Enable authorizedDatabases & authorizedCollections for fetching metadata in MongoDB #14988
Conversation
huberty89
requested review from
s2lomon,
skrzypo987,
kokosing,
Praveen2112 and
ebyhr
|
I need to update the docs |
huberty89
force-pushed
the
huberty89/mongo-metadata-privileges
branch
from
0db337e to
0dfe3d0
Compare
|
Looks like |
huberty89
force-pushed
the
huberty89/mongo-metadata-privileges
branch
from
0dfe3d0 to
0c8ad0a
Compare
| @@ -44,6 +44,7 @@ | |||
| private Optional<String> connectionUrl = Optional.empty(); | |||
| private List<ServerAddress> seeds = ImmutableList.of(); | |||
| private List<MongoCredential> credentials = ImmutableList.of(); | |||
| private boolean metadataPrivilegesRequired = true; | |||
There was a problem hiding this comment.
Could you share why we want to introduce a config property? Other connectors hide unauthorized databases and tables. Always enabling authorizedDatabasesOnly & authorizedCollections properties looks fine to me.
There was a problem hiding this comment.
But older versions behave differently with this config enabled so unless we confirm that we don’t support older versions of Mongo (i.e 4.0) - enabling it by default might cause some issue. @huberty89 can you share how it works in the latest and older version ?
There was a problem hiding this comment.
Now I also agree to not introduce new property.
In older version of MongoDB returned list of databases and collection was filtered out, in newer versions it's required to have specific privilege to list those. So this behavior has changed between versions only for authorizedDatabases=true and authorizedCollections=true
plugin/trino-mongodb/src/main/java/io/trino/plugin/mongodb/MongoSession.java
Outdated
Show resolved
Hide resolved
plugin/trino-mongodb/src/test/java/io/trino/plugin/mongodb/MongoServer.java
Outdated
Show resolved
Hide resolved
plugin/trino-mongodb/src/test/java/io/trino/plugin/mongodb/MongoServer.java
Outdated
Show resolved
Hide resolved
|
|
||
| private static MongoServer setupMongoServer() | ||
| { | ||
| MongoServer server = new MongoServer("4.0.6", ImmutableMap.of( |
There was a problem hiding this comment.
MongoDB 4.0 already reached EOL on Apr 30. Let's use a new version. Upcoming FTE on MongoDB will upgrade the minimum supported version to 4.2.
There was a problem hiding this comment.
I set version to 4.4.17 - it seams docker init flakiness (when I set root user and password via env) got fixed
There was a problem hiding this comment.
Hmm, it's still failing in my environment. It looks relating to testcontainers/testcontainers-java#4695
There was a problem hiding this comment.
Looks like org.testcontainers.containers.MongoDBContainer contains a bug.
When I set MONGO_INITDB_ROOT_USERNAME and MONGO_INITDB_ROOT_PASSWORD this cause a restart MongoDB process.
At the same time db.runCommand( { isMaster: 1 } ).ismaster==false is executed inside Docker container in a loop (60 times) and during process restart this throw network error - that's the main issue.
I create AuthenticatedMongoServer which use GenericContainer directly. Default enabled replication is not needed in current scenario.
plugin/trino-mongodb/src/main/java/io/trino/plugin/mongodb/MongoSession.java
Outdated
Show resolved
Hide resolved
plugin/trino-mongodb/src/main/java/io/trino/plugin/mongodb/MongoSession.java
Outdated
Show resolved
Hide resolved
plugin/trino-mongodb/src/test/java/io/trino/plugin/mongodb/TestMetadataPrivilegesRequired.java
Outdated
Show resolved
Hide resolved
plugin/trino-mongodb/src/test/java/io/trino/plugin/mongodb/TestMongoClientConfig.java
Outdated
Show resolved
Hide resolved
| @@ -44,6 +44,7 @@ | |||
| private Optional<String> connectionUrl = Optional.empty(); | |||
| private List<ServerAddress> seeds = ImmutableList.of(); | |||
| private List<MongoCredential> credentials = ImmutableList.of(); | |||
| private boolean metadataPrivilegesRequired = true; | |||
There was a problem hiding this comment.
But older versions behave differently with this config enabled so unless we confirm that we don’t support older versions of Mongo (i.e 4.0) - enabling it by default might cause some issue. @huberty89 can you share how it works in the latest and older version ?
plugin/trino-mongodb/src/main/java/io/trino/plugin/mongodb/MongoSession.java
Outdated
Show resolved
Hide resolved
plugin/trino-mongodb/src/test/java/io/trino/plugin/mongodb/TestMetadataPrivilegesRequired.java
Outdated
Show resolved
Hide resolved
plugin/trino-mongodb/src/main/java/io/trino/plugin/mongodb/MongoSession.java
Outdated
Show resolved
Hide resolved
plugin/trino-mongodb/src/test/java/io/trino/plugin/mongodb/MongoServer.java
Outdated
Show resolved
Hide resolved
huberty89
force-pushed
the
huberty89/mongo-metadata-privileges
branch
from
0c8ad0a to
5e159c8
Compare
|
@skrzypo987 @ebyhr @Praveen2112 I make an update, please take a look |
huberty89
force-pushed
the
huberty89/mongo-metadata-privileges
branch
from
5e159c8 to
32b1889
Compare
huberty89
changed the title
|
|
||
| private static void createTestRole(MongoDatabase database) | ||
| { | ||
| Double commandStatus = database.runCommand(new BsonDocument("createRole", new BsonString(TEST_ROLE)) |
There was a problem hiding this comment.
