[DOCS-11028] Additional option for initiating logRotate Created: 16/Nov/17  Updated: 30/Oct/23

Status: Closed
Project: Documentation
Component/s: Server
Affects Version/s: None
Fix Version/s: Server_Docs_20231030

Type: Improvement Priority: Minor - P4
Reporter: Arnie Listhaus Assignee: Unassigned
Resolution: Won't Do Votes: 0
Labels: user-management
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

https://docs.mongodb.com/manual/reference/method/db.createRole/


Issue Links:
Related
is related to DOCS-8754 Need clarity on logRotation options f... Closed
Participants:
Days since reply: 1 year, 14 weeks, 2 days ago
Epic Link: DOCSP-1769
Story Points: 0.5

 Description   

Especially on Windows, where SIGUSR1 is not an option, we should document the idea of creating a user that only has the logRotate privilege, to be used by a scheduled task that initiates log rotation.

A possible option would be to create a user with a user-defined role that only allows the logRotate privilege. This way, even if the password were compromised, the only thing a malicious user could accomplish would be running the logRotate command.

For example, the commands below can be run in a MongoDB Shell to create a user defined role and a user who has that role assigned.

// run against the admin database: cluster-level roles and the users that hold
// them belong there, and it is the database the scheduled task will authenticate to
var admin = db.getSiblingDB("admin")

// create a user defined role that only permits log rotation
// (logRotate is a cluster-wide action, hence resource: { cluster: true })
admin.adminCommand({ createRole: "logrotate", privileges: [ { resource: { cluster: true }, actions: [ "logRotate" ] } ], roles: [] })

// create a user that has only the logrotate role assigned; replace "password"
// with a strong secret (pwd: passwordPrompt() avoids echoing it in the shell)
admin.createUser({ user: "logrotateUser", pwd: "password", roles: [ { role: "logrotate", db: "admin" } ] })

Unfortunately, this mechanism cannot currently be used for an arbiter, as it does not have a copy of the admin database, so you cannot authenticate when connecting to it. We do have an open enhancement request to implement this feature.

The relevant tickets are:

SERVER-23443 - this describes the behavior we want. It was closed as a duplicate of SERVER-5479
SERVER-5479 - includes other aspects as well
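The scheduled-task side of the proposal, as an added example that is not part of the ticket or of the MongoDB documentation: it first checks that the restricted user really can rotate logs and nothing else, then registers a daily Windows task that runs the rotation as that user. The mongosh install path, host and port, password-file location and schedule are assumptions; the legacy mongo shell accepts the same flags.

```powershell
# Added example, not from the ticket. Assumed paths/host/schedule; adjust as needed.
$mongosh  = 'C:\Program Files\mongosh\mongosh.exe'     # assumed install path
$hostPort = 'localhost:27017'
$user     = 'logrotateUser'                             # user created in the ticket
# Keep the secret off the task's visible command line: read it from a file whose
# ACL only lets the task's account (and administrators) read it.
$pwdFile  = 'C:\ProgramData\MongoDB\logrotate.pwd'
$mongoPwd = (Get-Content -Path $pwdFile -Raw).Trim()

# 1. One-time check that the role is as narrow as intended: logRotate must succeed,
#    anything else (serverStatus here) must be rejected as "not authorized".
#    mongosh throws on command errors, the legacy shell returns { ok: 0 }; handle both.
$check = @'
var r = db.adminCommand({ logRotate: 1 });
if (r.ok !== 1) { throw new Error("logRotate failed: " + JSON.stringify(r)); }
var s;
try { s = db.adminCommand({ serverStatus: 1 }); } catch (e) { s = { ok: 0, errmsg: String(e) }; }
if (s.ok === 1) { throw new Error("role is too broad: serverStatus was allowed"); }
if (!/not authorized/i.test(s.errmsg || "")) { throw new Error("unexpected failure: " + s.errmsg); }
print("OK: logRotate allowed, serverStatus denied");
'@
& $mongosh "mongodb://$hostPort/admin" --username $user --password $mongoPwd `
    --authenticationDatabase admin --quiet --eval $check
if ($LASTEXITCODE -ne 0) { throw "privilege check failed (exit $LASTEXITCODE)" }

# 2. Write the script the task will run. It reads the password at run time, so the
#    secret never appears in the task definition or the Task Scheduler UI.
$script = 'C:\ProgramData\MongoDB\rotate-logs.ps1'
@"
`$mongoPwd = (Get-Content -Path '$pwdFile' -Raw).Trim()
& '$mongosh' 'mongodb://$hostPort/admin' --username '$user' --password `$mongoPwd ``
    --authenticationDatabase admin --quiet --eval 'db.adminCommand({ logRotate: 1 })'
exit `$LASTEXITCODE
"@ | Set-Content -Path $script -Encoding UTF8

# 3. Register a daily task running as SYSTEM; the MongoDB side is still limited
#    to the logrotate role, so a leaked password only buys an extra log rotation.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$script`""
$trigger   = New-ScheduledTaskTrigger -Daily -At 3am
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount
Register-ScheduledTask -TaskName 'MongoDB log rotation' -Action $action `
    -Trigger $trigger -Principal $principal -Force
```

The check in step 1 is worth keeping around: rerun it after any change to the role, since a role that silently gains actions defeats the purpose of the dedicated user.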



 Comments   
Comment by Education Bot [ 31/Oct/22 ]

Hello! This ticket has been closed due to inactivity. If you believe this ticket is still important, please reopen it and leave a comment to explain why. Thank you!
