-
Type: Task
-
Resolution: Won't Do
-
Priority: Minor - P4
-
Affects Version/s: None
-
Component/s: Server
-
Labels:
-
0.5
Most especially on Windows where usage of SIGUSR1 is not an option, we should document the idea of creating a user that only has the logRotate privilege to be used by a scheduled task that initiates log rotation.
A possible option would be to create a user with a user defined role that only allows the logRotate privilege. This way, even if the password were compromised, the only thing a malicious user could accomplish was running the logRotate command.
For example, the commands below can be run in a MongoDB Shell to create a user defined role and a user who has that role assigned.
// create a user defined role that only permits log rotation db.adminCommand({ createRole: "logrotate", privileges: [ { resource: { cluster: true }, actions: [ "logRotate" ] } ], roles: [] } ) // create a user that has the logrotate role assigned db.createUser({user: "logrotateUser", pwd: "password", roles: [ { role: "logrotate", db: "admin"} ] } )
Unfortunately, this mechanism can not currently be used for an arbiter as it does not have a copy of the admin database so you can not authenticate when connecting to it. We do have an open enhancement request to implement this feature.
The relevant tickets are:
SERVER-23443 - this describes the behavior we want. It was closed as a duplicate of SERVER-5479
SERVER-5479 - includes other aspects as well
- is related to
-
DOCS-8754 Need clarity on logRotation options for Windows
- Closed