comment by auto [ 26/Aug/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-9517 Move user privilege initialization back to the AuthorizationManager, out of the PrivilegeDocumentParser
Branch: master
https://github.com/mongodb/mongo/commit/9a0d053d7f6047a515a9c1a022550d687fe45165

Comment by auto [ 26/Aug/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-9517 Remove dbname argument from AuthzManager::hasPrivilegeDocument
Branch: master
https://github.com/mongodb/mongo/commit/4693cd6124b50bc73208c7dc81b498ff435c14b6

Comment by auto [ 20/Aug/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-9517 Add role extraction to v2 privilege document parser
Branch: master
https://github.com/mongodb/mongo/commit/5e5bf40a5a3ce6b6ffd643faa50da34ef7d79311

Comment by auto [ 20/Aug/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-9517 Add credential extraction to v2 privilege document parser
Branch: master
https://github.com/mongodb/mongo/commit/1508f53a898fa4d70b543bf4fd55817b4a3f1252

Comment by auto [ 20/Aug/13 ]

Author: Spencer T Brody (stbrody) <spencer@10gen.com>

Message: SERVER-9517 Add parser for V2 privilege documents. Currently can only check if a document is valid.
Branch: master
https://github.com/mongodb/mongo/commit/a61d12943d0873c7b2c3f5f452501c1b759b3fa2
