[SERVER-12134] Allow permission to run "touch" command to be granted to specific collections
Created: 16/Dec/13 Updated: 06/Dec/22 Resolved: 02/Jan/20
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 2.5.4 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Spencer Brody (Inactive) | Assignee: | Backlog - Security Team |
| Resolution: | Done | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Assigned Teams: | Server Security |
| Operating System: | ALL |
| Participants: |
| Description |
|
Currently if a user has the permission to run the "touch" command then they can run it on any collection in the system. There is no way to say a user is allowed to run "touch" on db1.foo but not db2.bar. This also means that only roles on the "admin" database can grant the ability to run "touch". This is because the access control check for the "touch" command requires the "touch" action on the cluster resource. Since the touch command operates on a collection, the access control check should require the "touch" action on the collection resource. |
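
The difference between the two checks described above, as an added example that is not part of the original ticket and is not MongoDB source code: a simplified JavaScript model of privilege matching. The role names and the functions `covers`, `isAuthorized`, `canTouchCurrent` and `canTouchProposed` are hypothetical; the privilege documents follow the `resource`/`actions` shape used in role definitions.

```javascript
// Simplified model (constructed for illustration) of the access control
// checks discussed in the ticket. Not MongoDB source code.

// Role granting "touch" on the cluster resource. Cluster-resource privileges
// can only live in roles defined on the "admin" database.
const clusterTouchRole = {
  role: "touchAnywhere", db: "admin",          // hypothetical role name
  privileges: [{ resource: { cluster: true }, actions: ["touch"] }],
};

// Role scoped to one collection: what the ticket asks to make effective.
const scopedTouchRole = {
  role: "touchFoo", db: "db1",                 // hypothetical role name
  privileges: [{ resource: { db: "db1", collection: "foo" }, actions: ["touch"] }],
};

// Does a privilege's resource pattern cover the requested resource?
function covers(pattern, requested) {
  if (pattern.cluster || requested.cluster) {
    // The cluster resource only ever matches the cluster resource.
    return pattern.cluster === true && requested.cluster === true;
  }
  // An empty string is a wildcard for db or collection in a resource document.
  const dbOk = pattern.db === "" || pattern.db === requested.db;
  const collOk = pattern.collection === "" || pattern.collection === requested.collection;
  return dbOk && collOk;
}

function isAuthorized(roles, resource, action) {
  return roles.some((r) =>
    r.privileges.some((p) => p.actions.includes(action) && covers(p.resource, resource)));
}

// Check as described in the ticket: "touch" action on the cluster resource.
// The target namespace plays no part in the decision.
function canTouchCurrent(roles, _db, _coll) {
  return isAuthorized(roles, { cluster: true }, "touch");
}

// Check proposed in the ticket: "touch" action on the target collection.
function canTouchProposed(roles, db, coll) {
  return isAuthorized(roles, { db, collection: coll }, "touch");
}
```

Under the current check the admin-defined role authorizes every namespace and the collection-scoped role authorizes none; under the proposed check the scoped role authorizes db1.foo only.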
| Comments |
| Comment by Spencer Jackson [ 02/Jan/20 ] |
|
The touch command was removed in |