Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-17856

users on mongods should always be able to run currentOp and killOp on their own operations

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.2.9, 3.3.11
    • Component/s: Security
    • Labels:

      Description

      Both the inprog (currentOp) and killop (killOp) roles are granted at the cluster resource level, which makes them an all-or-none condition (I believe).

      Use case:

      Give developers access to a database with restricted access (basically read-only, non-administrative authority). However because they are given the ability to execute queries, it would be nice if they had the ability to kill any process that were executed by them. Some tools, such as Aqua Data Studio, utilize the killOp command to terminate any queries executed from their query window, however this functionality only works for individuals with administrative roles.
      One solution would be to permit killOp command to be permissioned to allow a user to kill his own processes but no other.

      Perhaps even just a single new role (userKillOp?) could suffice.

        Issue Links

          Activity

          Hide
          xgen-internal-githook Githook User added a comment -

          Author:

          {u'username': u'spencerjackson', u'name': u'Spencer Jackson', u'email': u'spencer.jackson@mongodb.com'}

          Message: SERVER-17856: Allow mongod users to currentOp and killOp own operations
          Branch: master
          https://github.com/mongodb/mongo/commit/9380a1c12a19a061eaafabb5f6b9e87f16a28179

          Show
          xgen-internal-githook Githook User added a comment - Author: {u'username': u'spencerjackson', u'name': u'Spencer Jackson', u'email': u'spencer.jackson@mongodb.com'} Message: SERVER-17856 : Allow mongod users to currentOp and killOp own operations Branch: master https://github.com/mongodb/mongo/commit/9380a1c12a19a061eaafabb5f6b9e87f16a28179
          Hide
          spencer.jackson Spencer Jackson added a comment -

          I have merged a patch which allows users on mongods to experience this behavior. This will hopefully help most people, but doesn't extend to sharded clusters. I've opened SERVER-25354, for this extension.

          Show
          spencer.jackson Spencer Jackson added a comment - I have merged a patch which allows users on mongods to experience this behavior. This will hopefully help most people, but doesn't extend to sharded clusters. I've opened SERVER-25354 , for this extension.
          Hide
          xgen-internal-githook Githook User added a comment -

          Author:

          {u'username': u'spencerjackson', u'name': u'Spencer Jackson', u'email': u'spencer.jackson@mongodb.com'}

          Message: SERVER-17856: Allow mongod users to currentOp and killOp own operations

          (cherry picked from commit 9380a1c12a19a061eaafabb5f6b9e87f16a28179)
          Branch: v3.2
          https://github.com/mongodb/mongo/commit/62d931bf4ba6a4d881e53e10dd176a80d8f3b8b3

          Show
          xgen-internal-githook Githook User added a comment - Author: {u'username': u'spencerjackson', u'name': u'Spencer Jackson', u'email': u'spencer.jackson@mongodb.com'} Message: SERVER-17856 : Allow mongod users to currentOp and killOp own operations (cherry picked from commit 9380a1c12a19a061eaafabb5f6b9e87f16a28179) Branch: v3.2 https://github.com/mongodb/mongo/commit/62d931bf4ba6a4d881e53e10dd176a80d8f3b8b3

            People

            • Votes:
              2 Vote for this issue
              Watchers:
              11 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                  Agile