Uploaded image for project: 'Compass '
  1. Compass
  2. COMPASS-7122

Investigate changes in SERVER-77551: Ensure only users with allowed permissions may invoke query settings commands

    • Type: Icon: Investigation Investigation
    • Resolution: Done
    • Priority: Icon: Minor - P4 Minor - P4
    • No version
    • Affects Version/s: None
    • Component/s: None
    • None

      Original Downstream Change Summary

      We have introduced a new action and built-in role called "querySettings".

      Description of Linked Ticket

      We need to ensure that only users with the allowed permissions are able to invoke the query settings commands and agg stage.

      One way of doing it is through modification of the idl definition.

       

      What we need to is:

      • introduce a new action_type query_settings in action_type.idl file
      • modify the query settings commands idl file to include the permission check as described in the code snippet
      # in query_settings_cmds.idl
      
      - "mongo/db/auth/access_checks.idl"
      - "mongo/db/auth/action_type.idl"
      ...
          access_check:
            simple:
              privilege:
                resource_pattern: cluster
                action_type: query_settings 

       

      • perform the authorisation check as described in the following code snippet

       

      auto authzSession = AuthorizationSession::get(Client::getCurrent()); 
      authzSession->verifyContract(&SetQuerySettingsCommandRequest::kAuthorizationContract); 

       

      • for agg stage the privilege has to be defined in aggregate_command.idl as follows

       

      ...
      - privilege: # $querySettings
        resource_pattern: cluster
        action_type: query_settings

       

      • adjust the privilege vector definition for the $querySettings agg stage
      • extend the existing permission tests to ensure that authorization is performed accordingly in commands_lib.js

            Assignee:
            Unassigned Unassigned
            Reporter:
            backlog-server-pm Backlog - Core Eng Program Management Team
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: