[SERVER-11854] Make getParameter command require different privileges depending on which parameter is being asked for
Created: 25/Nov/13 Updated: 06/Dec/22
| Status: | Backlog |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 2.5.4 |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Spencer Brody (Inactive) | Assignee: | Backlog - Security Team |
| Resolution: | Unresolved | Votes: | 1 |
| Labels: | 26qa |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Assigned Teams: | Server Security |
| Backwards Compatibility: | Minor Change |
| Participants: |
| Description |
|
Right now getParameter always requires the same privileges (granted via the clusterMonitor built-in role) no matter what the parameter being asked for is. But different parameters may have different levels of sensitivity. For example, it'd be nice if the userAdminAnyDatabase role could run {getParameter:1, authSchemaVersion: 1}. |
| Comments |
| Comment by Valeri Karpov [ 26/Nov/13 ] |
|
Stumbled into this issue when trying out upgrading 2.4 users to 2.6 users last night. Would recommend either fixing this or making a note in the docs; this is something that's pretty easy to run into, especially if you're used to dealing with standalone mongods. |