  1. Core Server
  2. SERVER-11768

Validate privileges (action/resource type mapping) granted to roles

Details

    • Server Security
    • Fully Compatible

    Description

      For UDR, add validation code to make sure that it's not possible to grant incorrect, meaningless privileges. Some examples of such privileges are:

      • Cluster membership management (addShard, replSetReconfig, etc) on anything but the clusterResource.
      • CRUD (find, insert, update, remove) on the cluster resource.

      More specifically, for all action types, map which ones should be grantable to which of the five basic resource types in UDR.

      For reference, the 5 types of grantable resource patterns are:

      1. A specific namespace (<dbname>.<collectionName>)
      2. All collections in a given database (excluding system collections)
      3. A given collection name in all databases
      4. All collections in all databases (excluding system collections)
      5. The cluster resource.
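
A sketch of the validation the ticket asks for, as an added example that is not MongoDB server code: it classifies a privilege's resource into one of the five pattern types and rejects actions that are not grantable on that type. It assumes MongoDB's privilege document shape (`{ db, collection }` with empty strings as wildcards, or `{ cluster: true }`); the function and constant names are hypothetical, and the table covers only the actions the ticket names, not the full mapping.

```javascript
// Added example, not MongoDB server code. Function and constant names are
// hypothetical; the table holds only the actions the ticket names.
const NS = "namespace", DB = "database", COLL = "collectionInAllDbs",
      ANY = "anyNormalResource", CLUSTER = "cluster";
const NON_CLUSTER = [NS, DB, COLL, ANY];

// A Map, not a plain object, so "constructor" or "__proto__" is never
// mistaken for a known action.
const GRANTABLE = new Map([
  ["addShard", [CLUSTER]],
  ["replSetReconfig", [CLUSTER]],
  ["find", NON_CLUSTER],
  ["insert", NON_CLUSTER],
  ["update", NON_CLUSTER],
  ["remove", NON_CLUSTER],
]);

// Classify a resource document into one of the five pattern types.
function resourceType(resource) {
  if (resource === null || typeof resource !== "object") {
    throw new TypeError("resource must be an object");
  }
  const keys = Object.keys(resource).sort().join(",");
  if (keys === "cluster" && resource.cluster === true) return CLUSTER;
  if (keys === "collection,db" && typeof resource.db === "string" &&
      typeof resource.collection === "string") {
    if (resource.db !== "" && resource.collection !== "") return NS;
    if (resource.db !== "") return DB;
    if (resource.collection !== "") return COLL;
    return ANY;
  }
  throw new TypeError("unrecognised resource: " + JSON.stringify(resource));
}

// Return a list of problems; an empty list means the privilege is grantable.
function validatePrivilege(privilege) {
  const type = resourceType(privilege.resource);
  if (!Array.isArray(privilege.actions)) return ["actions must be an array"];
  return privilege.actions.flatMap((action) => {
    const allowed = GRANTABLE.get(action);
    if (allowed === undefined) return [`unknown action '${action}'`];
    return allowed.includes(type)
      ? [] : [`'${action}' is not grantable on a ${type} resource`];
  });
}
```

Running the check when a role is created or updated rejects a meaningless grant at the point it is made, with one error string per offending action.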

          People

            backlog-server-security Backlog - Security Team
            andreas.nilsson Andreas Nilsson