[SERVER-12134] Allow permission to run "touch" command to be granted to specific collections
Created: 16/Dec/13
Updated: 06/Dec/22
Resolved: 02/Jan/20

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.5.4
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Spencer Brody (Inactive)
Assignee: Backlog - Security Team
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Assigned Teams: Server Security
Operating System: ALL
Participants:

 Description   

Currently if a user has the permission to run the "touch" command then they can run it on any collection in the system. There is no way to say a user is allowed to run "touch" on db1.foo but not db2.bar. This also means that only roles on the "admin" database can grant the ability to run "touch".

This is because the access control check for the "touch" command requires the "touch" action on the cluster resource. Since the touch command operates on a collection, the access control check should require the "touch" action on the collection resource.
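
The difference between the two checks described above, as an added example that is not part of the original ticket or of the server's code. The privilege documents use MongoDB's `{ resource, actions }` shape; the matching functions, role contents and function names are a simplified, hypothetical model.

```javascript
// Simplified model of role privileges and the two forms of the "touch" check.
// Privilege documents use MongoDB's { resource, actions } shape; the matching
// logic is an illustration, not the server's implementation.

// Does a granted resource pattern cover the requested resource?
function resourceMatches(granted, requested) {
  if (granted.cluster || requested.cluster) {
    return granted.cluster === true && requested.cluster === true;
  }
  // An empty string in a granted db or collection field acts as a wildcard.
  const dbOk = granted.db === "" || granted.db === requested.db;
  const collOk = granted.collection === "" || granted.collection === requested.collection;
  return dbOk && collOk;
}

function isAuthorized(privileges, resource, action) {
  return privileges.some(
    (p) => p.actions.includes(action) && resourceMatches(p.resource, resource)
  );
}

// Check as described in the ticket: "touch" on the cluster resource.
// The target namespace plays no part in the decision.
function touchCheckCurrent(privileges, db, collection) {
  return isAuthorized(privileges, { cluster: true }, "touch");
}

// Check the ticket asks for: "touch" on the target collection resource.
function touchCheckProposed(privileges, db, collection) {
  return isAuthorized(privileges, { db, collection }, "touch");
}

// Constructed sample roles.
const clusterGrant = [{ resource: { cluster: true }, actions: ["touch"] }];
const scopedGrant = [{ resource: { db: "db1", collection: "foo" }, actions: ["touch"] }];

function summarize() {
  const targets = [["db1", "foo"], ["db2", "bar"]];
  return targets.map(([db, coll]) => ({
    ns: `${db}.${coll}`,
    currentWithClusterGrant: touchCheckCurrent(clusterGrant, db, coll),
    currentWithScopedGrant: touchCheckCurrent(scopedGrant, db, coll),
    proposedWithScopedGrant: touchCheckProposed(scopedGrant, db, coll),
  }));
}

console.log(summarize());
```

With the cluster-resource check, the cluster grant authorizes both db1.foo and db2.bar and the collection-scoped grant authorizes neither; with the collection-resource check, the scoped grant authorizes db1.foo only.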



 Comments   
Comment by Spencer Jackson [ 02/Jan/20 ]

The touch command was removed in SERVER-42524.
