[SERVER-17856] users on mongods should always be able to run currentOp and killOp on their own operations - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: New Feature
Status: Closed
Priority: Major - P3
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.2.9, 3.3.11
Component/s: Security
Labels:
- code-and-test

Backwards Compatibility:
Minor Change
Backport Completed:

3.2.9
Sprint:
Security 17 (07/15/16), Security (08/08/16)

Description

Both the inprog (currentOp) and killop (killOp) roles are granted at the cluster resource level, which makes them an all-or-none condition (I believe).

Use case:

Give developers access to a database with restricted access (basically read-only, non-administrative authority). However because they are given the ability to execute queries, it would be nice if they had the ability to kill any process that were executed by them. Some tools, such as Aqua Data Studio, utilize the killOp command to terminate any queries executed from their query window, however this functionality only works for individuals with administrative roles.
One solution would be to permit killOp command to be permissioned to allow a user to kill his own processes but no other.

Perhaps even just a single new role (userKillOp?) could suffice.

Attachments

Issue Links

is documented by

DOCS-8476 3.2.9 -- user can run killop/currentOp on own operations

Closed

is related to

SERVER-28260 Create a killAnyCursor privilege

Closed

SERVER-9609 Ensure users can only call getMore on cursors they created

Closed

related to

SERVER-25354 users on mongos should always be able to run currentOp and killOp on their own operations

Closed

Activity

People

Assignee:: Spencer Jackson

Reporter:: Andrew Ryder (Inactive)

Participants:: Andrew Ryder, Githook User, Spencer Jackson

Votes:: 2 Vote for this issue

Watchers:: 12 Start watching this issue

Dates

Created:: Apr 02 2015 07:27:09 AM UTC

Updated:: Mar 22 2017 03:26:45 PM UTC

Resolved:: Jul 29 2016 09:05:45 PM UTC