SERVER-12134 (Core Server)

Allow permission to run "touch" command to be granted to specific collections


Details

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • None
    • 2.5.4
    • Security
    • None
    • Server Security
    • ALL

    Description

      Currently if a user has the permission to run the "touch" command then they can run it on any collection in the system. There is no way to say a user is allowed to run "touch" on db1.foo but not db2.bar. This also means that only roles on the "admin" database can grant the ability to run "touch".

      This is because the access control check for the "touch" command requires the "touch" action on the cluster resource. Since the touch command operates on a collection, the access control check should require the "touch" action on the collection resource.
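
      The difference between the two checks, as an added example that is not part of the original ticket and is not MongoDB server code: a simplified JavaScript model of privilege matching that uses the role-privilege resource document shapes (`{ cluster: true }` and `{ db, collection }`). The role names and the helpers `resourceMatches`, `isAuthorized`, `definableOn`, `canTouchBefore` and `canTouchAfter` are hypothetical.

```javascript
// Simplified model of MongoDB-style privilege checks (illustrative, not server code).
// A resource is either { cluster: true } or { db, collection }; in the latter an
// empty string matches any database or any collection.
function resourceMatches(granted, requested) {
  if (granted.cluster || requested.cluster) {
    return granted.cluster === true && requested.cluster === true;
  }
  const dbOk = granted.db === "" || granted.db === requested.db;
  const collOk = granted.collection === "" || granted.collection === requested.collection;
  return dbOk && collOk;
}

function isAuthorized(role, requested, action) {
  return role.privileges.some(
    (p) => p.actions.includes(action) && resourceMatches(p.resource, requested)
  );
}

// A role defined outside "admin" may only name resources in its own database,
// so a cluster-resource privilege can only live in a role on "admin".
function definableOn(role) {
  return role.db === "admin" || role.privileges.every(
    (p) => !p.resource.cluster && p.resource.db === role.db);
}

// Check described in the ticket: "touch" is required on the cluster resource.
const canTouchBefore = (role, ns) => isAuthorized(role, { cluster: true }, "touch");
// Check the ticket asks for: "touch" is required on the target collection.
const canTouchAfter = (role, ns) => isAuthorized(role, ns, "touch");

// Constructed roles (hypothetical names).
const clusterToucher = { role: "clusterToucher", db: "admin",
  privileges: [{ resource: { cluster: true }, actions: ["touch"] }] };
const fooToucher = { role: "fooToucher", db: "db1",
  privileges: [{ resource: { db: "db1", collection: "foo" }, actions: ["touch"] }] };

function decisionTable() {
  const targets = [{ db: "db1", collection: "foo" }, { db: "db2", collection: "bar" }];
  const rows = [];
  for (const role of [clusterToucher, fooToucher]) {
    for (const ns of targets) {
      rows.push({ role: role.role, target: `${ns.db}.${ns.collection}`,
        before: canTouchBefore(role, ns), after: canTouchAfter(role, ns) });
    }
  }
  return rows;
}

console.table(decisionTable());
```

      In the "before" column the cluster-scoped grant allows every target and the collection-scoped grant allows none; in the "after" column `fooToucher` is allowed on db1.foo only.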

          People

            backlog-server-security Backlog - Security Team
            spencer@mongodb.com Spencer Brody (Inactive)