diff --git a/changelog/20251015_other_remove_legacy_search_coordinator_polyfill.md b/changelog/20251015_other_remove_legacy_search_coordinator_polyfill.md new file mode 100644 index 000000000..0616cc062 --- /dev/null +++ b/changelog/20251015_other_remove_legacy_search_coordinator_polyfill.md @@ -0,0 +1,6 @@ +--- +kind: other +date: 2025-10-15 +--- + +* Simplified MongoDB Search setup: Removed the custom Search Coordinator polyfill (a piece of compatibility code previously needed to add the required permissions), as MongoDB 8.2.0 and later now include the necessary permissions via the built-in searchCoordinator role. diff --git a/controllers/operator/mongodbreplicaset_controller.go b/controllers/operator/mongodbreplicaset_controller.go index 4e959ac47..afac5a143 100644 --- a/controllers/operator/mongodbreplicaset_controller.go +++ b/controllers/operator/mongodbreplicaset_controller.go @@ -866,15 +866,6 @@ func (r *ReplicaSetReconcilerHelper) applySearchOverrides(ctx context.Context) b searchMongodConfig := searchcontroller.GetMongodConfigParameters(search, rs.Spec.GetClusterDomain()) rs.Spec.AdditionalMongodConfig.AddOption("setParameter", searchMongodConfig["setParameter"]) - if searchcontroller.NeedsSearchCoordinatorRolePolyfill(rs.Spec.GetMongoDBVersion()) { - log.Infof("Polyfilling the searchCoordinator role for MongoDB %s", rs.Spec.GetMongoDBVersion()) - - if rs.Spec.Security == nil { - rs.Spec.Security = &mdbv1.Security{} - } - rs.Spec.Security.Roles = append(rs.Spec.Security.Roles, searchcontroller.SearchCoordinatorRole()) - } - return true } diff --git a/controllers/operator/mongodbsearch_controller_test.go b/controllers/operator/mongodbsearch_controller_test.go index 273482fcb..904424df5 100644 --- a/controllers/operator/mongodbsearch_controller_test.go +++ b/controllers/operator/mongodbsearch_controller_test.go 
@@ -36,7 +36,7 @@ func newMongoDBCommunity(name, namespace string) *mdbcv1.MongoDBCommunity { Spec: mdbcv1.MongoDBCommunitySpec{ Type: mdbcv1.ReplicaSet, Members: 1, - Version: "8.0.10", + Version: "8.2.0", }, } } diff --git a/controllers/searchcontroller/community_search_source.go b/controllers/searchcontroller/community_search_source.go index 09b66c3df..6552adeb3 100644 --- a/controllers/searchcontroller/community_search_source.go +++ b/controllers/searchcontroller/community_search_source.go @@ -64,8 +64,8 @@ func (r *CommunitySearchSource) Validate() error { version, err := semver.ParseTolerant(r.GetMongoDBVersion()) if err != nil { return xerrors.Errorf("error parsing MongoDB version '%s': %w", r.Spec.Version, err) - } else if version.LT(semver.MustParse("8.0.10")) { - return xerrors.New("MongoDB version must be 8.0.10 or higher") + } else if version.LT(semver.MustParse("8.2.0")) { + return xerrors.New("MongoDB version must be 8.2.0 or higher") } foundScram := false diff --git a/controllers/searchcontroller/community_search_source_test.go b/controllers/searchcontroller/community_search_source_test.go index 68cf5e449..200629f64 100644 --- a/controllers/searchcontroller/community_search_source_test.go +++ b/controllers/searchcontroller/community_search_source_test.go 
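Review bot: In `CommunitySearchSource.Validate`, `version.LT(semver.MustParse("8.2.0"))` also orders pre-release tags, so a version string such as `8.2.0-rc0` sorts below 8.2.0 and is rejected; the same would hold for `8.2.0-ent` unless `GetMongoDBVersion` strips the suffix, which is not visible here. The removed `NeedsSearchCoordinatorRolePolyfill` looked only at `Major`/`Minor` and its tests treated both strings as 8.2, so this gate is stricter than the check it replaces. If those builds do ship the built-in role, drop the pre-release part before comparing, e.g. `version.Pre = nil` ahead of the `LT` call; if they are meant to be refused, say so in the error text. The same comparison appears in `EnterpriseResourceSearchSource.Validate`, and both function bodies continue outside their hunks.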
@@ -50,74 +50,74 @@ func TestCommunitySearchSource_Validate(t *testing.T) { version: "7.0.0", authModes: []mdbcv1.AuthMode{"SCRAM-SHA-256"}, expectError: true, - expectedErrMsg: "MongoDB version must be 8.0.10 or higher", + expectedErrMsg: "MongoDB version must be 8.2.0 or higher", }, { name: "Version just below minimum", - version: "8.0.9", + version: "8.1.9", authModes: []mdbcv1.AuthMode{"SCRAM-SHA-256"}, expectError: true, - expectedErrMsg: "MongoDB version must be 8.0.10 or higher", + expectedErrMsg: "MongoDB version must be 8.2.0 or higher", }, { name: "Valid minimum version", - version: "8.0.10", + version: "8.2.0", authModes: []mdbcv1.AuthMode{"SCRAM-SHA-256"}, expectError: false, }, { name: "Version above minimum", - version: "8.1.0", + version: "8.3.0", authModes: []mdbcv1.AuthMode{"SCRAM-SHA-256"}, expectError: false, }, { name: "Version with build number", - version: "8.1.0-rc1", + version: "8.3.0-rc1", authModes: []mdbcv1.AuthMode{"SCRAM-SHA-256"}, expectError: false, }, // Authentication mode tests - empty/nil cases { name: "Empty auth modes", - version: "8.0.10", + version: "8.2.0", authModes: []mdbcv1.AuthMode{}, expectError: false, }, { name: "Nil auth modes", - version: "8.0.10", + version: "8.2.0", authModes: nil, expectError: false, }, { name: "X509 mode only", - version: "8.0.10", + version: "8.2.0", authModes: []mdbcv1.AuthMode{"X509"}, expectError: true, expectedErrMsg: "MongoDBSearch requires SCRAM authentication to be enabled", }, { name: "X509 and SCRAM", - version: "8.0.10", + version: "8.2.0", authModes: []mdbcv1.AuthMode{"X509", "SCRAM-SHA-256"}, expectError: false, }, { name: "Multiple auth modes with SCRAM first", - version: "8.0.10", + version: "8.2.0", authModes: []mdbcv1.AuthMode{"SCRAM-SHA-1", "X509"}, expectError: false, }, { name: "Multiple auth modes with SCRAM last", - version: "8.0.10", + version: "8.2.0", authModes: []mdbcv1.AuthMode{"PLAIN", "X509", "SCRAM-SHA-256"}, expectError: false, }, { name: "Multiple non-SCRAM modes", 
- version: "8.0.10", + version: "8.2.0", authModes: []mdbcv1.AuthMode{"PLAIN", "X509"}, expectError: true, expectedErrMsg: "MongoDBSearch requires SCRAM authentication to be enabled", @@ -125,45 +125,45 @@ func TestCommunitySearchSource_Validate(t *testing.T) { // SCRAM variant tests { name: "SCRAM only", - version: "8.0.10", + version: "8.2.0", authModes: []mdbcv1.AuthMode{"SCRAM"}, expectError: false, }, { name: "SCRAM-SHA-1 only", - version: "8.0.10", + version: "8.2.0", authModes: []mdbcv1.AuthMode{"SCRAM-SHA-1"}, expectError: false, }, { name: "SCRAM-SHA-256 only", - version: "8.0.10", + version: "8.2.0", authModes: []mdbcv1.AuthMode{"SCRAM-SHA-256"}, expectError: false, }, { name: "All SCRAM variants", - version: "8.0.10", + version: "8.2.0", authModes: []mdbcv1.AuthMode{"SCRAM", "SCRAM-SHA-1", "SCRAM-SHA-256"}, expectError: false, }, // Case-insensitive tests (now supported with ToUpper) { name: "Lowercase SCRAM", - version: "8.0.10", + version: "8.2.0", authModes: []mdbcv1.AuthMode{"scram-sha-256"}, expectError: false, }, { name: "Mixed case SCRAM", - version: "8.0.10", + version: "8.2.0", authModes: []mdbcv1.AuthMode{"Scram-Sha-256"}, expectError: false, }, // Edge case tests { name: "PLAIN only", - version: "8.0.10", + version: "8.2.0", authModes: []mdbcv1.AuthMode{"PLAIN"}, expectError: true, expectedErrMsg: "MongoDBSearch requires SCRAM authentication to be enabled", @@ -174,11 +174,11 @@ func TestCommunitySearchSource_Validate(t *testing.T) { version: "7.0.0", authModes: []mdbcv1.AuthMode{"SCRAM-SHA-256"}, expectError: true, - expectedErrMsg: "MongoDB version must be 8.0.10 or higher", + expectedErrMsg: "MongoDB version must be 8.2.0 or higher", }, { name: "Valid version with invalid auth", - version: "8.0.10", + version: "8.2.0", authModes: []mdbcv1.AuthMode{"X509"}, expectError: true, expectedErrMsg: "MongoDBSearch requires SCRAM authentication to be enabled", 
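Review bot: The table in `TestCommunitySearchSource_Validate` no longer has a suffixed version at the new floor: the "Version with build number" row moved to `8.3.0-rc1`, which is above 8.2.0 however the suffix is ordered. Within this diff, the deleted `TestNeedsSearchCoordinatorRolePolyfill` was the only test that exercised `8.2.0-rc0` and `8.2.0-ent`. Add a row with `version: "8.2.0-rc0"` and `authModes: []mdbcv1.AuthMode{"SCRAM-SHA-256"}`, with `expectError` pinned to the intended outcome, so the boundary behaviour is a recorded decision. The test function continues outside the hunk.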
@@ -188,7 +188,7 @@ func TestCommunitySearchSource_Validate(t *testing.T) { version: "7.0.0", authModes: []mdbcv1.AuthMode{"X509"}, expectError: true, - expectedErrMsg: "MongoDB version must be 8.0.10 or higher", // Should fail on version first + expectedErrMsg: "MongoDB version must be 8.2.0 or higher", // Should fail on version first }, } diff --git a/controllers/searchcontroller/enterprise_search_source.go b/controllers/searchcontroller/enterprise_search_source.go index f90522127..29329e324 100644 --- a/controllers/searchcontroller/enterprise_search_source.go +++ b/controllers/searchcontroller/enterprise_search_source.go @@ -55,8 +55,8 @@ func (r EnterpriseResourceSearchSource) Validate() error { version, err := semver.ParseTolerant(util.StripEnt(r.Spec.GetMongoDBVersion())) if err != nil { return xerrors.Errorf("error parsing MongoDB version '%s': %w", r.Spec.GetMongoDBVersion(), err) - } else if version.LT(semver.MustParse("8.0.10")) { - return xerrors.New("MongoDB version must be 8.0.10 or higher") + } else if version.LT(semver.MustParse("8.2.0")) { + return xerrors.New("MongoDB version must be 8.2.0 or higher") } if r.Spec.GetTopology() != mdbv1.ClusterTopologySingleCluster { diff --git a/controllers/searchcontroller/enterprise_search_source_test.go b/controllers/searchcontroller/enterprise_search_source_test.go index ac9eaae5b..5fa55ec32 100644 --- a/controllers/searchcontroller/enterprise_search_source_test.go +++ b/controllers/searchcontroller/enterprise_search_source_test.go 
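Review bot: The `"8.2.0"` floor in `EnterpriseResourceSearchSource.Validate` is, as far as these hunks show, the remaining guard against running Search on a server that lacks the built-in `searchCoordinator` role, because this commit also deletes the operator-side role definition; yet the value and its message are repeated as literals here and in `CommunitySearchSource.Validate`. A shared package constant keeps the two gates from drifting: `const minSearchMongoDBVersion = "8.2.0"`, used as `semver.MustParse(minSearchMongoDBVersion)` and formatted into the error string. A comment on the constant should record that below this version the role is absent and the operator no longer creates it. Whether `applySearchOverrides` and `buildAutomationConfig` can still be reached for an older server once the polyfill is gone is not visible in this diff and is worth confirming.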
@@ -77,20 +77,20 @@ func TestEnterpriseResourceSearchSource_Validate(t *testing.T) { resourceType: mdbv1.ReplicaSet, authModes: []string{}, expectError: true, - expectedErrMsg: "MongoDB version must be 8.0.10 or higher", + expectedErrMsg: "MongoDB version must be 8.2.0 or higher", }, { name: "Version just below minimum", - version: "8.0.9", + version: "8.1.9", topology: mdbv1.ClusterTopologySingleCluster, resourceType: mdbv1.ReplicaSet, authModes: []string{}, expectError: true, - expectedErrMsg: "MongoDB version must be 8.0.10 or higher", + expectedErrMsg: "MongoDB version must be 8.2.0 or higher", }, { name: "Valid minimum version", - version: "8.0.10", + version: "8.2.0", topology: mdbv1.ClusterTopologySingleCluster, resourceType: mdbv1.ReplicaSet, authModes: []string{}, @@ -98,7 +98,7 @@ func TestEnterpriseResourceSearchSource_Validate(t *testing.T) { }, { name: "Version above minimum", - version: "8.1.0", + version: "8.3.0", topology: mdbv1.ClusterTopologySingleCluster, resourceType: mdbv1.ReplicaSet, authModes: []string{}, @@ -107,7 +107,7 @@ func TestEnterpriseResourceSearchSource_Validate(t *testing.T) { // Topology validation tests { name: "Invalid topology - MultiCluster", - version: "8.0.10", + version: "8.2.0", topology: mdbv1.ClusterTopologyMultiCluster, resourceType: mdbv1.ReplicaSet, authModes: []string{}, @@ -116,7 +116,7 @@ func TestEnterpriseResourceSearchSource_Validate(t *testing.T) { }, { name: "Valid topology - SingleCluster", - version: "8.0.10", + version: "8.2.0", topology: mdbv1.ClusterTopologySingleCluster, resourceType: mdbv1.ReplicaSet, authModes: []string{}, @@ -124,7 +124,7 @@ func TestEnterpriseResourceSearchSource_Validate(t *testing.T) { }, { name: "Empty topology defaults to SingleCluster", - version: "8.0.10", + version: "8.2.0", topology: "", resourceType: mdbv1.ReplicaSet, authModes: []string{}, 
@@ -133,7 +133,7 @@ func TestEnterpriseResourceSearchSource_Validate(t *testing.T) { // Resource type validation tests { name: "Invalid resource type - Standalone", - version: "8.0.10", + version: "8.2.0", topology: mdbv1.ClusterTopologySingleCluster, resourceType: mdbv1.Standalone, authModes: []string{}, @@ -142,7 +142,7 @@ func TestEnterpriseResourceSearchSource_Validate(t *testing.T) { }, { name: "Invalid resource type - ShardedCluster", - version: "8.0.10", + version: "8.2.0", topology: mdbv1.ClusterTopologySingleCluster, resourceType: mdbv1.ShardedCluster, authModes: []string{}, @@ -151,7 +151,7 @@ func TestEnterpriseResourceSearchSource_Validate(t *testing.T) { }, { name: "Valid resource type - ReplicaSet", - version: "8.0.10", + version: "8.2.0", topology: mdbv1.ClusterTopologySingleCluster, resourceType: mdbv1.ReplicaSet, authModes: []string{}, @@ -160,7 +160,7 @@ func TestEnterpriseResourceSearchSource_Validate(t *testing.T) { // Authentication mode tests { name: "No SCRAM authentication", - version: "8.0.10", + version: "8.2.0", topology: mdbv1.ClusterTopologySingleCluster, resourceType: mdbv1.ReplicaSet, authModes: []string{"X509"}, @@ -169,7 +169,7 @@ func TestEnterpriseResourceSearchSource_Validate(t *testing.T) { }, { name: "Empty authentication modes", - version: "8.0.10", + version: "8.2.0", topology: mdbv1.ClusterTopologySingleCluster, resourceType: mdbv1.ReplicaSet, authModes: []string{}, @@ -177,7 +177,7 @@ func TestEnterpriseResourceSearchSource_Validate(t *testing.T) { }, { name: "Nil authentication modes", - version: "8.0.10", + version: "8.2.0", topology: mdbv1.ClusterTopologySingleCluster, resourceType: mdbv1.ReplicaSet, authModes: nil, @@ -185,7 +185,7 @@ func TestEnterpriseResourceSearchSource_Validate(t *testing.T) { }, { name: "Valid SCRAM authentication", - version: "8.0.10", + version: "8.2.0", topology: mdbv1.ClusterTopologySingleCluster, resourceType: mdbv1.ReplicaSet, authModes: []string{"SCRAM-SHA-256"}, 
@@ -193,7 +193,7 @@ func TestEnterpriseResourceSearchSource_Validate(t *testing.T) { }, { name: "Mixed auth modes with SCRAM", - version: "8.0.10", + version: "8.2.0", topology: mdbv1.ClusterTopologySingleCluster, resourceType: mdbv1.ReplicaSet, authModes: []string{"X509", "SCRAM-SHA-256"}, @@ -201,7 +201,7 @@ func TestEnterpriseResourceSearchSource_Validate(t *testing.T) { }, { name: "Case insensitive SCRAM", - version: "8.0.10", + version: "8.2.0", topology: mdbv1.ClusterTopologySingleCluster, resourceType: mdbv1.ReplicaSet, authModes: []string{"scram-sha-256"}, @@ -209,7 +209,7 @@ func TestEnterpriseResourceSearchSource_Validate(t *testing.T) { }, { name: "SCRAM variants", - version: "8.0.10", + version: "8.2.0", topology: mdbv1.ClusterTopologySingleCluster, resourceType: mdbv1.ReplicaSet, authModes: []string{"SCRAM", "SCRAM-SHA-1", "SCRAM-SHA-256"}, @@ -218,7 +218,7 @@ func TestEnterpriseResourceSearchSource_Validate(t *testing.T) { // Internal cluster authentication tests { name: "X509 internal cluster auth not supported", - version: "8.0.10", + version: "8.2.0", topology: mdbv1.ClusterTopologySingleCluster, resourceType: mdbv1.ReplicaSet, authModes: []string{"SCRAM-SHA-256"}, @@ -228,7 +228,7 @@ func TestEnterpriseResourceSearchSource_Validate(t *testing.T) { }, { name: "Valid internal cluster auth - empty", - version: "8.0.10", + version: "8.2.0", topology: mdbv1.ClusterTopologySingleCluster, resourceType: mdbv1.ReplicaSet, authModes: []string{"SCRAM-SHA-256"}, @@ -237,7 +237,7 @@ func TestEnterpriseResourceSearchSource_Validate(t *testing.T) { }, { name: "Valid internal cluster auth - SCRAM", - version: "8.0.10", + version: "8.2.0", topology: mdbv1.ClusterTopologySingleCluster, resourceType: mdbv1.ReplicaSet, authModes: []string{"SCRAM-SHA-256"}, 
@@ -252,11 +252,11 @@ func TestEnterpriseResourceSearchSource_Validate(t *testing.T) { resourceType: mdbv1.Standalone, authModes: []string{"X509"}, expectError: true, - expectedErrMsg: "MongoDB version must be 8.0.10 or higher", + expectedErrMsg: "MongoDB version must be 8.2.0 or higher", }, { name: "Valid version, invalid topology", - version: "8.0.10", + version: "8.2.0", topology: mdbv1.ClusterTopologyMultiCluster, resourceType: mdbv1.ReplicaSet, authModes: []string{}, @@ -265,7 +265,7 @@ func TestEnterpriseResourceSearchSource_Validate(t *testing.T) { }, { name: "Valid version and topology, invalid resource type", - version: "8.0.10", + version: "8.2.0", topology: mdbv1.ClusterTopologySingleCluster, resourceType: mdbv1.Standalone, authModes: []string{}, diff --git a/controllers/searchcontroller/mongodbsearch_reconcile_helper.go b/controllers/searchcontroller/mongodbsearch_reconcile_helper.go index 9f95670ea..d3a5c32a0 100644 --- a/controllers/searchcontroller/mongodbsearch_reconcile_helper.go +++ b/controllers/searchcontroller/mongodbsearch_reconcile_helper.go @@ -7,7 +7,6 @@ import ( "fmt" "strings" - "github.com/blang/semver" "github.com/ghodss/yaml" "go.uber.org/zap" "golang.org/x/xerrors" @@ -22,7 +21,6 @@ import ( apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - mdbv1 "github.com/mongodb/mongodb-kubernetes/api/v1/mdb" searchv1 "github.com/mongodb/mongodb-kubernetes/api/v1/search" "github.com/mongodb/mongodb-kubernetes/controllers/operator/workflow" "github.com/mongodb/mongodb-kubernetes/mongodb-community-operator/pkg/automationconfig" 
@@ -483,65 +481,3 @@ func (r *MongoDBSearchReconcileHelper) getMongotImage() string { return "" } - -func SearchCoordinatorRole() mdbv1.MongoDBRole { - // direct translation of https://github.com/10gen/mongo/blob/6f8d95a513eea8f91ea9f5d895dd8a288dfcf725/src/mongo/db/auth/builtin_roles.yml#L652 - return mdbv1.MongoDBRole{ - Role: "searchCoordinator", - Db: "admin", - Roles: []mdbv1.InheritedRole{ - { - Role: "clusterMonitor", - Db: "admin", - }, - { - Role: "directShardOperations", - Db: "admin", - }, - { - Role: "readAnyDatabase", - Db: "admin", - }, - }, - Privileges: []mdbv1.Privilege{ - { - Resource: mdbv1.Resource{ - Db: "__mdb_internal_search", - }, - Actions: []string{ - "changeStream", "collStats", "dbHash", "dbStats", "find", - "killCursors", "listCollections", "listIndexes", "listSearchIndexes", - // performRawDataOperations is available only on mongod master - // "performRawDataOperations", - "planCacheRead", "cleanupStructuredEncryptionData", - "compactStructuredEncryptionData", "convertToCapped", "createCollection", - "createIndex", "createSearchIndexes", "dropCollection", "dropIndex", - "dropSearchIndex", "insert", "remove", "renameCollectionSameDB", - "update", "updateSearchIndex", - }, - }, - // TODO: this causes the error "(BadValue) resource: {cluster: true} conflicts with resource type 'db'" - // { - // Resource: mdbv1.Resource{ - // Cluster: ptr.To(true), - // }, - // Actions: []string{"bypassDefaultMaxTimeMS"}, - // }, - }, - AuthenticationRestrictions: nil, - } -} - -// Because the first Search Public Preview support MongoDB Server 8.0.10 we need to polyfill the searchCoordinator role -// TODO: Remove once we drop support for <8.2 in Search -func NeedsSearchCoordinatorRolePolyfill(mongodbVersion string) bool { - version, err := semver.ParseTolerant(mongodbVersion) - if err != nil { - // if we can't determine the version, assume no need to polyfill - return false - } - - // 8.0.10+ and 8.1.x need the polyfill, anything older is not supported and 
execution will never reach here, - // and anything newer already has the role built-in - return version.Major == 8 && version.Minor < 2 -} diff --git a/controllers/searchcontroller/mongodbsearch_reconcile_helper_test.go b/controllers/searchcontroller/mongodbsearch_reconcile_helper_test.go index 88f57f246..affc30c52 100644 --- a/controllers/searchcontroller/mongodbsearch_reconcile_helper_test.go +++ b/controllers/searchcontroller/mongodbsearch_reconcile_helper_test.go @@ -98,57 +98,6 @@ func TestMongoDBSearchReconcileHelper_ValidateSingleMongoDBSearchForSearchSource } } -func TestNeedsSearchCoordinatorRolePolyfill(t *testing.T) { - cases := []struct { - name string - version string - expected bool - }{ - { - name: "MongoDB 7.x and below do not require polyfill (unsupported by Search)", - version: "7.3.0", - expected: false, - }, - { - name: "MongoDB 8.0.x requires polyfill", - version: "8.0.10", - expected: true, - }, - { - name: "MongoDB 8.1.x requires polyfill", - version: "8.1.0", - expected: true, - }, - { - name: "MongoDB 8.2.0-rc0 treated as 8.2 (no polyfill)", - version: "8.2.0-rc0", - expected: false, - }, - { - name: "MongoDB 8.2.0 and above do not require polyfill", - version: "8.2.0", - expected: false, - }, - { - name: "MongoDB 8.2.0-ent treated as 8.2 (no polyfill)", - version: "8.2.0-ent", - expected: false, - }, - { - name: "MongoDB 9.0.0 and above do not require polyfill", - version: "9.0.0", - expected: false, - }, - } - - for _, c := range cases { - t.Run(c.name, func(t *testing.T) { - actual := NeedsSearchCoordinatorRolePolyfill(c.version) - assert.Equal(t, c.expected, actual) - }) - } -} - func TestGetMongodConfigParameters_TransportAndPorts(t *testing.T) { cases := []struct { name string diff --git a/mongodb-community-operator/controllers/replica_set_controller.go b/mongodb-community-operator/controllers/replica_set_controller.go index 972337939..4c0f593f9 100644 --- a/mongodb-community-operator/controllers/replica_set_controller.go 
+++ b/mongodb-community-operator/controllers/replica_set_controller.go @@ -14,7 +14,6 @@ import ( "k8s.io/apimachinery/pkg/fields" "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" - "k8s.io/utils/ptr" "sigs.k8s.io/controller-runtime/pkg/builder" "sigs.k8s.io/controller-runtime/pkg/controller" "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" @@ -729,7 +728,6 @@ func (r ReplicaSetReconciler) buildAutomationConfig(ctx context.Context, mdb mdb prometheusModification, processPortManager.GetPortsModification(), getMongodConfigSearchModification(search, mdb.Spec.GetClusterDomain()), - searchCoordinatorCustomRoleModification(search, mdb.GetMongoDBVersion()), ) if err != nil { return automationconfig.AutomationConfig{}, fmt.Errorf("could not create an automation config: %s", err) 
@@ -742,66 +740,6 @@ func (r ReplicaSetReconciler) buildAutomationConfig(ctx context.Context, mdb mdb return automationConfig, nil } -// TODO: remove this as soon as searchCoordinator builtin role is backported -func searchCoordinatorCustomRoleModification(search *searchv1.MongoDBSearch, mongodbVersion string) automationconfig.Modification { - if search == nil || !searchcontroller.NeedsSearchCoordinatorRolePolyfill(mongodbVersion) { - return automationconfig.NOOP() - } - - return func(ac *automationconfig.AutomationConfig) { - searchCoordinatorRole := searchCoordinatorCustomRoleStruct() - ac.Roles = append(ac.Roles, searchCoordinatorRole) - } -} - -func searchCoordinatorCustomRoleStruct() automationconfig.CustomRole { - // direct translation of https://github.com/10gen/mongo/blob/6f8d95a513eea8f91ea9f5d895dd8a288dfcf725/src/mongo/db/auth/builtin_roles.yml#L652 - return automationconfig.CustomRole{ - Role: "searchCoordinator", - DB: "admin", - Roles: []automationconfig.Role{ - { - Role: "clusterMonitor", - Database: "admin", - }, - { - Role: "directShardOperations", - Database: "admin", - }, - { - Role: "readAnyDatabase", - Database: "admin", - }, - }, - Privileges: []automationconfig.Privilege{ - { - Resource: automationconfig.Resource{ - DB: ptr.To("__mdb_internal_search"), - Collection: ptr.To(""), - }, - Actions: []string{ - "changeStream", "collStats", "dbHash", "dbStats", "find", - "killCursors", "listCollections", "listIndexes", "listSearchIndexes", - // performRawDataOperations is available only on mongod master - // "performRawDataOperations", - "planCacheRead", "cleanupStructuredEncryptionData", - "compactStructuredEncryptionData", "convertToCapped", "createCollection", - "createIndex", "createSearchIndexes", "dropCollection", "dropIndex", - "dropSearchIndex", "insert", "remove", "renameCollectionSameDB", - "update", "updateSearchIndex", - }, - }, - { - Resource: automationconfig.Resource{ - Cluster: true, - }, - Actions: 
[]string{"bypassDefaultMaxTimeMS"}, - }, - }, - AuthenticationRestrictions: nil, - } -} - // OverrideToAutomationConfig turns an automation config override from the resource spec into an automation config // which can be used to merge. func OverrideToAutomationConfig(override mdbv1.AutomationConfigOverride) automationconfig.AutomationConfig {