  1. Core Server
  2. SERVER-10593

Expose built-in roles that can be used with the deprecated addUser helper that just takes a readOnly bool


Details

    • Task
    • Status: Closed
    • Major - P3
    • Resolution: Duplicate
    • 2.5.2
    • None
    • Security
    • None
    • Minor Change

    Description

      The old form of addUser didn't take any role names as input; it just took a read-only boolean. There were basically 4 kinds of users it could make, based on the value of readOnly and whether or not the command was run on the admin DB. We need to figure out what the right roles to grant users are in each of those 4 cases.

      Proposed plan:

      • DB-level read-only gets the "read" role.
      • DB-level read-write gets the new "dbOwner" role, which is the equivalent of readWrite + dbAdmin + userAdmin on that database.
      • admin read-only gets the "readAnyDatabase" role.
      • admin read-write gets a still-to-be-named "superuser" role.
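
      The proposed plan applied to legacy user records, as an added example that is not part of the original ticket or MongoDB's own code. It maps each readOnly-style user to its role, expands "dbOwner" as the ticket defines it, and reports which migrated users end up holding userAdmin. The record shape, the function names and the sample users are assumptions, and "superuser" is the ticket's placeholder name, left unexpanded because the ticket does not define its contents.

```javascript
// Added illustration; not MongoDB source code.
// Composite role as defined in the ticket; every other role is treated as a leaf.
const COMPOSITE = { dbOwner: ["readWrite", "dbAdmin", "userAdmin"] };
// Placeholder: the ticket leaves the admin read-write role name undecided.
const ADMIN_RW_ROLE = "superuser";

// Map one legacy (readOnly-boolean) user to a role under the proposed plan.
function roleForLegacyUser(dbName, readOnly) {
  if (dbName === "admin") return readOnly ? "readAnyDatabase" : ADMIN_RW_ROLE;
  return readOnly ? "read" : "dbOwner";
}

// Expand a role into the leaf roles it implies.
function expandRole(role) {
  return COMPOSITE[role] ? COMPOSITE[role].flatMap(expandRole) : [role];
}

// Convert legacy records (hypothetical shape: {db, user, readOnly}) and note
// which users hold userAdmin once composite roles are expanded.
function migrate(legacyUsers) {
  return legacyUsers.map(({ db, user, readOnly }) => {
    // A missing readOnly flag is treated as false, i.e. a read-write user.
    const role = roleForLegacyUser(db, Boolean(readOnly));
    const effective = expandRole(role);
    return {
      db,
      user,
      roles: [{ role, db }],
      effective,
      grantsUserAdmin: effective.includes("userAdmin"),
    };
  });
}

// Constructed sample input (hypothetical users), one per case in the ticket.
const SAMPLE = [
  { db: "app", user: "report", readOnly: true },
  { db: "app", user: "svc" },
  { db: "admin", user: "auditor", readOnly: true },
  { db: "admin", user: "ops", readOnly: false },
];

for (const u of migrate(SAMPLE)) {
  const note = u.grantsUserAdmin ? "  (holds userAdmin)" : "";
  console.log(`${u.db}.${u.user}: ${u.roles[0].role} -> [${u.effective.join(", ")}]${note}`);
}
```

      For review purposes, the point to notice is that every DB-level read-write legacy user comes out with userAdmin on its database, because "dbOwner" includes it.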


            People

              spencer@mongodb.com Spencer Brody (Inactive)