[SERVER-11768] Validate privileges (action/resource type mapping) granted to roles Created: 18/Nov/13  Updated: 06/Dec/22

Status: Backlog
Project: Core Server
Component/s: Security, Usability
Affects Version/s: 2.5.4
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Andreas Nilsson Assignee: Backlog - Security Team
Resolution: Unresolved Votes: 0
Labels: 26qa, platforms-re-triaged
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to DOCS-2239 Add more details to the list of actio... Closed
Assigned Teams:
Server Security
Backwards Compatibility: Fully Compatible
Participants:

 Description   

For UDR, add validation code to make sure that its not possible to grant incorrect, meaningless privileges. Some examples of such privileges are:

  • Cluster membership management (addShard, replSetReconfig, etc) on anything but the clusterResource.
  • CRUD (find, insert, update, remove) on cluster resource

More specifically for all action types map which ones should be grantable to which type of the five basic resource types in UDR.

For reference, the 5 types of grantable resource patterns are:

  1. A specific namespace (<dbname>.<collectionName>)
  2. All collections in a given database (excluding system collections)
  3. A given collection name in all databases
  4. All collections in all databases (excluding system collections)
  5. The cluster resource.

Generated at Thu Feb 08 03:26:42 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.