diff --git a/source/includes/minimum-destination-privileges.rst b/source/includes/minimum-destination-privileges.rst new file mode 100644 index 000000000..24018adde --- /dev/null +++ b/source/includes/minimum-destination-privileges.rst @@ -0,0 +1,112 @@ +.. list-table:: + :header-rows: 1 + :stub-columns: 1 + :widths: 10 20 + + * - Sync Type + - Minimum Destination Privileges + + * - Default + - .. code-block:: javascript + + [ + { + "resource": { "cluster": true }, + "actions": [ + "appendOplogNote", + "enableSharding", + "getDefaultRWConcern", + "getShardMap", + "hostInfo", + "listDatabases", + "listShards", + "replSetGetConfig", + "replSetGetStatus", + "serverStatus" + ] + }, + { + "resource": { "db": "", "collection": "" }, + "actions": [ + "bypassDocumentValidation", + "changeStream", + "collMod", + "convertToCapped", + "createCollection", + "createIndex", + "dropCollection", + "dropIndex", + "enableSharding", + "find", + "indexStats", + "insert", + "listCollections", + "listIndexes", + "remove", + "renameCollectionSameDB", + "update", + "bypassWriteBlockingMode", + "setUserWriteBlockMode" + ] + }, + { + "resource": { "db": "admin", "collection": "system.version" }, + "actions": [ "find" ] + }, + { + "resource": { "db": "", "collection": "system.js" }, + "actions": [ "listCollections", "listIndexes" ] + }, + { + "resource": { "db": "config", "collection": "shards" }, + "actions": [ "find" ] + }, + { + "resource": { "db": "", "collection": "system.views" }, + "actions": [ "dropCollection" ] + }, + { + "resource": { "db": "config", "collection": "version" }, + "actions": [ "find" ] + }, + { + "resource": { "db": "config", "collection": "collections" }, + "actions": [ "find" ] + }, + { + "resource": { "db": "config", "collection": "settings" }, + "actions": [ "find" ] + }, + { + "resource": { "db": "config", "collection": "tags" }, + "actions": [ "find" ] + }, + { + "resource": { "system_buckets": "" }, + "actions": [ "listCollections", "listIndexes" ] + } + ] + + * - Write Blocking + - Everything from the default destination privileges. + + * - Reversing + - Everything from the default source privileges and the default destination + privileges with the addition of: + + .. code-block:: javascript + + [ + { "resource": { "db": "", "collection": "" }, "actions": [ "dropDatabase" ] } + ] + + * - Multiple Reversals + - Everything from the default source privileges and the default destination + privileges with the addition of: + + .. code-block:: javascript + + [ + { "resource": { "db": "", "collection": "" }, "actions": [ "dropDatabase" ] } + ] + diff --git a/source/includes/minimum-source-privileges.rst b/source/includes/minimum-source-privileges.rst new file mode 100644 index 000000000..3fa5bb5dc --- /dev/null +++ b/source/includes/minimum-source-privileges.rst @@ -0,0 +1,151 @@ +.. list-table:: + :header-rows: 1 + :stub-columns: 1 + :widths: 10 30 + + * - Sync Type + - Minimum Source Privileges + + * - Default + - .. code-block:: javascript + + [ + { + "resource": { "cluster": true }, + "actions": [ + "appendOplogNote", + "getDefaultRWConcern", + "getShardMap", + "hostInfo", + "listDatabases", + "listShards", + "replSetGetConfig", + "replSetGetStatus", + "serverStatus" + ] + }, + { + "resource": { "db": "", "collection": "" }, + "actions": [ + "changeStream", + "collStats", + "find", + "indexStats", + "listCollections", + "listIndexes" + ] + }, + { + "resource": { "db": "admin", "collection": "system.version" }, + "actions": [ "find" ] + }, + { + "resource": { "db": "", "collection": "system.js" }, + "actions": [ "listCollections", "listIndexes" ] + }, + { + "resource": { "db": "config", "collection": "shards" }, + "actions": [ "find" ] + }, + { + "resource": { "db": "config", "collection": "collections" }, + "actions": [ "find" ] + }, + { + "resource": { "db": "config", "collection": "version" }, + "actions": [ "find" ] + }, + { + "resource": { "db": "config", "collection": "settings" }, + "actions": [ "find" ] + }, + { + "resource": { "system_buckets": "" }, + "actions": [ "listCollections", "listIndexes" ] + } + ] + + * - Write-blocking + - Everything from the default source privileges with the addition of: + + .. code-block:: javascript + + [ + { + "resource": { "cluster": true }, + "actions": [ "bypassWriteBlockingMode", "setUserWriteBlockMode" ] + } + ] + + * - Reversing + - Everything from the default source privileges and the default destination + privileges. + + * - Multiple Reversals + - Everything from the default source privileges and the default destination + privileges with the addition of: + + .. code-block:: javascript + + [ + { "resource": { "db": "", "collection": "" }, "actions": [ "dropDatabase" ] } + ] + + * - V4.4 Migration + - .. code-block:: javascript + + [ + { + "resource": { "cluster": true }, + "actions": [ + "addShard", + "appendOplogNote", + "flushRouterConfig", + "getDefaultRWConcern", + "getShardMap", + "hostInfo", + "listDatabases", + "listShards", + "replSetGetConfig", + "replSetGetStatus", + "serverStatus" + ] + }, + { + "resource": { "db": "", "collection": "" }, + "actions": [ + "changeStream", + "collStats", + "find", + "indexStats", + "listCollections", + "listIndexes" + ] + }, + { + "resource": { "db": "admin", "collection": "system.version" }, + "actions": [ "find" ] + }, + { + "resource": { "db": "", "collection": "system.js" }, + "actions": [ "listCollections", "listIndexes" ] + }, + { + "resource": { "db": "config", "collection": "shards" }, + "actions": [ "find" ] + }, + { + "resource": { "db": "config", "collection": "collections" }, + "actions": [ "find" ] + }, + { + "resource": { "db": "config", "collection": "version" }, + "actions": [ "find" ] + }, + { + "resource": { "db": "config", "collection": "settings" }, + "actions": [ "find" ] + } + ] + + diff --git a/source/reference/permissions.txt b/source/reference/permissions.txt index 0e0a35117..d78c626d4 100644 --- a/source/reference/permissions.txt +++ b/source/reference/permissions.txt @@ -28,12 +28,98 @@ The Atlas permissions are: .. include:: /includes/table-permissions-atlas.rst +.. _c2c-minimum-privileges: + +Minimum Privileges +------------------ + +.. note:: + + Minimum privileges may change across mongosync versions. + +The minimum source privileges are: + +.. include:: /includes/minimum-source-privileges.rst + +The minimum destination privileges are: + +.. include:: /includes/minimum-destination-privileges.rst + .. _c2c-older-version-permissions: Pre-6.0 Migrations ------------------ -- When migrating from a 4.4 source cluster, you must have - :authrole:`clusterManager` permissions on the source cluster. +- When migrating from a 4.4 source cluster, the source cluster + should either have :authrole:`clusterManager` or the minimum + permissions listed for v4.4. + + The minimum source permissions for v4.4 are: + + .. list-table:: + :header-rows: 1 + :stub-columns: 1 + :widths: 10 30 + + * - Sync Type + - Minimum Source Privileges + + * - V4.4 Migration + - .. code-block:: javascript + + [ + { + "resource": { "cluster": true }, + "actions": [ + "addShard", + "appendOplogNote", + "flushRouterConfig", + "getDefaultRWConcern", + "getShardMap", + "hostInfo", + "listDatabases", + "listShards", + "replSetGetConfig", + "replSetGetStatus", + "serverStatus" + ] + }, + { + "resource": { "db": "", "collection": "" }, + "actions": [ + "changeStream", + "collStats", + "find", + "indexStats", + "listCollections", + "listIndexes" + ] + }, + { + "resource": { "db": "admin", "collection": "system.version" }, + "actions": [ "find" ] + }, + { + "resource": { "db": "", "collection": "system.js" }, + "actions": [ "listCollections", "listIndexes" ] + }, + { + "resource": { "db": "config", "collection": "shards" }, + "actions": [ "find" ] + }, + { + "resource": { "db": "config", "collection": "collections" }, + "actions": [ "find" ] + }, + { + "resource": { "db": "config", "collection": "version" }, + "actions": [ "find" ] + }, + { + "resource": { "db": "config", "collection": "settings" }, + "actions": [ "find" ] + } + ] + +- Dual write-blocking and reverse sync are not supported. -- Write blocking and reverse sync are not supported.