[SERVER-10593] Expose built-in roles that can be used with the deprecated addUser helper that just takes a readOnly bool - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Task
Status: Closed
Priority: Major - P3
Resolution: Duplicate
Affects Version/s: 2.5.2
Fix Version/s: None
Component/s: Security
Labels:
None

Backwards Compatibility:
Minor Change

Description

The old form of addUser didn't take any role names as input, it just took a read-only boolean. There were basically 4 kinds of users it could make, based on the value of readOnly and whether or not the command was run on the admin DB. We need to figure out what the right roles to grant users are in each of those 4 cases.

Proposed plan:

DB-level read-only gets the "read" role.
DB-level read-write gets the new "dbOwner" role, which is the equivalent of readWrite + dbAdmin + userAdmin on that database.
admin read-only gets the "readAnyDatabase" role
admin read-write gets a still-to-be-named "superuser" role.

Attachments

Issue Links

duplicates

SERVER-10794 For compatibility with old versions of the shell, db.addUser("user", "password") should create a super-user.

Closed

is depended on by

JAVA-909 Update user manipulation helpers to use new manipulation commands provided by the server.

Closed

Activity

People

Assignee:: Spencer Brody (Inactive)

Reporter:: Spencer Brody (Inactive)

Participants:: Spencer Brody

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: Aug 21 2013 05:52:20 PM UTC

Updated:: Jul 09 2016 09:09:32 PM UTC

Resolved:: Sep 24 2013 08:50:20 PM UTC