[SERVER-11527] Inconsistent arguments in grant/revoke roles/privileges to/from role Created: 01/Nov/13  Updated: 19/Dec/13  Resolved: 01/Nov/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 2.5.4

Type: Bug Priority: Major - P3
Reporter: bard.bloom@10gen.com Assignee: Spencer Brody (Inactive)
Resolution: Done Votes: 0
Labels: 26qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
Backwards Compatibility: Minor Change
Operating System: ALL
Participants:

 Description   

grantRolesToRole takes a grantedRoles argument, thusly:

{ grantRolesToRole: "productsReaderWriter",
  grantedRoles: [
    { role: "productsReader", db: "products"}
  ],
  writeConcern: { w: "majority" , wtimeout: 5000 }
}

But for 'grantPrivilegesToRole, the argument is not 'grantedPrivileges', but simply 'privileges'.

{ grantPrivilegesToRole: "<role>",
  privileges: [
    { resource: { <resource> }, actions: [ "<action>", ... ] },
    ...
  ],
  writeConcern: <write concern document>
}

Similarly, revokeRolesFromRole has 'revokedRoles', but revokePrivelegesFromRole has just 'privileges'



 Comments   
Comment by auto [ 01/Nov/13 ]

Author:

{u'username': u'stbrody', u'name': u'Spencer T Brody', u'email': u'spencer@10gen.com'}

Message: SERVER-11527 Rename 'grantedRoles' and 'revokedRoles' to just 'roles' in the args to grant/revokeRolesFromRole
Branch: master
https://github.com/mongodb/mongo/commit/dde5ead47e54458c4629e59e8139cf4bb3bb1e3a

Comment by bard.bloom@10gen.com [ 01/Nov/13 ]

Speaking as an English professor's child, a novelist, and an all-around petty assh*le, I think that it's pretty clear with just 'roles'.

Comment by Eric Milkie [ 01/Nov/13 ]

I agree – it's pretty clear! I concur with getting rid of "granted".

Comment by Spencer Brody (Inactive) [ 01/Nov/13 ]

Yeah, every other command that specifies roles just calls them "roles". I used "grantedRoles" and "revokedRoles" here b/c I was worried about people getting confused between which is the role receiving the other roles vs the roles being granted to that role. Now seeing how it looks, I'm less worried about it being confusing.

The question is, in the following command, is it clear which role is receiving the other?

db.runCommand({grantRolesToRole: "myRole", roles: ['readWrite']})

I actually think it's pretty clear. If others agree, then I can change grantRolesToRole and revokeRolesToRole to just use "roles" like the other commands do.

Generated at Thu Feb 08 03:26:01 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.