For UDR, add validation code to make sure that it's not possible to grant incorrect, meaningless privileges. Examples of such privileges:
- Cluster membership management actions (addShard, replSetReconfig, etc.) on anything other than the cluster resource.
- CRUD actions (find, insert, update, remove) on the cluster resource.
More specifically, for every action type, map which of the five basic resource pattern types in UDR it may be granted on, and reject any privilege whose action/resource combination is not in that mapping.
For reference, the five grantable resource pattern types are:
- A specific namespace (<dbname>.<collectionName>)
- All collections in a given database (excluding system collections)
- A given collection name in all databases
- All collections in all databases (excluding system collections)
- The cluster resource.
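As an added illustration (not code from the MongoDB server or this ticket), the following hypothetical C++ sketch shows the shape such a check could take: an action-to-resource-scope table, a predicate that decides whether one action may be granted on one resource pattern type, and a validator that returns the offending actions of a whole privilege. The `MatchType`, `ActionScope`, `isGrantable` and `invalidActions` names, and the choice of which actions fall in which scope, are assumptions made for this example; only the action names themselves (find, insert, update, remove, addShard, replSetReconfig) and the five pattern types come from the ticket text.

```cpp
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// The five grantable resource pattern types listed in the ticket.
enum class MatchType {
    ExactNamespace,   // <dbname>.<collectionName>
    Database,         // all non-system collections in one database
    CollectionName,   // a given collection name in every database
    AnyNormal,        // all non-system collections in all databases
    Cluster           // the cluster resource
};

struct ResourcePattern {
    MatchType type;
    std::string db;    // empty unless the pattern names a database
    std::string coll;  // empty unless the pattern names a collection
};

// Hypothetical scope classification: which kind of resource an action makes sense on.
// NamespaceOnly covers the four namespace-style patterns; ClusterOnly covers only Cluster.
enum class ActionScope { NamespaceOnly, ClusterOnly };

// Hypothetical action table for this example; a real implementation would cover
// every action type the server defines.
static const std::map<std::string, ActionScope>& actionScopes() {
    static const std::map<std::string, ActionScope> scopes = {
        {"find",            ActionScope::NamespaceOnly},
        {"insert",          ActionScope::NamespaceOnly},
        {"update",          ActionScope::NamespaceOnly},
        {"remove",          ActionScope::NamespaceOnly},
        {"addShard",        ActionScope::ClusterOnly},
        {"replSetReconfig", ActionScope::ClusterOnly},
    };
    return scopes;
}

// True if `action` may be granted on a resource pattern of type `rp.type`.
// Unknown actions are rejected rather than silently allowed (fail closed).
bool isGrantable(const std::string& action, const ResourcePattern& rp) {
    auto it = actionScopes().find(action);
    if (it == actionScopes().end()) return false;
    const bool onCluster = (rp.type == MatchType::Cluster);
    switch (it->second) {
        case ActionScope::NamespaceOnly: return !onCluster;
        case ActionScope::ClusterOnly:   return onCluster;
    }
    return false;
}

// Validate one privilege (a resource pattern plus its action list) and return the
// actions that are not grantable on that pattern; an empty result means the
// privilege is acceptable.
std::vector<std::string> invalidActions(const ResourcePattern& rp,
                                        const std::vector<std::string>& actions) {
    std::vector<std::string> bad;
    for (const auto& a : actions) {
        if (!isGrantable(a, rp)) bad.push_back(a);
    }
    return bad;
}

int main() {
    // Constructed sample privileges mirroring the two bad cases from the ticket.
    const ResourcePattern cluster{MatchType::Cluster, "", ""};
    const ResourcePattern ns{MatchType::ExactNamespace, "test", "foo"};

    for (const auto& a : invalidActions(cluster, {"find", "addShard"}))
        std::printf("not grantable on the cluster resource: %s\n", a.c_str());
    for (const auto& a : invalidActions(ns, {"find", "replSetReconfig"}))
        std::printf("not grantable on test.foo: %s\n", a.c_str());
    return 0;
}
```

The table is deliberately keyed by action rather than by resource pattern: every action gets exactly one entry, so adding a new action without classifying it makes `isGrantable` return false instead of quietly widening what a user-defined role can grant.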