SERVER-67462 Support renaming encrypted collections if client has correct privileges

author: Mark Benvenuto <mark.benvenuto@mongodb.com> 2022-06-28 15:34:59 -0400
committer: Evergreen Agent <no-reply@evergreen.mongodb.com> 2022-07-07 17:20:24 +0000
commit: 2f2dc04da0c7fd853a2ff68c245c5f6e28f50fa1 (patch)
tree: 4b954eda2797fcb1a6f2636bcefb7c5f49b38850 /src/mongo
parent: 850161356ba07d654aab253b6e3fd31849278a16 (diff)
download: mongo-2f2dc04da0c7fd853a2ff68c245c5f6e28f50fa1.tar.gz
7 files changed, 35 insertions, 7 deletions
diff --git a/src/mongo/db/catalog/rename_collection.cpp b/src/mongo/db/catalog/rename_collection.cpp
index b2ea5e5ff4a..3cb953f04c1 100644
--- a/src/mongo/db/catalog/rename_collection.cpp
+++ b/src/mongo/db/catalog/rename_collection.cpp
@@ -117,7 +117,10 @@ Status checkSourceAndTargetNamespaces(OperationContext* opCtx,
                       str::stream() << "Source collection " << source.ns() << " does not exist");
     }
 
-    if (sourceColl->getCollectionOptions().encryptedFieldConfig) {
+    if (sourceColl->getCollectionOptions().encryptedFieldConfig &&
+        !AuthorizationSession::get(opCtx->getClient())
+             ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+                                                ActionType::setUserWriteBlockMode)) {
         return Status(ErrorCodes::IllegalOperation, "Cannot rename an encrypted collection");
     }
 
@@ -130,7 +133,10 @@ Status checkSourceAndTargetNamespaces(OperationContext* opCtx,
             return Status(ErrorCodes::NamespaceExists,
                           str::stream() << "a view already exists with that name: " << target);
     } else {
-        if (targetColl->getCollectionOptions().encryptedFieldConfig) {
+        if (targetColl->getCollectionOptions().encryptedFieldConfig &&
+            !AuthorizationSession::get(opCtx->getClient())
+                 ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+                                                    ActionType::setUserWriteBlockMode)) {
             return Status(ErrorCodes::IllegalOperation,
                           "Cannot rename to an existing encrypted collection");
         }
diff --git a/src/mongo/db/s/rename_collection_coordinator.cpp b/src/mongo/db/s/rename_collection_coordinator.cpp
index 391d57133b4..b96a89e62d7 100644
--- a/src/mongo/db/s/rename_collection_coordinator.cpp
+++ b/src/mongo/db/s/rename_collection_coordinator.cpp
@@ -32,6 +32,7 @@
 
 #include "mongo/db/s/rename_collection_coordinator.h"
 
+#include "mongo/db/auth/authorization_session.h"
 #include "mongo/db/catalog/collection_catalog.h"
 #include "mongo/db/catalog/collection_uuid_mismatch.h"
 #include "mongo/db/catalog/database_holder.h"
@@ -156,7 +157,8 @@ ExecutorFuture<void> RenameCollectionCoordinator::_runImpl(
 
                         uassert(ErrorCodes::IllegalOperation,
                                 "Cannot rename an encrypted collection",
-                                !coll || !coll->getCollectionOptions().encryptedFieldConfig);
+                                !coll || !coll->getCollectionOptions().encryptedFieldConfig ||
+                                    _doc.getAllowEncryptedCollectionRename().value_or(false));
                     }
 
                     // Make sure the source collection exists
@@ -229,7 +231,8 @@ ExecutorFuture<void> RenameCollectionCoordinator::_runImpl(
                             opCtx, toNss, *coll, _doc.getExpectedTargetUUID());
                         uassert(ErrorCodes::IllegalOperation,
                                 "Cannot rename to an existing encrypted collection",
-                                !coll || !coll->getCollectionOptions().encryptedFieldConfig);
+                                !coll || !coll->getCollectionOptions().encryptedFieldConfig ||
+                                    _doc.getAllowEncryptedCollectionRename().value_or(false));
                     }
 
                 } catch (const DBException&) {
diff --git a/src/mongo/db/s/sharded_rename_collection.idl b/src/mongo/db/s/sharded_rename_collection.idl
index 1d43633d5e8..0d972dc6f64 100644
--- a/src/mongo/db/s/sharded_rename_collection.idl
+++ b/src/mongo/db/s/sharded_rename_collection.idl
@@ -123,6 +123,11 @@ structs:
                 type: uuid
                 description: "ID of the existing collection getting dropped."
                 optional: true
+            allowEncryptedCollectionRename:
+                description: "Encrypted Collection renames are usually disallowed to minimize user error.
+                              C2C needs to do the renames to replicate create collection."
+                type: bool
+                optional: true
 
