  1. Core Server
  2. SERVER-10593

Expose built-in roles that can be used with the deprecated addUser helper that just takes a readOnly bool

    • Type: Task
    • Resolution: Duplicate
    • Priority: Major - P3
    • None
    • Affects Version/s: 2.5.2
    • Component/s: Security
    • Labels:
    • Minor Change

      The old form of addUser didn't take any role names as input; it just took a read-only boolean. There were basically 4 kinds of users it could make, based on the value of readOnly and whether or not the command was run on the admin DB. We need to figure out what the right roles to grant users are in each of those 4 cases.

      Proposed plan:

      • DB-level read-only gets the "read" role.
      • DB-level read-write gets the new "dbOwner" role, which is the equivalent of readWrite + dbAdmin + userAdmin on that database.
      • admin read-only gets the "readAnyDatabase" role.
      • admin read-write gets a still-to-be-named "superuser" role.

            spencer@mongodb.com Spencer Brody (Inactive)