[SERVER-15072] Limit resource usage for certain users Created: 28/Aug/14  Updated: 06/Dec/22  Resolved: 08/Dec/21

Status: Closed
Project: Core Server
Component/s: Admin, Concurrency, Querying, Security
Affects Version/s: None
Fix Version/s: Needs Further Definition

Type: New Feature Priority: Major - P3
Reporter: Jon Rangel (Inactive) Assignee: Backlog - Service Architecture
Resolution: Won't Do Votes: 16
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Duplicate
duplicates SERVER-3807 restrict connections per user Closed
is duplicated by SERVER-41645 Add Resource Management capabilities ... Closed
Related
is related to SERVER-33749 Configurable Idle Connection Timeout ... Closed
is related to SERVER-23672 Separate privilege action for mapreduce Backlog
Assigned Teams:
Service Arch
Participants:
Case:

 Description   

In some special cases (such as debugging a prod issue) users would like to provision read-only access for different participants in these kind of scenarios (developers, architects and so on).
Additionally, it is desired to to prevent those users from affecting the performance of the production application, or at least limit the performance impact of any interaction these users may have with the database.

We should consider adding a mechanism to limit the resource usage for a set of users. For example:

  • Limit the number/rate of operations that can be executed.
  • Limit the execution time of operations (kind of like an automatic $maxTimeMS that is enforced for these users).
  • Define different execution priorities for different users.
  • Allow access only to secondaries for investigation; don't allow queries to be run on the primary.


 Comments   
Comment by Benjamin Ogden (Inactive) [ 08/Aug/18 ]

One way to partly address limiting resource usage for certain users could be to strictly enforce workload isolation to specific hosts. This could be achieved by mapping roles to tagged replica members, perhaps by expanding the authenticationRestrictions in a role/user document. When using readPreferenceTags to direct workload to some secondaries, the concern is that some users may (eventually will) omit the read preference / tag from their connection string and accidentally affect the application with longer running analytics queries.

Generated at Thu Feb 08 03:36:51 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.