Is it possible to use Document class to improve readability?
There was a problem hiding this comment.
Got it, I also try to improve readability by spiting it into few methods
| if (schemaName.equals(remoteSchemaName.toLowerCase(ENGLISH))) { | ||
| return remoteSchemaName; | ||
| } | ||
| } | ||
| return schemaName; | ||
| } | ||
|
|
||
| private Iterable<String> listDatabaseNames() |
There was a problem hiding this comment.
Maybe instead returning Iterable from here and later turning it to Stream through ImmutableList.of(listDatabaseNames()).stream(), please return Iterable from here, for example by Streams.stream(...).
There was a problem hiding this comment.
If the name of the method starts with list maybe just return a list?
There was a problem hiding this comment.
We discuss this offline, because listDatabaseNames is private I return now MongoIterable
| @@ -178,7 +183,7 @@ public List<HostAddress> getAddresses() | |||
|
|
|||
| public List<String> getAllSchemas() | |||
| { | |||
| return ImmutableList.copyOf(client.listDatabaseNames()).stream() | |||
| return ImmutableList.copyOf(listDatabaseNames()).stream() | |||
There was a problem hiding this comment.
please look below - change the return type of listDatabaseNames to make it simpler to read. I'm kind of lost on what is transformed into what.
| MongoDatabase database = client.getDatabase(databaseName); | ||
| Document cursor = database.runCommand(new Document(AUTHORIZED_LIST_COLLECTIONS_COMMAND)).get("cursor", Document.class); | ||
|
|
||
| List<Document> firstBatch = cursor.get("firstBatch", List.class); |
There was a problem hiding this comment.
Would there be another batch ?
There was a problem hiding this comment.
I checked in a MongoDB Java driver source and by just creating 10,000 collections in MongoDB and by default MongoDB returns everything in a single response, so this implementation should be sufficient.
There was a problem hiding this comment.
Does MongoDB takes too long to create 10,000 collections ? Can we add it as a test to ensure that if the newer version returns in some batch we could handle the same ?
There was a problem hiding this comment.
Listing 10,000 collections took for me 1.14 second. Still agree a test for this case is a good idea, I will add it
| { | ||
| assertThat(getQueryRunner().execute("SHOW TABLES FROM mongodb." + TEST_DATABASE) | ||
| .getOnlyColumnAsSet()) | ||
| .containsExactly(TEST_COLLECTION.toLowerCase(Locale.ENGLISH)); |
There was a problem hiding this comment.
Do we need a redundant conversion ? Can we use assertQuery where we could provide a result as VALUES ...
| } | ||
| } | ||
|
|
||
| private static void createTestRole(MongoDatabase database) |
There was a problem hiding this comment.
Can we move this to MongoServer
There was a problem hiding this comment.
I moved into AuthenticatedMongoServer
| if (schemaName.equals(remoteSchemaName.toLowerCase(ENGLISH))) { | ||
| return remoteSchemaName; | ||
| } | ||
| } | ||
| return schemaName; | ||
| } | ||
|
|
||
| private Iterable<String> listDatabaseNames() |
There was a problem hiding this comment.
If the name of the method starts with list maybe just return a list?
huberty89
force-pushed
the
huberty89/mongo-metadata-privileges
branch
2 times, most recently
from
5857836 to
963b174
Compare
plugin/trino-mongodb/src/test/java/io/trino/plugin/mongodb/TestMongoPrivileges.java
Outdated
Show resolved
Hide resolved
huberty89
force-pushed
the
huberty89/mongo-metadata-privileges
branch
from
963b174 to
47fcc6b
Compare
Send `authorizedDatabases=true` parameter while listing databases/schemas Send `authorizedCollections=true` parameter while listing collections/tables Without those listing databases & collections require `listDatabases` & `listCollections` actions.
huberty89
force-pushed
the
huberty89/mongo-metadata-privileges
branch
from
47fcc6b to
87bf835
Compare
|
@Praveen2112 @skrzypo987 @ebyhr Please take a look if everything looks good and it's good to be merged, thanks |
|
Merged, thanks! |
|
Follow up: #15652 |
Description
Enable authorizedDatabases & authorizedCollections for fetching metadata in MongoDB
Fixes
#1398
Release notes
( ) This is not user-visible or docs only and no release notes are required.
( ) Release notes are required, please propose a release note for me.
(x) Release notes are required, with the following suggested text: