[SERVER-11854] Make getParameter command require different privileges depending on which parameter is being asked for
Created: 25/Nov/13
Updated: 06/Dec/22

Status: Backlog
Project: Core Server
Component/s: Security
Affects Version/s: 2.5.4
Fix Version/s: None

Type: Improvement
Priority: Major - P3
Reporter: Spencer Brody (Inactive)
Assignee: Backlog - Security Team
Resolution: Unresolved
Votes: 1
Labels: 26qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Assigned Teams:
Server Security
Backwards Compatibility: Minor Change
Participants:

 Description   

Right now getParameter always requires the same privileges (granted via the clusterMonitor built-in role) no matter what the parameter being asked for is. But different parameters may have different levels of sensitivity. For example, it'd be nice if the userAdminAnyDatabase role could run {getParameter:1, authSchemaVersion: 1}.



 Comments   
Comment by Valeri Karpov [ 26/Nov/13 ]

Stumbled into this issue when trying out upgrading 2.4 users to 2.6 users last night. Would recommend either fixing this or making a note in the docs; this is something that's pretty easy to run into, especially if you're used to dealing with standalone mongods.
