[SERVER-11343] Change chunk manipulation commands to require privileges on the sharded collection rather than the cluster resource
| Created: | 23/Oct/13 | Updated: | 30/Oct/15 | Resolved: | 06/Nov/13 |
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security, Sharding |
| Affects Version/s: | None |
| Fix Version/s: | 2.5.4 |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Spencer Brody (Inactive) | Assignee: | Spencer Brody (Inactive) |
| Resolution: | Done | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Participants: |
| Description |
Currently, commands for manipulating sharding information about a collection (shardCollection, moveChunk, splitChunk, etc.) require privileges on the cluster resource. This means that you can only grant users the ability to shard all collections or none; there's no way to say you can shard collections in this db but not collections in this other db. If we change the access control checks in these commands to use the namespace as the target, this should be easy to fix.
| Comments |
| Comment by Spencer Brody (Inactive) [ 06/Nov/13 ] |
https://github.com/mongodb/mongo/commit/68c52f54dc4d81673b01c9964dfec3eed10de5a0
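The difference the ticket description draws between checking the cluster resource and checking the namespace, as an added example that is not code from the ticket or from the MongoDB source. It is a simplified model of privilege matching; the role name `salesShardAdmin`, the `sales` and `hr` databases, and the helper functions are hypothetical, and the action names are assumed to mirror the command names.

```javascript
// Simplified model of privilege matching (assumption: illustrative only,
// not the server's authorization code).
const salesShardAdmin = {
  role: "salesShardAdmin",                        // hypothetical role name
  privileges: [{
    resource: { db: "sales", collection: "" },    // every collection in "sales"
    actions: ["moveChunk", "splitChunk"],
  }],
  roles: [],
};

// Does a privilege's resource pattern cover the resource a command checks?
// An empty db or collection string in the pattern acts as a wildcard.
function covers(pattern, target) {
  if (pattern.cluster || target.cluster) {
    return pattern.cluster === true && target.cluster === true;
  }
  const dbOk = pattern.db === "" || pattern.db === target.db;
  const collOk = pattern.collection === "" ||
                 pattern.collection === target.collection;
  return dbOk && collOk;
}

function isAuthorized(role, action, target) {
  return role.privileges.some(
    (p) => p.actions.includes(action) && covers(p.resource, target));
}

// Resource a chunk command checks for namespace "db.coll".
// mode "cluster" models the behaviour before the change, "namespace" after.
function checkTarget(ns, mode) {
  if (mode === "cluster") return { cluster: true };
  const dot = ns.indexOf(".");
  if (dot <= 0 || dot === ns.length - 1) {
    throw new Error(`bad namespace: ${ns}`);
  }
  // Only the first dot separates db from collection ("a.b.c" -> "a", "b.c").
  return { db: ns.slice(0, dot), collection: ns.slice(dot + 1) };
}

function canRun(role, action, ns, mode) {
  return isAuthorized(role, action, checkTarget(ns, mode));
}
```

With the cluster resource as the target, a database-scoped grant authorizes nothing and only an all-or-nothing `{ cluster: true }` privilege works; with the namespace as the target, the same role permits chunk operations in `sales` and denies them in `hr`.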