  1. Core Server
  2. SERVER-36141

Builtin role which only has INSERT/UPDATE/DELETE/FIND/STATs (Not create/drop collection & index)

    Details

    • Type: New Feature
    • Status: Open
    • Priority: Minor - P4
    • Resolution: Unresolved
    • Affects Version/s: 3.4.16
    • Fix Version/s: Backlog
    • Component/s: Security
    • Labels:
      None

      Description

      A lot of companies have their own DBA team, and schema modification tasks like creating/dropping indexes and collections are the responsibility of the DBA team. The DBAs want schema changes to be done by the DBA team only, not by developers.

       

      But in the current implementation of MongoDB, all CRUD (INSERT, UPDATE, DELETE, FIND) and schema-change actions are included in the "readWrite" role. So CRUD and schema-change actions cannot be separated when using built-in roles. We can do it with a user-defined role, but user-defined roles have some issues, like https://jira.mongodb.org/browse/SERVER-17513 (we have to create a user-defined role for each database).

       

      I think adding another built-in role is easy, so what do you think about adding a pureReadWriteRole for this use case?

      ```

      // Read-write role
      readWriteRoleActions += readRoleActions;
      readWriteRoleActions
      << ActionType::convertToCapped // db admin gets this also
      << ActionType::createCollection // db admin gets this also
      << ActionType::dropCollection
      << ActionType::dropIndex
      << ActionType::emptycapped
      << ActionType::createIndex
      << ActionType::insert
      << ActionType::remove
      << ActionType::renameCollectionSameDB // db admin gets this also
      << ActionType::update;

      // Pure read-write role (only contains READ and insert & remove & update)
      pureReadWriteRoleActions += readRoleActions;
      pureReadWriteRoleActions
      << ActionType::emptycapped
      << ActionType::insert
      << ActionType::remove
      << ActionType::update;

      ```
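
The user-defined-role workaround mentioned in the description, as an added example (not part of the issue and not MongoDB's own code): it builds a per-database `db.createRole()` argument limited to CRUD and stats actions, and audits a role document for the schema-change actions listed above, including ones that arrive only through inheritance. The role names `crudOnly` and `appWriter`, the function names, the sample document and the choice of `collStats`/`dbStats` for "STATs" are assumptions.

```javascript
// Schema-change actions the issue lists under the built-in readWrite role.
const SCHEMA_ACTIONS = new Set([
  "convertToCapped", "createCollection", "dropCollection",
  "dropIndex", "createIndex", "renameCollectionSameDB",
]);
// CRUD + stats from the issue title; collStats/dbStats for "STATs" is an assumption.
const CRUD_ACTIONS = ["find", "insert", "update", "remove", "collStats", "dbStats"];

// Build the db.createRole() argument for one database ("crudOnly" is a hypothetical name).
function buildCrudOnlyRole(dbName, roleName = "crudOnly") {
  if (typeof dbName !== "string" || dbName.length === 0) {
    throw new TypeError("dbName must be a non-empty string");
  }
  return {
    role: roleName,
    // collection: "" covers every non-system collection in dbName
    privileges: [{ resource: { db: dbName, collection: "" }, actions: [...CRUD_ACTIONS] }],
    roles: [], // inherit nothing, in particular not readWrite
  };
}

// Audit a role document shaped like db.getRole(name, { showPrivileges: true }) output:
// list schema-change actions granted directly or only via inherited roles.
function findSchemaActions(roleDoc) {
  const findings = [];
  const seen = new Set();
  const scan = (privs, source) => {
    for (const p of privs || []) {
      for (const action of p.actions || []) {
        const key = `${p.resource?.db}/${p.resource?.collection}/${action}`;
        if (!SCHEMA_ACTIONS.has(action) || seen.has(key)) continue;
        seen.add(key);
        findings.push({ source, db: p.resource?.db, action });
      }
    }
  };
  scan(roleDoc.privileges, "direct"); // direct grants first, so they are not re-reported
  scan(roleDoc.inheritedPrivileges, "inherited");
  return findings;
}

// Constructed sample: lists only CRUD directly but inherits readWrite-style actions.
const SAMPLE_ROLE = {
  role: "appWriter", db: "app1",
  privileges: [{ resource: { db: "app1", collection: "" }, actions: ["find", "insert"] }],
  inheritedPrivileges: [{ resource: { db: "app1", collection: "" },
    actions: ["find", "insert", "createIndex", "dropCollection"] }],
};
// In mongosh, per database: db.getSiblingDB("app1").createRole(buildCrudOnlyRole("app1"))
```
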

            People

            Assignee:
            backlog-server-security Backlog - Security Team
            Reporter:
            matt.lee Matt SeongUck Lee
            Votes:
            0
            Watchers:
            7