     RenameCollectionParticipantDocument:
         description: "Represents a rename collection operation on a participant shard."
diff --git a/src/mongo/db/s/shardsvr_rename_collection_command.cpp b/src/mongo/db/s/shardsvr_rename_collection_command.cpp
index df68acc6801..d7bf1db2b03 100644
--- a/src/mongo/db/s/shardsvr_rename_collection_command.cpp
+++ b/src/mongo/db/s/shardsvr_rename_collection_command.cpp
@@ -98,6 +98,9 @@ public:
             coordinatorDoc.setRenameCollectionRequest(req.getRenameCollectionRequest());
             coordinatorDoc.setShardingDDLCoordinatorMetadata(
                 {{fromNss, DDLCoordinatorTypeEnum::kRenameCollection}});
+            coordinatorDoc.setAllowEncryptedCollectionRename(
+                req.getAllowEncryptedCollectionRename().value_or(false));
+
             auto service = ShardingDDLCoordinatorService::getService(opCtx);
             auto renameCollectionCoordinator = checked_pointer_cast<RenameCollectionCoordinator>(
                 service->getOrCreateInstance(opCtx, coordinatorDoc.toBSON()));
diff --git a/src/mongo/s/commands/cluster_rename_collection_cmd.cpp b/src/mongo/s/commands/cluster_rename_collection_cmd.cpp
index 7fdb7767d47..1df93f9458e 100644
--- a/src/mongo/s/commands/cluster_rename_collection_cmd.cpp
+++ b/src/mongo/s/commands/cluster_rename_collection_cmd.cpp
@@ -93,6 +93,10 @@ public:
             ShardsvrRenameCollection renameCollRequest(fromNss);
             renameCollRequest.setDbName(fromNss.db());
             renameCollRequest.setRenameCollectionRequest(renameCollReq);
+            renameCollRequest.setAllowEncryptedCollectionRename(
+                AuthorizationSession::get(opCtx->getClient())
+                    ->isAuthorizedForActionsOnResource(ResourcePattern::forClusterResource(),
+                                                       ActionType::setUserWriteBlockMode));
 
             auto catalogCache = Grid::get(opCtx)->catalogCache();
             auto swDbInfo = Grid::get(opCtx)->catalogCache()->getDatabase(opCtx, fromNss.db());
diff --git a/src/mongo/s/request_types/sharded_ddl_commands.idl b/src/mongo/s/request_types/sharded_ddl_commands.idl
index b3cc1ed7246..001551acaf6 100644
--- a/src/mongo/s/request_types/sharded_ddl_commands.idl
+++ b/src/mongo/s/request_types/sharded_ddl_commands.idl
@@ -322,6 +322,12 @@ commands:
         api_version: ""
         chained_structs:
             RenameCollectionRequest: RenameCollectionRequest
+        fields:
+            allowEncryptedCollectionRename:
+                description: "Encrypted Collection renames are usually disallowed to minimize user error.
+                              C2C needs to do the renames to replicate create collection."
+                type: bool
+                optional: true
 
     _shardsvrSetAllowMigrations:
         command_name: _shardsvrSetAllowMigrations
@@ -367,7 +373,7 @@ commands:
         namespace: concatenate_with_db
         api_version: ""
         strict: false
-        chained_structs: 
+        chained_structs:
             RefineCollectionShardKeyRequest: RefineCollectionShardKeyRequest
 
     _configsvrRefineCollectionShardKey:
@@ -400,7 +406,7 @@ commands:
         namespace: concatenate_with_db
         api_version: ""
         strict: false
-        chained_structs: 
+        chained_structs:
             DropIndexesRequest: DropIndexesRequest
 
     _configsvrCreateDatabase:
diff --git a/src/mongo/shell/assert.js b/src/mongo/shell/assert.js
index 87fe3232814..1e5c7115280 100644
--- a/src/mongo/shell/assert.js
+++ b/src/mongo/shell/assert.js
@@ -110,7 +110,8 @@ assert = (function() {
                     doassert("msg function cannot expect any parameters.");
                 }
             } else if (typeof msg !== "string" && typeof msg !== "object") {
-                doassert("msg parameter must be a string, function or object.");
+                doassert("msg parameter must be a string, function or object. Found type: " +
+                         typeof (msg));
             }
 
             if (msg && assert._debug) {
author	Mark Benvenuto <mark.benvenuto@mongodb.com>	2022-06-28 15:34:59 -0400
committer	Evergreen Agent <no-reply@evergreen.mongodb.com>	2022-07-07 17:20:24 +0000
commit	2f2dc04da0c7fd853a2ff68c245c5f6e28f50fa1 (patch)
tree	4b954eda2797fcb1a6f2636bcefb7c5f49b38850 /src/mongo
parent	850161356ba07d654aab253b6e3fd31849278a16 (diff)
download	mongo-2f2dc04da0c7fd853a2ff68c245c5f6e28f50fa1.tar.gz