[SERVER-10593] Expose built-in roles that can be used with the deprecated addUser helper that just takes a readOnly bool
Created: 21/Aug/13  Updated: 09/Jul/16  Resolved: 24/Sep/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.5.2
Fix Version/s: None

Type: Task
Priority: Major - P3
Reporter: Spencer Brody (Inactive)
Assignee: Spencer Brody (Inactive)
Resolution: Duplicate
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by JAVA-909 Update user manipulation helpers to u... Closed
Duplicate
duplicates SERVER-10794 For compatibility with old versions o... Closed
Backwards Compatibility: Minor Change
Participants:

 Description   

The old form of addUser didn't take any role names as input; it just took a read-only boolean. There were basically 4 kinds of users it could make, based on the value of readOnly and whether or not the command was run on the admin DB. We need to figure out what the right roles to grant users are in each of those 4 cases.

Proposed plan:

  • DB-level read-only gets the "read" role.
  • DB-level read-write gets the new "dbOwner" role, which is the equivalent of readWrite + dbAdmin + userAdmin on that database.
  • admin read-only gets the "readAnyDatabase" role.
  • admin read-write gets a still-to-be-named "superuser" role.
