[SERVER-13497] Add a permission to allow read only users to listDatabases Created: 05/Apr/14  Updated: 07/Apr/14  Resolved: 06/Apr/14

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.4.10
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Andrew de Quincey Assignee: Unassigned
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Participants:

 Description   

Hi, I would like to define a read only "analysis" user which allows us to browse our live mongodb (which has a dynamic set of databases) using a tool such as robomongo. This is an account where it absolutely must not be possible to accidentally delete any sort of data/modify server configuration; it's just for read-only investigation.

Ideally, I would like users with "readAnyDatabase" to be able to also list all databases on the server. At the moment however, I have to add "clusterAdmin" to this user to allow this (verified in latest 2.4.10 source). Although I cannot accidentally delete documents, I can still happily drop databases entirely with a single command!

This obviously conflicts with other issues such as https://jira.mongodb.org/browse/SERVER-11063. So, I suggest a new role which provides access to read-only "cluster" commands such as "listDatabases", that I can use in addition to "readAnyDatabase".



 Comments   
Comment by Andrew de Quincey [ 06/Apr/14 ]

Awesome, just spotted the user defined roles in the upcoming 2.6, which renders this request unnecessary.
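
The user-defined roles mentioned in the comment above can express the requested permission. The following is an added example, not code from the ticket or from the MongoDB project: a custom role whose only privilege is `listDatabases` on the cluster resource, granted next to `readAnyDatabase`, with a small check that rejects any grant outside a read-only allowlist. The role name, user name, password and the `auditUser` helper are assumptions made for illustration.

```javascript
// Added example. Role name, user name and password are placeholders.
// Custom role: its only privilege is listDatabases on the cluster resource.
var listDbRole = {
  role: "listDatabasesOnly",
  privileges: [{ resource: { cluster: true }, actions: ["listDatabases"] }],
  roles: []
};

// Analysis user: built-in readAnyDatabase plus the custom role, no clusterAdmin.
var analysisUser = {
  user: "analysis",
  pwd: "REPLACE_ME",
  roles: [
    { role: "readAnyDatabase", db: "admin" },
    { role: listDbRole.role, db: "admin" }
  ]
};

// Allowlists for the review check below.
var READ_ONLY_BUILTINS = ["read", "readAnyDatabase"];
var READ_ONLY_ACTIONS = ["listDatabases"];

// Returns a list of findings; an empty list means every grant is read-only.
function auditUser(user, customRoles) {
  var findings = [];
  user.roles.forEach(function (grant) {
    var name = typeof grant === "string" ? grant : grant.role;
    if (READ_ONLY_BUILTINS.indexOf(name) !== -1) return;
    var custom = customRoles.filter(function (r) { return r.role === name; })[0];
    if (!custom) {
      findings.push("role " + name + " is not on the read-only allowlist");
      return;
    }
    if (custom.roles.length > 0) findings.push("role " + name + " inherits other roles");
    custom.privileges.forEach(function (p) {
      p.actions.forEach(function (a) {
        if (READ_ONLY_ACTIONS.indexOf(a) === -1)
          findings.push("role " + name + " grants action " + a);
      });
    });
  });
  return findings;
}

// In the mongo shell (`db` defined) create the role and user only if the audit is clean.
if (typeof db !== "undefined" && auditUser(analysisUser, [listDbRole]).length === 0) {
  var admin = db.getSiblingDB("admin");
  admin.createRole(listDbRole);
  admin.createUser(analysisUser);
}
```

Run in the mongo shell against a 2.6 or later server, this creates the role and the user in the `admin` database; under Node.js, where `db` is undefined, only the definitions and the audit function are loaded.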
