|
Most especially on Windows where usage of SIGUSR1 is not an option, we should document the idea of creating a user that only has the logRotate privilege to be used by a scheduled task that initiates log rotation.
A possible option would be to create a user with a user defined role that only allows the logRotate privilege. This way, even if the password were compromised, the only thing a malicious user could accomplish was running the logRotate command.
For example, the commands below can be run in a MongoDB Shell to create a user defined role and a user who has that role assigned.
// create a user defined role that only permits log rotation
|
db.adminCommand({ createRole: "logrotate", privileges: [ { resource: { cluster: true }, actions: [ "logRotate" ] } ], roles: [] } )
|
|
// create a user that has the logrotate role assigned
|
db.createUser({user: "logrotateUser", pwd: "password", roles: [ { role: "logrotate", db: "admin"} ] } )
|
Unfortunately, this mechanism can not currently be used for an arbiter as it does not have a copy of the admin database so you can not authenticate when connecting to it. We do have an open enhancement request to implement this feature.
The relevant tickets are:
SERVER-23443 - this describes the behavior we want. It was closed as a duplicate of SERVER-5479
SERVER-5479 - includes other aspects as well
|