[SERVER-13239] Make eval permission checking more granular Created: 17/Mar/14 Updated: 10/Sep/18 Resolved: 10/Sep/18 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 2.6.0-rc1 |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Andreas Nilsson | Assignee: | DO NOT USE - Backlog - Platform Team |
| Resolution: | Done | Votes: | 1 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||
| Participants: | |||||
| Description |
|
Currently the eval command require all available permissions in order to run. It would be better to only require permissions for the actual operations that is performed by the enclosed script. This is currently prevented by the way we parse and execute Javascript so it is a non-trivial problem to solve. |
| Comments |
| Comment by Sara Williamson [ 10/Sep/18 ] |
|
db.eval has been removed. |
| Comment by Andreas Nilsson [ 27/Mar/14 ] |
|
Ok I see. I agree with the need for a more granular access control of eval. However this will not be released within the near future so finding a way around it, or not using eval is probably the better choice. I have moved the ticket to "Planned but not scheduled". If you need more practical advice regarding alternatives you can either post a topic to https://groups.google.com/forum/#!forum/mongodb-user or file a support ticket. Andreas |
| Comment by Hugues Lismonde [ 27/Mar/14 ] |
|
We use MongoDB "like MySQL", i.e. we have about 50 databases, one per client and obviously they don't have access to each others databases. Some maintenance operations are done through "executed" (meaning eval'ed apparently) scripts via our CMS. Those scripts could be directly used with the CLI utility but that would mean installing the full suite on every servers. This could be solved that way. We also have a few operations that are much more easily performed through a javascript script than fetching records and manipulating them "client" side. We don't care much about the write-lock as we have a low write volume and the operation is quite fast. Our main problem here is going through 50+ sites to ensure everything still works fine after rewriting the relevant parts. |
| Comment by Andreas Nilsson [ 27/Mar/14 ] |
|
hlidobe can you elaborate on your use case a little bit and how you are using eval. Maybe there is a different way forward than having to downgrade to 2.2. Thank you, |
| Comment by Hugues Lismonde [ 26/Mar/14 ] |
|
This is a huge issue for us. We had to downgrade a new server to 2.2 to overcome this "feature". Our use case imply many small databases with restricted access by clients and we obviously can't grant everyone access to all databases! |