authorMark Benvenuto <mark.benvenuto@mongodb.com>2022-06-28 15:34:59 -0400
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2022-08-01 16:25:31 +0000
commit735ea71cc690abeb2219f843be966fdc55e13b2e (patch)
treee4080d021e201c427cf61223e8d95a1fcf0564c7 /src/mongo/db/s
parentc53c5bfdb8d161f03b82e3a4a0869e1a0e8a3d6d (diff)
downloadmongo-735ea71cc690abeb2219f843be966fdc55e13b2e.tar.gz
SERVER-67462 Support renaming encrypted collections if client has correct privileges
(cherry picked from commit 2f2dc04da0c7fd853a2ff68c245c5f6e28f50fa1)
Diffstat (limited to 'src/mongo/db/s')
-rw-r--r--src/mongo/db/s/rename_collection_coordinator.cpp7
-rw-r--r--src/mongo/db/s/sharded_rename_collection.idl5
-rw-r--r--src/mongo/db/s/shardsvr_rename_collection_command.cpp3
3 files changed, 13 insertions, 2 deletions
diff --git a/src/mongo/db/s/rename_collection_coordinator.cpp b/src/mongo/db/s/rename_collection_coordinator.cpp
index 359f1e113df..d79274bab71 100644
--- a/src/mongo/db/s/rename_collection_coordinator.cpp
+++ b/src/mongo/db/s/rename_collection_coordinator.cpp
@@ -33,6 +33,7 @@
#include "mongo/db/s/rename_collection_coordinator.h"
+#include "mongo/db/auth/authorization_session.h"
#include "mongo/db/catalog/collection_catalog.h"
#include "mongo/db/catalog/collection_uuid_mismatch.h"
#include "mongo/db/catalog/database_holder.h"
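Review bot: The added `#include "mongo/db/auth/authorization_session.h"` is not used by either of the other two hunks in this file, which gate only on `_doc.getAllowEncryptedCollectionRename()`. If nothing else in rename_collection_coordinator.cpp calls into the authorization session (the rest of the file is outside this diff), drop the include. Leaving it in suggests the coordinator performs a privilege check of its own, which the visible code does not do.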
@@ -194,7 +195,8 @@ ExecutorFuture<void> RenameCollectionCoordinator::_runImpl(
uassert(ErrorCodes::IllegalOperation,
"Cannot rename an encrypted collection",
- !coll || !coll->getCollectionOptions().encryptedFieldConfig);
+ !coll || !coll->getCollectionOptions().encryptedFieldConfig ||
+ _doc.getAllowEncryptedCollectionRename().value_or(false));
}
// Make sure the source collection exists
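Review bot: The new clause `|| _doc.getAllowEncryptedCollectionRename().value_or(false)` makes a persisted document field the only gate on renaming an encrypted source collection, and the hunk at -269 repeats the same clause for the target collection. If both checks share a scope, read the flag once as `const bool allowEncryptedRename = _doc.getAllowEncryptedCollectionRename().value_or(false);` and use it in both uasserts so the two conditions cannot drift apart; otherwise a small private helper would do the same. Neither hunk records who authorized the flag, so add a comment next to it such as `// Set by the command layer after the caller's privileges were checked; the coordinator does not re-check.`, provided that is the actual contract, which is not visible here. _runImpl starts and ends outside both hunks.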
@@ -269,7 +271,8 @@ ExecutorFuture<void> RenameCollectionCoordinator::_runImpl(
opCtx, toNss, *coll, _doc.getExpectedTargetUUID());
uassert(ErrorCodes::IllegalOperation,
"Cannot rename to an existing encrypted collection",
- !coll || !coll->getCollectionOptions().encryptedFieldConfig);
+ !coll || !coll->getCollectionOptions().encryptedFieldConfig ||
+ _doc.getAllowEncryptedCollectionRename().value_or(false));
}
} catch (const DBException&) {
diff --git a/src/mongo/db/s/sharded_rename_collection.idl b/src/mongo/db/s/sharded_rename_collection.idl
index 1d43633d5e8..0d972dc6f64 100644
--- a/src/mongo/db/s/sharded_rename_collection.idl
+++ b/src/mongo/db/s/sharded_rename_collection.idl
@@ -123,6 +123,11 @@ structs:
type: uuid
description: "ID of the existing collection getting dropped."
optional: true
+ allowEncryptedCollectionRename:
+ description: "Encrypted Collection renames are usually disallowed to minimize user error.
+ C2C needs to do the renames to replicate create collection."
+ type: bool
+ optional: true
RenameCollectionParticipantDocument:
description: "Represents a rename collection operation on a participant shard."
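Review bot: The description of `allowEncryptedCollectionRename` gives the motivation (C2C) but not the effect or the precondition for setting it. When the field is true, the coordinator skips both uasserts that reject renaming from or to an encrypted collection, so the text should say so and name the trust assumption, for example `"If true, skips the checks that reject renaming from or to an encrypted collection. Only set after the caller's privileges have been verified; used by C2C to replicate create collection."`. That wording assumes the privilege check happens before the field is set, which this diff does not show.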
diff --git a/src/mongo/db/s/shardsvr_rename_collection_command.cpp b/src/mongo/db/s/shardsvr_rename_collection_command.cpp
index 5a1918046f4..fba545fbd0d 100644
--- a/src/mongo/db/s/shardsvr_rename_collection_command.cpp
+++ b/src/mongo/db/s/shardsvr_rename_collection_command.cpp
@@ -96,6 +96,9 @@ public:
coordinatorDoc.setRenameCollectionRequest(req.getRenameCollectionRequest());
coordinatorDoc.setShardingDDLCoordinatorMetadata(
{{fromNss, DDLCoordinatorTypeEnum::kRenameCollection}});
+ coordinatorDoc.setAllowEncryptedCollectionRename(
+ req.getAllowEncryptedCollectionRename().value_or(false));
+
auto service = ShardingDDLCoordinatorService::getService(opCtx);
auto renameCollectionCoordinator = checked_pointer_cast<RenameCollectionCoordinator>(
service->getOrCreateInstance(opCtx, coordinatorDoc.toBSON()));
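Review bot: `req.getAllowEncryptedCollectionRename()` is copied into the coordinator document with no authorization check visible in this hunk, so the shard accepts whatever value the sender put in the request. If the privilege check named in the commit title is done on the router or in the user-facing rename command (neither is in this diffstat), say so above the setter, for example `// Privileges for allowEncryptedCollectionRename are verified by the caller before this internal command is sent.`. It is also worth confirming that this command's own access check restricts it to internal callers, since that is what keeps a client from setting the flag directly. The enclosing method starts and ends outside the hunk.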